Email Verification: Spam, Self-Signing, and Security

June 9, 2017

Here at Sephone, we’ll occasionally get inquiries concerning email safety and security. These can range from topics like “Should I trust this suspicious-looking email?” to “Why is all my mail getting marked as spam?” In today’s blog post, I’d like to begin tackling some of these issues in depth. I’ll do so by starting with the topic of Email Verification.

Perhaps you’ve run into this scenario before:

You’ve got a new form on your website – a place where visitors can ask questions about your services, and perhaps get a quote in the process. The form looks beautiful. You’ve thought long and hard about what questions to ask, and are confident that you’ll be getting exactly the information you need. You launch the form.

Time passes. Your form appears to be getting traffic – but you’re not getting submission notifications in your inbox! What’s going wrong?

A quick check of your spam folder shows the issue: all of your notifications are getting flagged as spam by your email provider.

This is a common issue, and I can explain why.

When you set up a form on your website, there is a good chance that any notifications generated by it will be sent from the same server space that hosts your website. Over the years, this has been common practice. Yet things have changed in recent times – there has been more and more separation of web servers and mail servers, and increased security has meant more and more items are getting marked as spam.

How can we resolve this issue? Perhaps you’ve heard of the practice known as “self-signing,” wherein you set up the records necessary to let every email provider know that you meant to send that email from your website, and to please trust it.

This may work – but it’s no longer the best practice. Think of it like receiving a sales call, or buying a product in a store, through a television advertisement, or elsewhere online. You can see the product, but maybe your internal sensors are saying, “This seems suspicious,” or “This is too good to be true.” So you look for any signs of verification.

If the first thing you get as “proof” of trustworthiness is a verbal guarantee from the same salesperson, that may only set off more red flags. Think about it – if the only person who can vouch for a product is the creator or distributor of that product, there is a large potential for bias. If you know someone well enough, perhaps you can take them at their word. But what if you don’t?

This is the problem with self-signing emails sent from web servers. Sure, email providers will see that the email came from your website. Self-signing will tell them, “Yes, I meant to send this email from my web server. Please accept it.” This is far from a golden ticket, and does very little to prove that an email is trustworthy.

Utilizing a third-party verification system, such as those offered by services like Constant Contact and Mailgun, adds a more reputable opinion into the mix. Many email providers will automatically accept emails that are signed by certain services such as these. Think of it like a shortcut through the verification process – if someone reputable can vouch for you, you’re ahead in the game.

Does it seem unnecessary? Maybe, maybe not. I’m a fan of the practice, myself. Is it a different process than has been utilized in the past? Absolutely – but the internet as a whole is constantly changing, and many institutions are trying their best to keep things secure and protect consumer information.

So the next time something slips into your spam folder unexpectedly, do a little research. Maybe it was a total fluke on the part of the email provider – but maybe it wasn’t.


Gary is a team member at Sephone, helping to design, develop and maintain websites.
