Stop using email allowlists!

Irving Hofman

The idea behind adding an email address to an allowlist is to prevent SPAM false positives from trusted senders. We are often encouraged to add email addresses when signing up with new vendors to ensure their emails are always received, and not blocked by an anti-SPAM filter.

While doing so achieves this goal, it also creates a cybersecurity risk when the sender's account is compromised. It exposes the receiver to malicious emails that would have been blocked had the sender not been added to an allowlist. Doing so simply moves the onus of cybersecurity from the receiver to the sender.

If genuine emails you frequently receive from the same person are getting blocked by your anti-SPAM filter, then you need to fix the root cause of why these emails are getting filtered, not just bypass the filter. Allowlists merely facilitate abuse through things you do not control, i.e. the sender's domain and email accounts. They provide a direct route for malware, phishing attempts and other malicious content to bypass your filters and arrive straight in your mailbox without any checking.

If a sender is having issues with email delivery, it's on them to address why their emails are not getting through instead of asking recipients to punch holes in their email security to accommodate them. For example, if the sender's SPF record is misconfigured, they need to fix it. If you add a trusted vendor to an allowlist, then you are bypassing security checks. If your trusted vendor gets compromised, you are giving them an open door into your systems.
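One way to find the root cause instead of allowlisting, shown as an added example that is not part of the original article: read the Authentication-Results header your own gateway stamped on a filtered message and list which of SPF, DKIM and DMARC did not pass, so the sender can be told what to fix. The sample message, the host names and the function names are constructed for illustration, and the gateway is assumed to record its results in that header.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message; hostnames, addresses and results are made up.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=billing.vendor.example;
 dkim=pass header.d=vendor.example;
 dmarc=fail (p=none) header.from=vendor.example
From: Accounts <accounts@vendor.example>
To: ap@recipient.example
Subject: Invoice 1042

See attached.
"""

# What the sender has to fix for each failing check.
SENDER_FIX = {
    "spf": "authorise the sending host in the SPF record of the envelope domain",
    "dkim": "sign the mail with a key published in DNS for the signing domain",
    "dmarc": "make SPF or DKIM pass and align with the From: domain",
}
METHOD = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def auth_results(raw, own_authserv_id):
    """Return {method: result} from headers stamped by our own gateway only."""
    msg = message_from_string(raw, policy=default)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        flat = re.sub(r"\([^)]*\)", " ", " ".join(str(value).split()))  # drop comments
        authserv_id = flat.split(";", 1)[0].strip().split(" ")[0].lower()
        if authserv_id != own_authserv_id.lower():
            continue  # stamped by another system, possibly forged: do not trust
        for method, result in METHOD.findall(flat):
            results.setdefault(method.lower(), result.lower())
    return results

def failed_checks(raw, own_authserv_id):
    """List (method, result) for every check that did not pass or was not recorded."""
    results = auth_results(raw, own_authserv_id)
    return [(m, results.get(m, "missing")) for m in SENDER_FIX
            if results.get(m, "missing") != "pass"]

if __name__ == "__main__":
    for method, result in failed_checks(SAMPLE, "mx.recipient.example"):
        print(f"{method}={result}: sender should {SENDER_FIX[method]}")
```

An allowlist entry for this sender would have delivered the message despite the SPF and DMARC failures listed here.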

Talk to Exigence about SPAM!

Striking the right balance when delivering legitimate emails from so many different email domains is a daunting task. Users will complain that they receive spam while at the same time complaining when they don't receive clients' emails because they were detected as SPAM. Talk with our team to find out more about anti-SPAM solutions.
