Suped

Why am I receiving Temu spam emails with valid DKIM signatures from Disney or Homegoods domains?

13 Marketer opinions4 Expert opinions4 Technical articles0 Resources

Summary

Receiving Temu spam emails with valid DKIM signatures from domains like Disney or Homegoods is a multifaceted problem stemming from several key areas. A primary cause is affiliate marketing abuse, where unscrupulous affiliates engage in spammy tactics within legitimate programs, leveraging the brands' DKIM for authentication. This is exacerbated by potential account takeovers (ATO) or compromised systems within those organizations. Old or purchased email lists falling into the wrong hands, often used by Temu affiliates, and brand impersonation tactics further contribute to the issue. Even when DKIM is valid, factors like content, sender reputation, and recipient engagement play crucial roles in ESP filtering. The DKIM is valid, the sending practices are questionable and often involve unauthorized rebranding, domain reputation suffers due to aggressive marketing, and authentication alone is insufficient for ensuring email legitimacy.

Key findings

  • Affiliate Abuse: Unscrupulous affiliates are exploiting legitimate programs, sending spam using a brand's valid DKIM.
  • Compromised Accounts/ATOs: Accounts within Disney or Homegoods marketing systems may be compromised, leading to unauthorized email sending.
  • Old/Purchased Lists: Temu affiliates may be using outdated or purchased email lists.
  • Domain Reputation: Aggressive affiliate marketing damages the brand's domain reputation, even with valid DKIM.
  • Content Matters: ESPs filter based on content, sender reputation, and engagement, regardless of DKIM.
  • DKIM Limitations: DKIM verifies the sender but doesn't guarantee email legitimacy or wantedness.
  • Unauthorized Branding: Unauthorized branding practices such as changing the 'Friendly From' is a sign.
  • Brand Impersonation: Spammers often successfully mimic legitimate brands and compromise the brand's reputation

Key considerations

  • Affiliate Monitoring: Brands must closely monitor affiliate programs for compliance and ethical marketing practices.
  • Security: Implement robust security measures to prevent account takeovers and unauthorized access.
  • List Hygiene: Maintain clean, up-to-date email lists.
  • Reputation Management: Proactively manage domain reputation through responsible email marketing.
  • Multi-Factor Authentication: Email providers use various factors to filter emails, not just DKIM.
  • User Awareness: Educate users on the limitations of email authentication.
  • Review Authentication Setup: Ensure SPF and DMARC records are properly configured.
  • Review 3rd Party Permissions: Review the permissions 3rd parties have been given.

What email marketers say
13Marketer opinions

The reason for receiving Temu spam emails with valid DKIM signatures from reputable domains like Disney or Homegoods stems from several potential issues. The predominant factor seems to be related to affiliate marketing abuse, where unscrupulous affiliates associated with these brands engage in spammy practices while still utilizing the brand's DKIM for authentication. This can also include unauthorized branding of "Friendly Froms". Other causes include compromised email accounts within the legitimate domains, old or purchased email lists falling into the hands of Temu affiliates, and even brands suffering from domain reputation damage due to aggressive affiliate marketing tactics. Even with valid DKIM, email service providers might filter emails based on content, sender reputation, and recipient engagement, and also from spammers impersonating brands. These issues can impact email deliverability and brand reputation.

Key opinions

  • Affiliate Abuse: Unscrupulous affiliates are using spammy tactics within legitimate affiliate programs, while still sending email using the companies valid DKIM.
  • Compromised Accounts: Email accounts or systems within Disney or Homegoods could be compromised, leading to unauthorized sending.
  • List Acquisition: Temu affiliates may have acquired old or purchased email lists, leading to spam being sent to outdated addresses.
  • Reputation Damage: Aggressive affiliate marketing practices can damage a brand's domain reputation, even with valid DKIM.
  • Content & Engagement: Email service providers filter emails based on content, sender reputation, and recipient engagement, irrespective of DKIM.
  • Unauthorized Branding: Friendly Froms are unauthorized and de-branding the email.

Key considerations

  • Monitor Affiliates: Brands need to closely monitor their affiliate programs and ensure compliance with email marketing best practices.
  • Security Measures: Implement robust security measures to prevent account compromises and unauthorized access to email systems.
  • List Hygiene: Regularly clean and update email lists to remove inactive or outdated addresses.
  • Domain Reputation: Actively monitor and protect domain reputation through responsible email marketing and proactive spam monitoring.
  • ESP Filtering: Be aware that ESPs use multiple factors to filter emails, so focus on content quality, sender reputation, and recipient engagement.
  • Authentication is not enough: Authentication does not guarantee deliverability or legitimacy.
Marketer view

Marketer from Email Geeks, Brian Sisolak, asked if someone let Acoustic know about the DKIM keys still coming with spop1024. Expert from Email Geeks, Al Iverson, then shares headers with Brian and Brian lets Acoustic know, and they are on it.

September 2021 - Email Geeks
Marketer view

Email marketer from Reddit comments that affiliate programs can be difficult to control, and some affiliates may use aggressive tactics that border on spam. While the DKIM is valid, the sending practices are questionable.

November 2024 - Reddit
Marketer view

Email marketer from EmailOnAcid explains that sometimes, legitimate brands use third-party email marketing services or affiliate programs which can be exploited by spammers. If the third-party service has valid DKIM for the brand, spam can appear legitimate.

October 2024 - EmailOnAcid
Marketer view

Marketer from Email Geeks, Tim Starr, points out the Friendly From of "Temu Pallets" looks unauthorized and questions why Disney or Homegoods would de-brand their email like that.

November 2021 - Email Geeks
Marketer view

Email marketer from an Email Marketing Forum explained that they had once had this issue themselves and it was from really old mailing lists from a previous company. This lists had sat idle for 10 years, but Temu or their affiliates bought the list.

November 2021 - Email Marketing Forum
Marketer view

Email marketer from LinkedIn highlights that the brand's domain reputation might be suffering due to affiliate marketing practices. Even with valid DKIM, aggressive or misleading affiliate tactics can lead to the domain being flagged as spam.

May 2023 - LinkedIn
Marketer view

Marketer from Email Geeks, Alison Gootee, states that they cannot comment as they are in an active investigation of this sending behavior.

August 2024 - Email Geeks
Marketer view

Email marketer from Quora suggests that a possible reason is that a list that you are on has been sold to a company, and then sold to Temu affiliates who have then begun sending the emails.

May 2024 - Quora
Marketer view

Email marketer from StackExchange suggests that one possibility is that an account within Disney or Homegoods' marketing system has been compromised, and the spammer is using it to send emails with a valid DKIM signature.

August 2022 - StackExchange
Marketer view

Email marketer from Reddit explains that sometimes companies will work with bad affiliates that send email without following the rules, and as long as they are using DKIM from the company you can't block them.

January 2024 - Reddit
Marketer view

Email marketer from EmailDrips Blog explains that a potential reason could be that even with legitimate DKIM signatures, email service providers (ESPs) may filter emails as spam based on other factors like content, sender reputation, and recipient engagement.

August 2023 - EmailDrips Blog
Marketer view

Email marketer from Reddit explains that it's likely an affiliate pushing Temu offers through various means, some legitimate, some less so. The valid DKIM means someone with authorized sending privileges is sending it.

March 2021 - Reddit
Marketer view

Email marketer from EmailSecurityPro Blog addresses the issue of brand impersonation, where spammers successfully mimic legitimate brands and compromise the brand's reputation by piggybacking on the positive relationships the brand has fostered with customers.

November 2024 - EmailSecurityPro Blog

What the experts say
4Expert opinions

The influx of Temu spam emails bearing valid DKIM signatures from domains like Disney or Homegoods points to a combination of factors. It's suggested there may be either affiliate marketing abuse where illegitimate affiliates are sending emails using a brand's DKIM or it could be hacked accounts that is causing the issue. In all cases, the DKIM signatures pass but they do not guarantee email is legitmate, wanted, or from an ethical source.

Key opinions

  • Affiliate Marketing Abuse: Unscrupulous affiliates associated with Disney or HomeGoods might be engaging in spammy practices while still using the company's DKIM.
  • Hacked Account: Account Takeover could be occurring.
  • Authentication Inadequacy: DKIM and other authentication methods verify the sender but don't guarantee the email is wanted or legitimate.

Key considerations

  • Affiliate Monitoring: Thorough monitoring of affiliate activities is crucial to prevent spam and maintain brand reputation.
  • Security Enhancements: Implementing robust security measures to prevent account takeovers is essential.
  • Email Authentication Limitations: Acknowledge that email authentication alone isn't sufficient for ensuring deliverability or legitimacy; broader strategies are needed.
Expert view

Expert from Word to the Wise, Laura Atkins, emphasizes that while DKIM and other authentication methods verify the sender, they don't guarantee the email is wanted or legitimate. A compromised account or a rogue affiliate can still send spam with valid authentication.

June 2021 - Word to the Wise
Expert view

Expert from Email Geeks shares that he received a similar Temu spam email with a dkim=pass header.i=@em.homegoods.com header.s=spop1024.

April 2023 - Email Geeks
Expert view

Expert from SpamResource explains that the issue is likely due to abuse within an affiliate marketing program. Legitimate companies like Disney or HomeGoods may have affiliate programs, and unscrupulous affiliates might engage in spammy tactics, still using the company's DKIM.

July 2021 - SpamResource
Expert view

Expert from Email Geeks, Al Iverson, suggests the issue is a hacked account. Marketer from Email Geeks, Tim Starr, adds that Temu has gone into the affiliate offer business and suspects an ATO (Account Takeover). Al also states he assumes the bad guy is an affiliate.

January 2024 - Email Geeks

What the documentation says
4Technical articles

The documentation collectively highlights that while DKIM confirms the email was sent by an authorized server and wasn't altered in transit, it doesn't ensure the email's content is legitimate, desired, or free of spam. Spammers can exploit legitimate domains and abuse SPF records to pass DKIM checks, sending spam that appears authenticated. Therefore, valid DKIM does not guarantee the email is safe or wanted.

Key findings

  • DKIM Limited Scope: DKIM verifies sender authorization and message integrity, not content legitimacy.
  • Spam Exploitation: Spammers can abuse legitimate domains and SPF records to pass DKIM checks.
  • No Content Guarantee: Valid DKIM doesn't guarantee the email's content is desired or spam-free.

Key considerations

  • Beyond Authentication: Relying solely on DKIM for email security is insufficient; consider other factors like content analysis and sender reputation.
  • Holistic Security: Implement comprehensive email security measures to combat spam, even with valid DKIM signatures.
  • User Awareness: Educate users about the limitations of email authentication and encourage them to be cautious of unsolicited emails.
Technical article

Documentation from RFC Editor explains that DKIM is designed to verify the message has not been altered during transit, and that it was indeed sent by the entity which owns the signing domain. It says nothing about the content or intent of the message.

September 2023 - RFC Editor
Technical article

Documentation from Microsoft states that spammers can abuse SPF records to pass DKIM by gaining access to the domains email servers or by impersonating the domain owner.

December 2022 - Microsoft Support
Technical article

Documentation from SparkPost explains that a valid DKIM signature confirms the email was sent by a server authorized to send on behalf of the domain, but it does not guarantee the content is legitimate or desired by the recipient. It only confirms the sender's identity.

January 2024 - SparkPost
Technical article

Documentation from Google explains that spammers sometimes spoof legitimate domains by using authorized services to send emails. If a domain is configured correctly it's emails will pass authentication checks even if they are used to send spam.

May 2024 - Google Support

Related resources
0Resources

No related resources found.

Related questions