
Email Security Best Practices For eCommerce Stores (For 2024)

Having trouble reaching your customers' inboxes? Here are some email security best practices for eCommerce stores in 2024.

Let's do a quick test: which of these is the genuine email address?

  1. “store-news@amazon.com”
  2. “store-news@аmazon.com”
  3. “store-news@ɑmazon.com”

They look the same, right? 🤔 Except maybe for option 3?

Options 2 and 3 are both spoofed homograph addresses: the “а” and “ɑ” are Cyrillic look-alikes of the Latin “a”.
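As an added example (not part of the original post), here is a Python triage check a defender can run over inbound From addresses: it flags any domain containing non-ASCII characters, names the exact substituted character, and shows the punycode form that mail servers actually route on. The approved-domain set and the sample addresses are constructed for the example.

```python
import unicodedata

# Constructed sample From addresses, mirroring the three-option quiz above
SAMPLE_SENDERS = [
    "store-news@amazon.com",
    "store-news@\u0430mazon.com",  # first letter is U+0430, CYRILLIC SMALL LETTER A
    "store-news@\u0251mazon.com",  # first letter is U+0251, LATIN SMALL LETTER ALPHA
]

def non_ascii_chars(text):
    """Every non-ASCII character in text with its Unicode name, so a reviewer sees the exact substitution."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 0x7F]

def scripts_in(text):
    """Scripts used by the letters in text, read from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}

def check_sender(address, approved_domains):
    """Classify one From address against the store's approved sending domains.

    Verdicts: 'approved', 'unapproved' (plain ASCII but unknown), 'homograph-suspect'
    (domain carries non-ASCII characters), or 'malformed'. The alpha in option 3 is a
    Latin-script letter, so a script-mix test alone would miss it; the non-ASCII list does not.
    """
    _, sep, domain = address.rpartition("@")
    if not sep or not domain:
        return {"address": address, "domain": "", "verdict": "malformed"}
    domain = domain.lower()
    try:
        punycode = domain.encode("idna").decode("ascii")  # what the mail server actually routes on
    except UnicodeError:
        punycode = None
    odd = non_ascii_chars(domain)
    if domain in approved_domains:
        verdict = "approved"
    elif odd:
        verdict = "homograph-suspect"
    else:
        verdict = "unapproved"
    return {"address": address, "domain": domain, "punycode": punycode,
            "non_ascii": odd, "scripts": scripts_in(domain), "verdict": verdict}

def triage(addresses, approved_domains):
    """Run check_sender over a batch and keep only the entries that need a human look."""
    return [r for r in (check_sender(a, approved_domains) for a in addresses)
            if r["verdict"] != "approved"]

if __name__ == "__main__":
    for row in triage(SAMPLE_SENDERS, {"amazon.com"}):
        print(row["verdict"], row["punycode"], row["non_ascii"])
```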

Spam and spoofing techniques like these are among the reasons both Google and Yahoo started enforcing stricter sender requirements in February 2024.

So, how do you increase your email security (and adhere to regulations)? Start by addressing these 4 key areas:

22 Essential Ways To Increase Email Security for your eCommerce Brand

Technical

1. Create Dedicated Domain Emails (With A Correctly Routed DNS)

The requirement here is that your emails should originate from dedicated, identifiable email addresses.

These addresses can be on your domain, a subdomain, or a separate domain (one that you've authenticated).

For example: if your domain is “example.com”, your dedicated emails can be “doejohn@mail.example.com” or “doejohn@example.us.”

So, how do you implement it?

  • Create a separate email address on your domain, or create a subdomain
  • Use completely fresh addresses and subdomains that aren't used anywhere else
  • Next, connect your email marketing service to your domain's email
  • Ask your ESP for the CNAME/NS records to add
  • Doing this connects your email to your email marketing service's mail-sending servers

Quick Summary: DNS stands for “Domain Name Server”. By default, your domain registrar hosts your emails. When you set up the CNAME/NS records on your domain or subdomain, you are essentially saying: my domain, i.e., “example.com”, exists (and is hosted) at this name server, “yourbrand.emailservice.net”.

2. Set Up a Return Address

ICYMI, the return address for your email marketing isn't the address your users reply to.

Instead, it's the “mailfrom” (envelope sender) address that receives the good ol' delivery reports, bounces, and other technical details.

Until now, you didn't have to worry about this one (because email marketing service providers took care of it).

With these new rules in place, there are two options:

  • Set up a separate, dedicated email address on your subdomain to receive these reports
  • Or, authorize your email marketing service provider's return address in your SPF record, like Reddit does:

[Image: Reddit's email ARC header showing the return address, i.e. the mailfrom address]

The Return-Path carries the exact mailfrom address, while the SPF result shows whether the sending server is authorized for that address's domain.

Quick Tip: Make the return email address completely unique, and don't use it anywhere else.

Either way, this leads us to our next point: authentication.

3. Implement SPF, DKIM & DMARC

SPF, together with the other authentication mechanisms like DKIM and DMARC, exists to ensure that only authorized mail from authorized sources gets through.

Here’s how each of these frameworks works:

[Image: a visual representation of how SPF, DKIM and DMARC work together to increase email security]

SPF publishes the IP addresses and domains that are allowed to send mail for your domain, so a receiving server can check that the sender is who it claims to be. Here's an example of an SPF record:

[Image: example of a sample SPF record]

DKIM uses a pair of keys (a private signing key and a public key published in your DNS) to detect whether your email has been tampered with in transit. Here's an example of a public DKIM key:

[Image: example of a DKIM key]

DMARC tells the receiving inbox what to do with mail that fails authentication or alignment: do nothing, quarantine it, or reject it. Here's an example of a DMARC record:

[Image: sample DMARC record]
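To show how sections 2 and 3 fit together, here is an added Python example (not from the original post) that parses constructed SPF, DKIM and DMARC TXT records and works out the DMARC disposition a receiver would apply. It makes the point behind the return-address advice concrete: an SPF pass on the ESP's own return-path domain does not align with your From domain, so DKIM must carry the message. The domain names and records are constructed, and the organizational domain is approximated without a public-suffix list.

```python
# Constructed DNS TXT records for the hypothetical store domain example.com (not real records)
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.emailservice.net -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "s1._domainkey.mail.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM use this syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def parse_spf(txt):
    """Return (mechanisms, all_qualifier) from an SPF record; '-' means fail everything not listed."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = [t for t in terms[1:] if t.lstrip("+-~?") != "all"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    qualifier = alls[-1][0] if alls and alls[-1][0] in "+-~?" else "+"
    return mechanisms, qualifier

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain):
    """What a receiver does with a message, given its From domain and the raw SPF/DKIM outcomes.

    SPF authenticates the mailfrom (Return-Path) domain and DKIM the d= domain; DMARC passes
    only when one of them passed *and* aligns with the visible From domain.
    """
    record = DNS_TXT.get(f"_dmarc.{from_domain}") or DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return "deliver", "no DMARC record published, nothing to enforce"
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver", "SPF aligned" if spf_ok else "DKIM aligned"
    policy = tags.get("p", "none")
    return ("deliver" if policy == "none" else policy), f"neither SPF nor DKIM aligned; p={policy}"
```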

Want dedicated resources on how to set up DKIM, DMARC, and SPF for your brand? We recommend reading these:

  1. Setting up SPF | Add an SPF record
  2. How to Add DKIM Record in GoDaddy: GoDaddy DKIM Setup Guide
  3. How to Add DMARC Record in GoDaddy: GoDaddy DMARC Setup Guide

Quick Tip: If you own a Trademark, try incorporating and securing your branding across all email providers with BIMI (Brand Indicators for Message Identification)—here’s a helpful resource to add BIMI.

4. Ensure Your ESP Uses The Correct Protocols

When choosing an email marketing tool or service, check which mail-sending protocols it supports, specifically:

  • ARC: ARC adds a “seal” to an email that records the authentication results (SPF, DKIM, DMARC) seen by each server that handled the message along its journey.
  • TLS: TLS establishes a secure, encrypted tunnel between the email client and the server (and between mail servers in transit).

Quick Tip: Ensure your ESP has data protection certification in place, like SOC 2 Type II.

5. Warm Your Address Slowly

The fastest way to get marked as spam? Going from 0 to 5000 emails in one day (or from 5000 to 10,000 in one day).

Doubling your email volume overnight raises alarms at receiving mail servers.

Why: sudden spikes resemble DDoS attacks (distributed denial-of-service attacks, in which attackers try to overload a system from many traffic sources).

So, how do you avoid this?

For migrations/new email addresses:

  • Once your dedicated email address is ready, start by testing with emails that contain no links
  • Then increase your sending volume gradually
  • Segment your list by purchase history
  • Start with top spenders, and then move downwards

For existing emails:

  • Don't increase your sending volume at the get-go (if you send 500 emails a day, keep doing that)
  • Increase the volume gradually, but never beyond double your current volume (500 to 1000)
  • Send to the segment you know will drive the most opens (for example: your top spenders or newsletter subscribers)

Quick Tip: This applies to all senders, with new or existing email addresses.

6. Set Up Google Postmaster For Gmail Sender Monitoring

Google Postmaster, like Google Search Console, is a tool to monitor your domain's delivery rate on Gmail. 

Additionally, it lets you check your spam rate by IP.

Quick Tip: Google Postmaster doesn’t track opens or directly show spam scores—however, it gives you a hint with features like “Spam Rate by IP” and “Sender Reputation.”

Looking for a resource to set up Google Postmaster? This will help: How To Get Started With Google Postmaster?

7. Create Dedicated Emails For Various Types of Messaging

It's always better to make your sender addresses meaningful too; for example:

  • For promotions: “promo-box@yourbrand.com”
  • For newsletters: “newsroll@yourbrand.com”
  • For transactional emails: “support@yourbrand.com”
  • For 1:1 support: “jim@yourbrand.com”

This email strategy helps you:

  • Keep each address's sending volume consistent
  • Build context for your subscribers
  • Lessen chances of getting marked as spam

What should you keep in mind when creating emails?

  • Avoid generic email names like “deals” or “news”
  • Ensure all of the above emails pass the DMARC, DKIM, and SPF check

Quick Tip: Set up different “mailfrom” addresses to get a better understanding of your delivery patterns.

Content

8. Avoid Adding Unnecessary Links (But Don't Add Too Few)

By necessary, we mean links that fit the context of the email, and are also:

  • Visually labeled through a CTA/color/formatting
  • Used in a certain hierarchy

A good example of this in use is Everlywell:

[Image: Everlywell's email design with a clearly laid-out CTA hierarchy]

What kind of links should you use?

  • Links that fit the context of your email
  • Clearly labeled CTA buttons with descriptive anchor text
  • Social proof links like your socials or app install links
  • Send only TLS-secured links, i.e., “https://” links
  • Use full links instead of link shorteners like “bit.ly”

Quick Tip: Too many links are a definite red flag, but using only one link can trigger a phishing alert too.

9. Use The Right Formatting

Most eCommerce brands still rely entirely on images to carry their message.

This can cause a security issue, because the receiving server sees no text or formatting at all to evaluate.

As a result, your email may land in your customer's inbox without the image.

Which, of course, may lead them to mark it as spam.

So, what's the way out? 

  • Design your email body with HTML
  • Use WebP images to compress down on size
  • Limit the width of your images to 600 px
  • Optimize your emails specifically for mobile devices

Quick Tip: Excessive use of exclamation points and ALL CAPS triggers spam filters (so beware).

10. Avoid Spam Like The Plague

Here's why: a spam rate above 0.3% will stop you from sending emails (like, ever).

So, how do you avoid getting automatically reported as “spam”?

  • Don't attach anything: Attachments in bulk emails are a massive red flag; if you have offers or downloadable material, send them via a link
  • Don't use stop-words: Words and phrases like “free”, “get it now”, or “act now” are a sure way to get marked as spam
  • Use clickable, correctly formatted subject lines: Avoid exclamation points and random capital letters, and limit emojis
  • Continue your message in your pre-header: This works well for your CTR and gives users a hint of what's in the email, which makes them less likely to mark it as spam
  • Follow the applicable regulations: HIPAA for healthcare emails, CAN-SPAM and GDPR for all emails, and CCPA wherever it applies

Quick Tip: Loop in an explanation of why a user is receiving your email, within your email’s microcopy.

11. Ask Them To Add You As a Contact

This tried-and-tested technique ensures that your emails reach your customers' inboxes without fail.

Furthermore, it also ensures that anyone pretending to be you can't reach your customers.

The caveat: you have to keep your sending address consistent, and offer a clear set of instructions.

How do you do this?

  • Use clear and concise language like “Add us to your safe senders list” or “Whitelist our email address.”
  • Employ a polite and friendly tone, such as “To ensure our emails always reach your inbox, you can add us to your safe senders list”
  • Add it in a section that is clearly visible:

[Image: example of an email footer asking users to add the brand to their contacts]

Quick Tip: Offer a short and clear explanation on how to whitelist your email address, ideally with a link to relevant tutorials.

12. Assign a Time Limit for Key Actions

Specifically, key actions like password resets, discount codes, or anything carrying sensitive information.

Here's why: email as a medium is never completely secure (yes, even with TLS), and is therefore exposed to man-in-the-middle attacks.

Opting for this technique ensures that your users are protected (and helps you in the long run).

Quick Tip: The more sensitive the information, the shorter the time limit (for example: password reset links should expire within an hour of being sent).
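As an added illustration (not from the original post), here is one way to implement such a time limit: an HMAC-signed token whose expiry is part of the signed payload, checked in constant time before anything else. The secret, the purpose names, the TTLs and the addresses are constructed for the example; making a token single-use (recording its nonce once redeemed) is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for the example; in production load it from a secrets manager, never from source
SERVER_SECRET = b"constructed-demo-secret-rotate-me"
RESET_TTL_SECONDS = 60 * 60          # password reset links: one hour, as the tip above recommends
DISCOUNT_TTL_SECONDS = 24 * 60 * 60  # assumed TTL for a discount-code link

def issue_token(purpose, subject, ttl_seconds, now=None):
    """Mint 'purpose.subject.expiry.nonce.signature'; the HMAC covers every other field."""
    now = int(time.time()) if now is None else now
    payload = f"{purpose}.{subject}.{now + ttl_seconds}.{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token, expected_purpose, now=None):
    """Return (ok, subject_or_reason): signature first (constant time), then expiry, then purpose.

    The nonce lets the caller record redeemed tokens and reject a second use;
    that store is not part of this example.
    """
    now = int(time.time()) if now is None else now
    try:
        head, expiry, nonce, sig = token.rsplit(".", 3)  # the subject (an email) may contain dots
        purpose, subject = head.split(".", 1)            # purpose names never contain a dot (assumption)
        expiry = int(expiry)
    except ValueError:
        return False, "malformed"
    payload = f"{purpose}.{subject}.{expiry}.{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now >= expiry:
        return False, "expired"
    if purpose != expected_purpose:
        return False, "wrong purpose"
    return True, subject
```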

Policy

13. Get The Sign-Up Right

As painful as it may sound, a proper sign-up means a double opt-in.

The biggest benefits are:

  • You can now weed out spam
  • Get their confirmation for CCPA/HIPAA/GDPR
  • Slide into their inbox with confidence

Other than offering double-opt-in, here are the steps to make your email more secure:

  • Provide rewards for profile completion; offer a minuscule discount (if needed)
  • Launch the removal flow for any new accounts that don't open your emails or show no activity for at least 6 months

Quick Tip: Ensure you avoid a hard bounce—if you are migrating lists, always validate all emails first before sending. 

14. Time Your Flows Correctly

This is extremely important if you’re just starting out, or are sending emails infrequently. 

Email marketing gurus recommend maintaining a steady sending frequency, but how much is too much, or too little?

Most marketers agree that they reach out to their subscribers on a weekly basis.

How do you figure it out?

  • Ask your users for feedback during the opt-in process
  • Pose a question like “how often do you want us in your inbox”
  • Doing this helps you maintain the frequency as well as segment your list

Quick-Tip: There’s no incorrect frequency, as long as you aren’t bombarding your customers with emails—which brings us to our next point:

15. Get Your Promo Frequency Right

As we’ve mentioned before: a sudden spike in your sending activity may send bells ringin’ (not the good kind).

Now, most eCommerce brands trigger emails based on behavior—all while sending emails from their regular drip. 

As a result, users may often end up getting at least 5 to 6 emails within 2 to 3 consecutive days (or more).

The new rules also watch for sudden spikes; any deviation from your normal pattern could result in rate limiting or a drop in sender score.

How do you take control of this?

  • As an automation pro, do what you do best: create another rule
  • Ensure that all other flows are paused for a subscriber when a certain flow is triggered
  • For example: pause all other flows until a subscriber has finished receiving emails from your “browse abandonment” drip

Quick-Tip: Avoid adding in multiple promotional elements within your transactional emails. 

16. Avoid Graymail Suppression – Maintain List Hygiene

“Remove all inactive and incomplete accounts.” 

Sounds all too familiar? That's because these subscribers contribute to graymail.

Graymail is mail that doesn't get opened, yet provides value (and is not spam).

What does this mean for your emails? Your sender score may drop, which may lead to an increased spam score. 

How do you fix it?

  • Break out the win-back email for segments that haven’t opened your emails in the last 6 months 
  • Launch the unsubscribe flow if your product has a high purchase frequency (for example: food, beauty products, etc)
  • If your products have a long shelf life, launching the unsubscribe flow for non-purchasers can help
  • For purchasers, consider reducing your sending frequency

Quick Tip: Never buy lists, or cold mail anyone who hasn’t opted for your emails—doing this will result in a blacklist (which isn’t recoverable).

17. Let Them Unsubscribe

The new requirements bring in RFC 8058, i.e., one-click unsubscribe.

This means an unsubscribe request can be completed from within the inbox, without opening a browser.

While this method does secure your emails, it does not bode well for eCommerce brands—there’s no option to collect feedback.

Quick Tip: Look out for replies that ask you to unsubscribe them from your list.
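To make the one-click mechanism concrete, here is an added Python example (not part of the original post) that puts the RFC 8058 headers on an outgoing message and shows the server-side check that honours only a genuine one-click POST from the mailbox provider. The sender, unsubscribe URL, mailto address and token are constructed placeholders.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Constructed placeholders for the store's sending address and unsubscribe endpoint
SENDER = "promo-box@example.com"
UNSUB_MAILTO = "unsubscribe@example.com"
UNSUB_URL = "https://example.com/unsubscribe?token=abc123"  # the token identifies the recipient

def build_bulk_message(recipient, subject, body, unsub_url=UNSUB_URL, unsub_mailto=UNSUB_MAILTO):
    """Build a marketing message carrying the RFC 8058 one-click unsubscribe headers."""
    if urlparse(unsub_url).scheme != "https":
        raise ValueError("RFC 8058 requires an https URI for one-click unsubscribe")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<{unsub_url}>, <mailto:{unsub_mailto}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"  # tells the provider a POST is enough
    msg.set_content(body)
    return msg

def handle_unsubscribe_post(method, content_type, body, query):
    """Server side of the flow: return (http_status, token), acting only on a genuine one-click POST.

    The mailbox provider POSTs the body 'List-Unsubscribe=One-Click' to the URL; anything else
    (a link-scanner issuing a GET, a stray form) must not unsubscribe anyone.
    """
    if method != "POST":
        return 405, None
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return 415, None
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400, None
    token = parse_qs(query).get("token", [None])[0]
    if not token:
        return 400, None
    return 200, token  # the caller looks the token up and removes that recipient from the list
```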

18. Use Your Name

This one’s strictly for your users—looking at a familiar name helps them know where it’s from.

Note the example below:

[Image: example of sender names in an email inbox]

Keep in mind that your users should know who you are. Here are some best practices for sender names:

  • Keep it under 25 characters
  • Use a combination of your first name and your brand, like “Joe@Convertcart <joe@convertcart.com>”
  • Or a short description of your role, like “Support @Convertcart <joe@convertcart.com>”

Quick Tip: If you use your full name, ensure that your pre-header text contains your brand name. 

Organizational

19. Share Access Only With Critical People

Follow the principle of least privilege: limit access to your email marketing tool to the people who need it.

  • If you manage a team or outsource the work, create levels of access
  • For example, manager-level access keeps confidential details such as user information or list access guarded
  • Ensure that you and your teams use password managers; this prevents password reuse
  • Audit your access list every month for changes to your organization (if any)

Quick Tip: Implement two-factor authentication (2FA, logging in with an OTP sent to your phone or email) or single sign-on (SSO, logging in through a third-party identity provider) to authenticate every single login to your ESP's tool.

20. Keep Your Emails Separate (But Monitor For Replies)

Segmentation works everywhere—even when it’s your personal and work emails. 

Ensure that you don’t route your business emails/internal emails, through your bulk email address.

However, chances are that you will get replies to your marketing emails.

This is why we recommend setting up a separate address dedicated to replies (use the Reply-To field).

Quick Tip: If your ESP doesn’t allow reply-to fields, set up an auto-reply for your bulk email to inform users something like “Your response has been recorded. Got something urgent? Send us a DM @Live Chat Support.”

21. Don’t Mark Your Internal Mail as Spam

Almost all websites send out a lot of automated emails, and these will often bear your domain name (depending on your CMS).

Don't mark these as spam, and don't mark these either:

  • Process emails, bearing your domain name
  • Test emails bearing your domain name
  • Or any other email that bears your subdomain or domain name

Quick Tip: If you send out a huge volume of emails for marketing purposes, keep your internal mail-sending domain separate (for additional security).

22. Update Your Plugins

If your store runs outdated plugins, your website and your emails both become vulnerable.

For starters, attackers can inject malicious code into your website and take over your site data.

How do you prevent this?

  • Reduce plugin usage (keep only the plugins you need)
  • Opt for tools that have security controls for the data passing through your plugins

Quick Tip: Watch for sudden spikes in form submissions, and back up your databases regularly.

23. Use & Receive Links/QR With Caution

As an eCommerce founder, you're no stranger to spoofed emails, or to emails from unknown sources with questionable links.

Your employees, however, may not be as familiar with them.

Ensure that your employees practice these measures (always):

  • Never open any links on their business/personal emails at work 
  • Always open links within a secure/incognito window (to prevent automatic downloads)
  • Avoid scanning QR codes at all costs

Quick Tip: Never allow any phone logins for your internal/marketing emails.
