• United States




How CIOs can fight the rise in shadow email

Apr 21, 20175 mins
Email ClientsSecurity

A substantial percentage of cloud services may be sending email on your company’s behalf. Here' s how to get control over the problem of shadow email.

shadowy figure reaching out of blurred background
Credit: Thinkstock

One feature of today’s cloud-centric landscape is just how many different services may be sending email on your company’s behalf, even when email does not appear to be their primary function.

We call this “shadow email,” because these emails are going out (potentially exposing your company to risk and liability) without any awareness or oversight by the CIO, CSO or IT teams. Like shadow IT, shadow email lurks in the dark corners of your domain.

I’ve worked with dozens of companies to help them discover and manage their shadow email services, and I have yet to encounter a CIO who wasn’t surprised by the sheer volume of cloud services that were sending email on their behalf—sometimes dozens of them.

If you’re a CIO or CSO and this doesn’t scare you, it should. Liability, compliance, security–these are the kinds of things that keep CIOs up at night. And shadow email brings all of them into play.

Anatomy of a shadow email sender

Here’s how shadow email comes about. Say your sales team finds a useful cloud tool that lets them collect data and rank leads using some kind of new algorithm. One of its secondary functions is that it can be used to send emails to those leads on behalf of your sales reps. The emails look like they’re coming from your company, but they are actually being sent by the cloud service’s servers.

Of course, your IT department is certainly aware of big cloud providers like and Workday, because they’re large companies offering mission-critical services used by a huge chunk of your employees. By now, most IT managers know their company may be using many other cloud services that didn’t come in through the IT department. CIOs have gotten pretty good at finding and getting “shadow IT” services under control in the past few years.

What many don’t realize is how many of those services are also sending email on the company’s behalf. In fact, we’ve identified over 10,000 third-party cloud services that send email. Unless you’ve set up authentication (and most companies haven’t), it’s trivially easy for any of these cloud services to put your company’s domain name in the From: field without any knowledge or involvement from you at all.

In short, a substantial percentage of cloud services are using email as a pipeline to your employees and customers. They are doing it—the messages carry your return email address and apparently originate from you—in a way that encourages customers to believe that they are official communications from you.

There are perfectly valid reasons for these third parties to send email as you. They simply need to be authorized and go through proper compliance, rather than being turned on by anyone in the company with no compliance and no security audit checks.

The risks of staying in the shadows

Shadow email services often go undiscovered and unmanaged by IT, because it’s so easy to overlook their role as email senders. It’s just email, after all, right?

Not so fast. Shadow email brings up several serious issues for the CSO and CIO:

  • Visibility: In many cases, IT is not even aware that these services are sending email with the company’s domain name. There’s no oversight, no need to go through the company’s official mail servers, and no reporting.

  • Control: Because cloud services send email with their own servers, IT has no way to reach out and turn those message pipelines on or off. There’s no “god switch” that gives you control over the third party’s email servers.

  • Compliance: If an email-sending service hasn’t gone through your company’s internal compliance or auditing process, it could be a security risk. It might violate the CAN-SPAM act or other regulations about emailing customers or potential customers.

  • Security: Letting an outside server handle your email could put customer data at risk (at the very least, potentially exposing their emails to others). And because you don’t control the cloud service’s email servers, you have no way to hold them accountable or correct a problem if something goes wrong.

 On top of all of that, the CIO is expected to manage all these services, but in many cases isn’t even aware that they exist.

Moving towards visibility and control

There is a way through this thicket of confusion. Email authentication through DMARC gives IT visibility and control over shadow email. 

You’ve probably heard of DMARC, an open standard that has rapidly won nearly ubiquitous support among big email service providers like Google and Microsoft, because it is an extremely effective way to prevent same-domain phishing attacks and brand impersonation. With DMARC authentication properly configured and set to enforcement mode, email that uses your domain name in the From: and Reply-to: fields without your approval will be rejected, whether sent by spammers, phishers or legitimate cloud services you haven’t yet whitelisted.

With proper oversight, DMARC can also help companies gain control over shadow email. That’s because the standard includes built-in reporting features so any service that attempts to send email on your behalf without being on your whitelist will trigger a record in a DMARC event log.

DMARC gives CIOs and CSOs nearly instant awareness of the shadow email services attempting to send mail on behalf of their companies. Suddenly, all those cloud services that want to use your domain in their email messages need to come to you for approval first.

Given how critical email is, gaining visibility and control over shadow email services is a major win for IT. It puts the CIO back in the driver’s seat and helps ensure that all cloud services that want to send email on the organization’s behalf are in compliance, secured and monitored.

It might just help you sleep better at night as well.


Alexander García-Tobar is CEO and co-founder of ValiMail, a leading provider of email authentication services for CIOs of large enterprises, located in San Francisco. Alexander has deep roots in the email authentication and cybersecurity space, as a global executive and advisor at Agari, ValiCert and Sygate.

A veteran entrepreneur, Alexander has held various positions at high tech companies such as Lattice3D, SyncTV and Individual. Prior to that he worked at leading research and consulting firms such as The Boston Consulting Group and Forrester Research.

The opinions expressed in this blog are those of Alexander García-Tobar and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.