One feature of today\u2019s cloud-centric landscape is just how many different services may be sending email on your company\u2019s behalf, even when email does not appear to be their primary function.We call this \u201cshadow email,\u201d because these emails are going out (potentially exposing your company to risk and liability) without any awareness or oversight by the CIO, CSO or IT teams. Like shadow IT, shadow email lurks in the dark corners of your domain.I\u2019ve worked with dozens of companies to help them discover and manage their shadow email services, and I have yet to encounter a CIO who wasn\u2019t surprised by the sheer volume of cloud services that were sending email on their behalf\u2014sometimes dozens of them.If you\u2019re a CIO or CSO and this doesn\u2019t scare you, it should. Liability, compliance, security--these are the kinds of things that keep CIOs up at night. And shadow email brings all of them into play.Anatomy of a shadow email senderHere\u2019s how shadow email comes about. Say your sales team finds a useful cloud tool that lets them collect data and rank leads using some kind of new algorithm. One of its secondary functions is that it can be used to send emails to those leads on behalf of your sales reps. The emails look like they\u2019re coming from your company, but they are actually being sent by the cloud service\u2019s servers.Of course, your IT department is certainly aware of big cloud providers like Salesforce.com and Workday, because they\u2019re large companies offering mission-critical services used by a huge chunk of your employees. By now, most IT managers know their company may be using many other cloud services that didn\u2019t come in through the IT department. CIOs have gotten pretty good at finding and getting \u201cshadow IT\u201d services under control in the past few years.What many don\u2019t realize is how many of those services are also sending email on the company\u2019s behalf. In fact, we\u2019ve identified over 10,000 third-party cloud services that send email. Unless you\u2019ve set up authentication (and most companies haven\u2019t), it\u2019s trivially easy for any of these cloud services to put your company\u2019s domain name in the From: field without any knowledge or involvement from you at all.In short, a substantial percentage of cloud services are using email as a pipeline to your employees and customers. They are doing it\u2014the messages carry your return email address and apparently originate from you\u2014in a way that encourages customers to believe that they are official communications from you.There are perfectly valid reasons for these third parties to send email as you. They simply need to be authorized and go through proper compliance, rather than being turned on by anyone in the company with no compliance and no security audit checks.The risks of staying in the shadowsShadow email services often go undiscovered and unmanaged by IT, because it\u2019s so easy to overlook their role as email senders. It\u2019s just email, after all, right?Not so fast. Shadow email brings up several serious issues for the CSO and CIO:Visibility: In many cases, IT is not even aware that these services are sending email with the company\u2019s domain name. There\u2019s no oversight, no need to go through the company\u2019s official mail servers, and no reporting.Control: Because cloud services send email with their own servers, IT has no way to reach out and turn those message pipelines on or off. There\u2019s no \u201cgod switch\u201d that gives you control over the third party\u2019s email servers.Compliance: If an email-sending service hasn\u2019t gone through your company\u2019s internal compliance or auditing process, it could be a security risk. It might violate the CAN-SPAM act or other regulations about emailing customers or potential customers.Security: Letting an outside server handle your email could put customer data at risk (at the very least, potentially exposing their emails to others). And because you don\u2019t control the cloud service\u2019s email servers, you have no way to hold them accountable or correct a problem if something goes wrong.\u00a0On top of all of that, the CIO is expected to manage all these services, but in many cases isn\u2019t even aware that they exist.Moving towards visibility and controlThere is a way through this thicket of confusion. Email authentication through DMARC gives IT visibility and control over shadow email.\u00a0You\u2019ve probably heard of DMARC, an open standard that has rapidly won nearly ubiquitous support among big email service providers like Google and Microsoft, because it is an extremely effective way to prevent same-domain phishing attacks and brand impersonation. With DMARC authentication properly configured and set to enforcement mode, email that uses your domain name in the From: and Reply-to: fields without your approval will be rejected, whether sent by spammers, phishers or legitimate cloud services you haven\u2019t yet whitelisted.With proper oversight, DMARC can also help companies gain control over shadow email. That\u2019s because the standard includes built-in reporting features so any service that attempts to send email on your behalf without being on your whitelist will trigger a record in a DMARC event log.DMARC gives CIOs and CSOs nearly instant awareness of the shadow email services attempting to send mail on behalf of their companies. Suddenly, all those cloud services that want to use your domain in their email messages need to come to you for approval first.Given how critical email is, gaining visibility and control over shadow email services is a major win for IT. It puts the CIO back in the driver\u2019s seat and helps ensure that all cloud services that want to send email on the organization\u2019s behalf are in compliance, secured and monitored.It might just help you sleep better at night as well.