Choosing the Best SMTP Providers – Top 5 SMTP Providers Compliance Comparison
https://mailtrap.io/blog/smtp-providers-compliance-comparison/ (Fri, 25 Jul 2025)

When you manage millions of transactional emails or orchestrate extensive marketing campaigns, the nuances of data protection, privacy, and regulatory adherence can make or break your operations. 

This is precisely why you need to keep a close eye on compliance and set a goal to find a provider that: 

  • Safeguards your data 
  • Respects user privacy 
  • Helps you navigate the labyrinth of GDPR, CCPA, and HIPAA

To help you make an informed decision, I’ll peel back the layers of documentation, from privacy policies and Data Processing Agreements (DPAs) to providers’ infrastructure disclosures and feature sets. My SMTP providers compliance comparison also incorporates: 

  • Insights from practical testing
  • The visibility of audit logs 
  • The flexibility of account roles 
  • The accessibility of DPAs 
  • The robustness of data deletion options

SMTP providers compliance comparison: a snapshot

The snapshot gives you an immediate overview of where each provider typically shines and how they initially position themselves regarding compliance. 

Truth be told, all the providers listed here are compliant, so it’s not like you’ll make a mistake and choose a service that would somehow jeopardize the legality of your campaigns. But they serve slightly different business needs, and Amazon SES, for example, requires expertise to set up. 

Anyway, the table below provides a high-level overview. Click on the detailed comparison below for the full analysis.

| Category | Mailtrap | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| Regulations Compliance | High | High | High | Configuration Dependent | High |
| Data Residency | EU/US | EU/US | Global | Multiple Regions | US |
| Auditing & Accountability | Excellent | Good | Very Good | Detailed | Good |
| Access & User Controls | Granular | Good | Very Good | Extensive | Good |
| Data Control & Retention | Flexible | Flexible | Flexible | Configurable | Flexible |
| Legal Compliance | Strong | Strong | Strong | Strong | Strong |
| Certifications | ISO 27001 | SOC 2 | SOC 2, ISO | Many (AWS) | SOC 2 |

Methodology

My analysis is built on a two-pronged methodology: 

  1. Rigorous documentation review 
  2. Practical, hands-on testing 

I aimed to make the insights theoretically sound and reflective of real-world functionality for high-volume senders. So, here’s the gist of it. 

Documentation research:

  • Privacy policies: To understand how each provider collects, uses, stores, and protects personal data.
  • Data Processing Agreements (DPAs): Crucial for GDPR and other privacy regulations, I examined the terms and responsibilities outlined for them as data processors. This included looking for clear commitments on data security, incident response, and sub-processor management.
  • Infrastructure disclosures: Understanding where and how their data centers operate, their network security, and redundancy measures.
  • Feature documentation: Specifically looking for features designed to aid customer compliance, such as data retention controls, audit logs, and access management capabilities.

Hands-on testing:

Beyond what’s written, I explored the practical implementation of compliance features within the platforms. This involved:

  • Audit log visibility: Assessing the detail and accessibility of logs that track user activities and system changes, which are vital for accountability and incident investigation.
  • Account roles and permissions: Examining the granularity of user roles and how platforms (and users) control access to sensitive data and features. This is essential for adhering to the principle of least privilege.
  • DPA access and signing process: Evaluating how easily a customer can access and execute a DPA with the provider.
  • Data deletion options: Testing the mechanisms for customers to permanently delete their data (e.g., email logs, recipient lists) and understanding the retention policies in practice.

With all that, I could present a balanced view, distinguishing between stated policies and their functional implementation. In turn, you get the most relevant insights for your compliance strategy.

SMTP providers compliance detailed comparison

Here, I’ll break down each compliance category, comparing Mailtrap, Mailgun, SendGrid, Amazon SES, and Postmark based on my research and hands-on observations.

Regulations compliance: the global maze 🌎

Before the deep-dive, I’d like to give you the exact context since it’s easy to get lost in all the abbreviations and standards. 

When I talk about “regulations compliance”, I’m referring to SMTP providers’ inherent ability and demonstrable commitment to operate within the frameworks of major data protection and privacy laws worldwide. 

In my assessment, this means looking at their official stance, available documentation (like DPAs), and features that support your own compliance efforts regarding laws like GDPR, CCPA/CPRA, and, where applicable, HIPAA.

Here’s a direct comparison of how each provider approaches key regulations:

| Regulation | Mailtrap (Email Delivery Platform) | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| GDPR | Dedicated DPA, data minimization, EU hosting, processing transparency. Supports data subject rights. | Dedicated DPA, EU hosting options, transparent sub-processors. | Standard DPA, robust security, data breach notification, data management tools. | Inherits AWS GDPR compliance; DPA available. User config dependent. | Dedicated DPA, data handling transparency, data retention controls. |
| CCPA/CPRA | Privacy policy aligns with consumer rights; transparent data practices. | Privacy policy addresses consumer rights; data management features assist. | Privacy policy details consumer rights; data access/deletion support. | AWS provides guidance and tools for customer compliance; user config dependent. | Privacy policy aligns with consumer rights; data control options. |
| HIPAA | No; will only review an existing BAA. | Offers BAA; specific configurations for PHI. | Offers BAA; specific configurations for PHI. | Offers BAA; extensive tools for PHI environments; user config dependent. | May support specific use cases with BAA; direct consultation recommended. |
| CAN-SPAM | Built-in email authentication (DKIM, SPF, DMARC), robust unsubscribe management, clear anti-spam policy. | Comprehensive authentication, unsubscribe management, anti-spam policies. | Strong deliverability features, compliance with opt-out mechanisms. | Supports authentication; user responsibility for list hygiene. | Focus on transactional email, strong deliverability; opt-out managed by user. |

Interpretation: 

Here’s my take on what these comparisons mean for you:

  • GDPR: I look for a clear DPA, transparency about data processing, and features that help me uphold data subject rights (like easy data deletion or access logs).
    • Mailtrap, Mailgun, SendGrid, and Postmark all offer dedicated DPAs and clear policies, making them solid choices. They provide the necessary contractual framework. Mailtrap’s focus on secure email delivery naturally integrates these principles. For more in-depth info on the subject, check: A deeper dive into GDPR and Emails: How to Stay Compliant.
    • Amazon SES inherits AWS’s compliance. While the underlying infrastructure is compliant, it places more responsibility on you to configure your services correctly for full GDPR adherence. This is suitable for those with strong DevOps teams who want ultimate control, but it might be a steeper learning curve for others.
  • CCPA/CPRA: If you handle personal information of California residents, these acts are paramount. The focus here is on consumer rights: knowing what data is collected, opting out of its sale, and requesting deletion.
    • All five providers demonstrate alignment with these principles in their privacy policies and offer features that support your obligations. My review confirms that they understand the need for transparency and control. Again, if you need more, check out how CCPA impacts your email strategy at CCPA Email Best Practices.
  • HIPAA: This one is highly specialized. If your business deals with Protected Health Information (PHI), a Business Associate Agreement (BAA) is essential.
    • Mailgun, SendGrid, and Amazon SES explicitly offer BAAs and have well-documented capabilities for handling PHI environments. Amazon SES, being part of AWS, offers an extensive toolkit for building HIPAA-compliant architectures.
    • Mailtrap doesn’t directly support HIPAA, but we’re ready to review a client’s existing BAA.
    • Postmark doesn’t support HIPAA.

Note: The topic has its fair share of intricacies. Therefore, it wouldn’t hurt to check our post on How to Ensure Your Email is HIPAA Compliant?

  • CAN-SPAM Act: Its core tenets involve clear identification, opt-out mechanisms, and valid sender information. And keep in mind that, while often associated with marketing, CAN-SPAM also applies to transactional emails in certain contexts. 
    • All providers facilitate compliance here by supporting essential email authentication standards like SPF, DKIM, and DMARC, which are critical for sender reputation and deliverability. They also handle aspects like unsubscribe links. Ultimately, ensuring your email content and sending practices adhere to CAN-SPAM is largely your responsibility, but the providers give you the necessary tools. 
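
Publishing SPF and DMARC records is the sender’s side of the authentication the providers support, and weak settings (an SPF record ending in `+all`, a DMARC policy of `p=none`, no reporting address) are easy to miss. The following is an added example, not code from this post or from any of the providers compared: a small checker that parses SPF and DMARC TXT records and reports the settings a compliance review should flag. The record strings are constructed samples for a hypothetical domain.

```python
"""Sanity-check the SPF and DMARC TXT records a sending domain publishes.

Added example; the record strings below are constructed samples for a
hypothetical domain, not records of any real domain or provider.
"""
import re

# Constructed sample TXT records (hypothetical domain, hypothetical ESP include).
SAMPLE_SPF = "v=spf1 include:_spf.example-esp.net ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"

# Mechanisms/modifiers that cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|redirect)(?=[:/=]|$)", re.I)


def parse_spf(record: str) -> dict:
    """Split an SPF record into its terms and report the qualifier on 'all'
    ('+' pass, '-' fail, '~' softfail, '?' neutral; None if absent)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_qualifier = None
    for term in mechanisms:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value' pairs of a DMARC record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_records(spf_record: str, dmarc_record: str) -> list:
    """Return a list of findings; an empty list means both records look sound."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' authorises any host to send as this domain")
    lookups = sum(1 for m in spf["mechanisms"] if LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if not policy or policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_SPF, SAMPLE_DMARC) or ["no findings"]:
        print(finding)
```

To use it on a real domain, fetch the TXT records for the domain and for `_dmarc.<domain>` with your resolver of choice and pass the strings in; the checker deliberately does no DNS itself so it can be run in CI against the records you intend to publish.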

In essence, while all providers strive for general compliance, the depth of their support and the ease with which you can achieve compliance vary. For high-volume senders, the ability to easily sign a DPA, leverage granular controls, and have transparent data handling practices is a must-have.

Data residency and processing

Data residency refers to the physical or geographical location where an organization’s data is stored and processed. 

For high-volume email senders, particularly those operating across different continents or in highly regulated industries, the ability to choose data residency (or at least have transparency about it) can be critical, because data residency may dictate compliance with local laws and internal policies within a particular region. 

Data processing, on the other hand, describes how that data is handled, transformed, and managed throughout its lifecycle. And, just to stress, it’s as important as the residency. 

Here’s my comparison of how each SMTP provider addresses data residency and processing:

| | Mailtrap | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| Primary Data Centers | EU & US | EU & US | Global | Global | US |
| Data Residency Choice | Yes (EU or US) | Yes (EU or US) | Mainly US/EU | Extensive (AWS region) | No (US only) |
| Data Flow Transparency | High | High | High | High | High |
| Data Encryption | At rest (AES-256), in transit (TLS 1.2+) | At rest (AES-256), in transit (TLS 1.2+) | At rest (AES-256), in transit (TLS 1.2+) | At rest (KMS), in transit (TLS 1.2+) | At rest (AES-256), in transit (TLS 1.2+) |

Interpretation:

  • Data residency choice:
    • Mailtrap offers clear choices between EU and US data centers, which is a significant advantage for businesses needing to ensure their email data doesn’t leave a specific jurisdiction.
    • Mailgun also provides EU and US options, giving similar flexibility.
    • Amazon SES stands out with the vast number of AWS regions available globally. If you’re already operating within a specific AWS region, keeping your email data there simplifies your compliance landscape considerably. 
    • SendGrid operates globally, meaning the data might traverse or be processed in different regions for optimal deliverability. While they are compliant, explicit regional data residency choice for all data at rest could be less straightforward than with Mailtrap or Amazon SES.
    • Postmark primarily processes data in the US. This is perfectly fine for US-centric businesses.
  • Data flow transparency:
    • All providers generally offer good transparency in their documentation regarding data flow. I pay close attention to DPAs and privacy policies to ensure no hidden routes or unexpected data transfers.
  • Data Encryption:
    • I expected, and confirmed, that all these providers implement robust encryption at rest (when data is stored on servers) and in transit (when it’s moving across networks).
    • All five providers utilize industry-standard encryption protocols (AES-256 for data at rest, TLS 1.2+ for data in transit). This ensures that even if data were intercepted or accessed without authorization, it would be unreadable without the keys.
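
The provider’s “TLS 1.2+ in transit” guarantee only holds if the client that connects to it refuses to negotiate anything weaker. As an added example (not code from this post or from any provider), here is a Python SMTP client setup that contrasts a careless TLS context with a hardened one and wires the hardened one into a STARTTLS session. Host name, port and credentials are placeholders.

```python
"""Enforce TLS 1.2 or newer, with certificate verification, when relaying mail
to an SMTP provider over STARTTLS.

Added example. The provider encrypts in transit, but the connecting client
decides whether it accepts a downgraded or unverified session. Host names and
credentials are placeholders, not any provider's real values.
"""
import smtplib
import ssl
from email.message import EmailMessage


def weak_tls_context() -> ssl.SSLContext:
    """The setting to avoid: certificate verification switched off, so any
    on-path party can terminate the session. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context() -> ssl.SSLContext:
    """Verify the provider's certificate against the system trust store and
    refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Startup policy check: verification on and minimum protocol TLS 1.2."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def send_via_starttls(host: str, port: int, username: str, password: str,
                      msg: EmailMessage) -> None:
    """Relay `msg` over a STARTTLS session that satisfies the hardened policy.
    Needs network access, so it is not exercised offline."""
    ctx = hardened_tls_context()
    if not context_is_acceptable(ctx):
        raise RuntimeError("TLS policy not satisfied")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # Raises ssl.SSLError if the server cannot meet TLS 1.2 or fails verification.
        smtp.starttls(context=ctx)
        smtp.ehlo()
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    message = EmailMessage()
    message["From"] = "noreply@example.com"      # placeholder sender
    message["To"] = "recipient@example.com"      # placeholder recipient
    message["Subject"] = "TLS policy demo"
    message.set_content("Sent over a verified TLS 1.2+ session.")
    # send_via_starttls("smtp.example-provider.test", 587, "user", "secret", message)
    print("hardened context acceptable:", context_is_acceptable(hardened_tls_context()))
```

Running `context_is_acceptable` on the context your application actually builds, at startup and in tests, turns the provider’s transport claim into something you can verify on your side of the connection.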

In essence, if data residency is a hard requirement for your business (e.g., due to government contracts or specific industry regulations), providers offering explicit regional choices like Mailtrap, Mailgun, and Amazon SES should be at the top of your list.

For others, understanding the transparent data flow and robust encryption practices of all providers gives confidence in their security posture.

Auditing and accountability

Being able to prove WHAT happened WHEN is as vital as sending the email itself. Auditing and accountability refer to the mechanisms an SMTP provider puts in place to log activities, track changes, and ensure transparency in their operations and your usage of their platform. 

For me, this means:

  • Readily available audit logs
  • Clear incident response protocols
  • Transparent sub-processor management 

These features are indispensable for internal governance, external audits, and forensic investigations in case of a security incident or compliance query.

Here’s my analysis of how each provider handles auditing and accountability:

| | Mailtrap | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| Audit Logs | Detailed | Detailed | Extensive | Detailed | Good |
| Log Retention | Yes | Yes | Yes | Yes | Yes |
| Incident Response Transparency | Transparent | Transparent | Transparent | Robust AWS-wide framework | Transparent |
| Sub-processor Transparency | Publicly listed and updated | Publicly listed and updated | Publicly listed and updated | Documented AWS sub-processors | Publicly listed and updated |
| Compliance Reports/Certifications | ISO 27001, SOC 2 (in progress) | SOC 2 Type 2 | SOC 2 Type 2, ISO 27001, CSA STAR | SOC 1, 2, 3, ISO, PCI DSS, HIPAA | SOC 2 Type 2 |

Interpretation

For high-volume senders, robust auditing and a transparent accountability framework from your SMTP provider are non-negotiable. This enables you to maintain internal oversight, respond effectively to incidents, and confidently demonstrate your compliance posture to regulators and customers alike.

  • Audit logs: These are your digital breadcrumbs. I rely on them to understand who did what, when, and from where. They’re crucial for security investigations, troubleshooting, and demonstrating due diligence to auditors.
    • All providers offer some form of audit logging. Amazon SES, benefiting from the entire AWS ecosystem, offers incredibly granular logging via services like CloudTrail, allowing for highly detailed activity tracking across your entire AWS infrastructure. 
    • Mailtrap, Mailgun, SendGrid, and Postmark also provide strong audit logging capabilities. They typically track user logins, API calls, setting changes, and other critical account activities. 
  • Log retention: How long are those logs kept? This is vital for meeting regulatory requirements (e.g., GDPR mandates records of processing activities).
    • Most providers offer configurable log retention periods, from a few days up to several months or even years, depending on the service tier and specific log type. For instance, Mailtrap allows for configurable retention, which is essential for aligning with various compliance policies. Amazon SES gives you the most flexibility, allowing you to store logs in S3 for virtually as long as you need. This flexibility is key for organizations with long-term audit requirements.
  • Incident response transparency: How quickly and clearly does the provider communicate in the event of an outage or security breach?
    • I look for publicly available status pages and documented incident response plans. All providers maintain status pages and have internal protocols. SendGrid and AWS (for SES) often publish more detailed transparency reports or security bulletins, reflecting their scale and commitment to a wide user base. 
  • Sub-processor transparency: All five providers maintain publicly accessible lists of their sub-processors. This transparency demonstrates their commitment to accountability and allows you to perform your own due diligence on their supply chain.
  • Compliance Reports/Certifications: These third-party attestations (like SOC 2, ISO 27001) are independent validations of a provider’s security and compliance posture.
    • Amazon SES, as part of AWS, benefits from the broadest range of certifications, covering virtually every major compliance framework. 
    • Mailgun, SendGrid, and Postmark all hold SOC 2 Type 2 reports, which is a strong indicator of their robust internal controls over security, availability, processing integrity, confidentiality, and privacy.
    • Mailtrap has ISO 27001 and is pursuing SOC 2, showcasing its commitment to these rigorous standards as its platform scales. These certifications aren’t just badges; they represent a deep commitment to maintaining high security and operational standards. 
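
An audit log is only useful if someone actually reads it, and for a high-volume sender that means automation. The following is an added example, not code from this post or any provider’s tooling: it parses a short, constructed account audit log (the JSON field names are a hypothetical schema, not any provider’s export format), flags the events an investigator cares about, and reports how far back the export reaches so you can compare it with the retention period your policy requires.

```python
"""Review an SMTP account's audit log for high-risk actions, logins from new
addresses, and bursts of failed logins, and measure the log's time span.

Added example. The log lines are constructed and the field names are a
hypothetical schema, not the export format of any provider on the page.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-07-01T08:02:11Z","actor":"ana@example.com","action":"user.login","ip":"198.51.100.7","ok":true}
{"ts":"2025-07-01T08:05:40Z","actor":"ana@example.com","action":"api_key.created","ip":"198.51.100.7","target":"key_01"}
{"ts":"2025-07-02T23:14:09Z","actor":"ana@example.com","action":"user.login","ip":"203.0.113.55","ok":true}
{"ts":"2025-07-02T23:15:02Z","actor":"ana@example.com","action":"domain.deleted","ip":"203.0.113.55","target":"mail.example.com"}
{"ts":"2025-07-03T10:00:00Z","actor":"bot@example.com","action":"user.login","ip":"203.0.113.9","ok":false}
{"ts":"2025-07-03T10:00:05Z","actor":"bot@example.com","action":"user.login","ip":"203.0.113.9","ok":false}
{"ts":"2025-07-03T10:00:09Z","actor":"bot@example.com","action":"user.login","ip":"203.0.113.9","ok":false}
"""

# Actions that change the account's security posture and always deserve review.
HIGH_RISK = {"api_key.created", "domain.deleted", "role.changed", "retention.changed"}


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def review(events: list, failed_login_threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> list:
    """Return findings (dicts with a 'kind' key) in the order the events occur."""
    findings = []
    known_ips = {}   # actor -> set of source IPs seen on successful logins so far
    failures = {}    # (actor, ip) -> timestamps of failed logins
    for ev in events:
        actor, action, ip, ts = ev["actor"], ev["action"], ev.get("ip"), ev["ts"]
        if action == "user.login":
            if ev.get("ok"):
                seen = known_ips.setdefault(actor, set())
                if seen and ip not in seen:
                    findings.append({"kind": "login_from_new_ip", "actor": actor, "ip": ip, "ts": ts})
                seen.add(ip)
            else:
                bucket = failures.setdefault((actor, ip), [])
                bucket.append(ts)
                recent = [t for t in bucket if ts - t <= window]
                if len(recent) == failed_login_threshold:
                    findings.append({"kind": "repeated_failed_logins", "actor": actor,
                                     "ip": ip, "ts": ts, "count": len(recent)})
        elif action in HIGH_RISK:
            findings.append({"kind": "high_risk_action", "actor": actor, "action": action,
                             "target": ev.get("target"), "ip": ip, "ts": ts})
    return findings


def retention_span(events: list) -> timedelta:
    """How far back the export reaches; compare with the period your policy requires."""
    stamps = [ev["ts"] for ev in events]
    return max(stamps) - min(stamps)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in review(evs):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['kind']:24} {f['actor']} {f.get('action', '')} {f['ip']}")
    print("log covers", retention_span(evs))
```

The first successful login seeds the set of known addresses for each actor, so the script reports a change of source rather than every login; the threshold and window for failed logins are parameters because the right values depend on how your team actually uses the account.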

If you’d like to learn more about this security aspect check our blog posts: Understanding Secure Email Server: A Comprehensive Guide and SMTP Security Best Practices: A Comprehensive Guide.

In summary, for large-scale senders, a provider’s audit logging, log retention options, and independent certifications are what let you demonstrate your compliance posture to regulators and customers rather than merely assert it.

Access and user controls

In large organizations, managing WHO has access to WHAT and ensuring that access is secure and appropriate is a fundamental pillar of compliance and security. In this context, access and user controls refer to the features an SMTP provider offers to manage user accounts, define roles and permissions, secure logins, and control API access. 

In turn, you get to:

  • Prevent unauthorized actions 
  • Limit potential damage from compromised credentials
  • Help adhere to the principle of least privilege

Here’s my comparison of how each provider handles access and user controls:

| | Mailtrap | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| Role-Based Access Control (RBAC) | Yes, granular | Yes, custom roles | Yes, granular | Highly extensive via AWS IAM | Yes, standard roles |
| Multi-Factor Authentication (MFA) | Yes (TOTP) | Yes (TOTP) | Yes (TOTP, security key) | Yes (multiple options via AWS IAM) | Yes (TOTP) |
| Single Sign-On (SSO) | SAML SSO available | SAML SSO available | SAML SSO available | Extensive via AWS IAM and other IdPs | SAML SSO available |
| API Key Management | Granular | Granular | Granular | Granular | Granular |
| Password Policies | Strong defaults | Strong defaults | Strong defaults | Highly configurable via AWS IAM | Strong defaults |

Interpretation

Here are the more granular comparisons, by security subcategory. 

  • Role-Based Access Control (RBAC): It allows you to define specific roles with tailored permissions, ensuring that, for example, a developer can access sending logs but not delete an entire domain, or a marketing user can view campaign metrics but not modify critical API settings.
    • Amazon SES, through AWS IAM (Identity and Access Management), offers arguably the most extensive and granular RBAC system. You can define highly specific policies that control virtually every action within SES.
    • Mailtrap, Mailgun, SendGrid, and Postmark all provide robust RBAC capabilities, allowing for custom roles or the use of predefined ones. This is crucial for SMEs and larger teams to enforce the principle of least privilege, minimizing the attack surface. Mailtrap, for instance, offers clear roles like Owner, Admin, and Viewer, which map well to typical team structures.
  • Multi-Factor Authentication (MFA): A non-negotiable security layer. MFA significantly reduces the risk of unauthorized access even if a password is compromised.
    • All five providers support MFA, typically via time-based one-time passwords (TOTP) or security keys. I strongly advise enabling MFA for every user account to enhance security posture.
  • Single Sign-On (SSO): SSO integration is a huge efficiency and security booster, since it streamlines user management and enforces corporate identity policies. This goes double for organizations that already use Okta, Azure AD, or Google Workspace. 
    • All listed providers offer SAML-based SSO, enabling seamless integration with enterprise identity management systems. 
  • API key management: You want the ability to create separate keys for different applications or services, assign specific permissions to each key (e.g., send-only, analytics-only), and restrict them by IP address.
    • All providers offer robust API key management. Amazon SES (via AWS IAM) again provides the most sophisticated control, allowing you to attach incredibly detailed policies to individual API keys.
    • Mailtrap, Mailgun, SendGrid, and Postmark offer excellent features like IP whitelisting for API keys and the ability to define granular permissions, ensuring that if an API key is compromised, the blast radius is minimized. 
  • Password policies: Even though these are basic, it’s truly helpful to choose a provider with strong default password policies. 
    • All providers enforce strong password policies. For organizations with specific internal security mandates, the ability to customize these policies (e.g., minimum length, character types, rotation frequency) is a plus, which most provide.
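
Whichever provider you pick, least privilege ends up being enforced by two mechanisms: roles for people and scoped keys for services. The following is an added example, not code from this post or from any provider’s platform: it models roles named after the ones the post mentions for Mailtrap (Owner, Admin, Viewer) and API keys with permission scopes and an IP allowlist, then checks requests against them and lists keys whose blast radius is larger than it needs to be. The permission names, scopes and addresses are constructed for illustration.

```python
"""Least-privilege checks for an email platform account: role-based permissions
for people and scoped, IP-restricted API keys for services.

Added example. The role names Owner/Admin/Viewer follow the post; the
permission names, key scopes and addresses are constructed, not any
provider's actual model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical permission sets: a Viewer can read logs but cannot delete a domain.
ROLE_PERMISSIONS = {
    "viewer": {"logs.read", "metrics.read"},
    "admin": {"logs.read", "metrics.read", "messages.send",
              "api_keys.manage", "domains.manage"},
    "owner": {"logs.read", "metrics.read", "messages.send",
              "api_keys.manage", "domains.manage", "domains.delete", "billing.manage"},
}

ADMIN_SCOPES = {"api_keys.manage", "domains.manage", "domains.delete", "billing.manage"}


@dataclass
class User:
    email: str
    role: str


@dataclass
class ApiKey:
    key_id: str
    scopes: set
    allowed_networks: list = field(default_factory=list)  # CIDRs; empty means any source
    revoked: bool = False


def user_allowed(user: User, permission: str) -> bool:
    """A person may act only if their role carries the permission."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def api_key_allowed(key: ApiKey, permission: str, source_ip: str) -> bool:
    """A service key must be live, carry the scope, and come from an allowed network."""
    if key.revoked or permission not in key.scopes:
        return False
    if key.allowed_networks:
        addr = ip_address(source_ip)
        return any(addr in ip_network(cidr) for cidr in key.allowed_networks)
    return True


def least_privilege_findings(keys: list) -> list:
    """List keys that are broader than a service integration needs."""
    findings = []
    for k in keys:
        if k.revoked:
            continue
        if not k.allowed_networks:
            findings.append(f"{k.key_id}: no IP restriction; usable from anywhere if leaked")
        if k.scopes & ADMIN_SCOPES:
            findings.append(f"{k.key_id}: administrative scope on a service key")
    return findings


if __name__ == "__main__":
    dev = User("dev@example.com", "viewer")
    send_key = ApiKey("key_send", {"messages.send"}, ["203.0.113.0/24"])
    print("viewer reads logs:", user_allowed(dev, "logs.read"))
    print("viewer deletes domain:", user_allowed(dev, "domains.delete"))
    print("send key from allowed net:", api_key_allowed(send_key, "messages.send", "203.0.113.10"))
    print("send key from elsewhere:", api_key_allowed(send_key, "messages.send", "198.51.100.10"))
    for finding in least_privilege_findings([send_key, ApiKey("key_all", {"messages.send", "api_keys.manage"})]):
        print("finding:", finding)
```

The `least_privilege_findings` pass is the kind of check worth running on a periodic export of your keys from whichever provider you use: a key that can only send, and only from your application’s egress range, limits what a leaked credential can do; a key with management scopes and no network restriction does not.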

In essence, the sophistication of access and user controls directly impacts your ability to secure your email infrastructure and comply with internal and external security mandates. For teams of any size, these controls are fundamental to preventing unauthorized access and ensuring accountability.

Data control and retention

Data control and retention refers to the features an SMTP provider offers that allow you, the customer, to manage the lifecycle of your email data (message content, metadata, logs, recipient lists). This includes setting retention periods, exercising the right to be forgotten, and ensuring data is deleted securely and permanently. 

Also, these capabilities are vital for adhering to privacy regulations like GDPR’s “right to erasure.” And these features also help manage internal data governance policies effectively.

Here’s my comparison of how each provider facilitates data control and retention:

| | Mailtrap | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| Email Log Retention | Configurable | Configurable | Configurable | Highly configurable | Configurable |
| Content Logging Control | Yes | Yes | Yes | User configurable (CloudWatch, S3) | Yes |
| Recipient List Management | Yes | Yes | Yes | User manages lists external to SES | Yes |
| Data Deletion Capabilities | Manual and automated | Deletion tools for logs and data | Deletion tools for logs, lists, and events | User-managed deletion via AWS services | Deletion tools for messages and suppression lists |
| DPA/Terms on Data Ownership | Explicitly states customer owns data | Explicitly states customer owns data | Explicitly states customer owns data | Explicitly states customer owns data | Explicitly states customer owns data |

Interpretation

The ability to control your email data’s lifecycle is a cornerstone of modern data privacy and security. Neglecting this can lead to compliance violations and expose sensitive information. So, check the comparison in greater detail. 

  • Email log retention: How long are your email logs (metadata, message IDs, status) kept by the provider? This is a key question for compliance. Many regulations require data to be retained only for as long as necessary.
    • All providers offer configurable log retention, but the default periods and maximum extensions vary. Amazon SES, through its integration with AWS CloudWatch Logs and S3, gives you virtually infinite control and retention options, allowing you to tailor retention precisely to your legal and operational needs. 
    • Mailtrap, Mailgun, SendGrid, and Postmark offer flexible, user-configurable retention periods, which is crucial. I find that the ability to set and enforce these periods directly within the platform simplifies compliance with policies like GDPR’s storage limitation principle.
  • Content logging control: For sensitive transactional emails, you might not want the full message body or specific attachments stored on the provider’s servers after delivery.
    • It’s reassuring to see that Mailtrap, Mailgun, SendGrid, and Postmark all provide options to disable or limit the logging of email content. This is a vital feature for protecting privacy and minimizing the amount of sensitive data at rest with a third party. Amazon SES also gives you granular control over what data is logged to CloudWatch or S3. This feature helps significantly in reducing your data footprint and compliance risk.
  • Recipient list management: In general, most email sending is API-driven and lists are managed on your side, but providers often store suppression lists (bounces, unsubscribes, complaints).
    • All providers offer robust tools for managing these (stored) suppression lists. 
    • For broader recipient list management, Mailtrap, Mailgun, and SendGrid offer more comprehensive features if you choose to upload and manage lists directly on their platforms, giving you control over importing, exporting, and segmenting. 
    • Amazon SES and Postmark typically expect you to manage your primary lists externally, using their platforms for sending to those lists.
  • Data deletion capabilities: As indicated, the “right to be forgotten” is a fundamental privacy right. Therefore, my main guiding question was whether you can easily and permanently delete data from your provider’s systems.
    • All five providers offer clear mechanisms for deleting email logs, suppression lists, and other associated data. 
    • I’ve found that providers like Mailtrap and SendGrid make it straightforward to initiate these deletions, either manually or through API calls, ensuring you can comply with data subject requests quickly. 
    • For Amazon SES, data deletion is handled through standard AWS service deletion policies (e.g., deleting S3 buckets for logs), which requires familiarity with the AWS ecosystem.
  • DPA/Terms on data ownership: Crucially, all these providers explicitly state in their Data Processing Agreements or Terms of Service that you, the customer, retain ownership of your data. This is a non-negotiable point for maintaining control over your intellectual property and user data.
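
The provider’s retention and deletion controls cover its copy of the data; the copy your own application keeps (delivery logs, message bodies, suppression entries) needs the same discipline. As an added example (not code from this post or from any provider), here is a small retention and erasure routine over a constructed activity log: content is dropped at write time unless explicitly wanted, metadata outlives content under a two-tier policy, and a data-subject erasure request pseudonymizes the recipient while keeping the bare delivery record. The day counts are illustrative; GDPR’s storage-limitation principle sets no fixed number.

```python
"""Apply a retention policy and a data-subject erasure request to the email
activity log an application keeps on its own side.

Added example. Records are constructed and the policy values are illustrative
(GDPR's storage-limitation principle fixes no number of days).
"""
import hashlib
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 7, 25, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample messages as the sending application sees them.
MESSAGES = [
    {"id": "m1", "to": "alice@example.com", "subject": "Your receipt", "body": "Order 42 ...",
     "status": "delivered", "sent_at": NOW - timedelta(days=2)},
    {"id": "m2", "to": "bob@example.com", "subject": "Reset your password", "body": "Token ...",
     "status": "delivered", "sent_at": NOW - timedelta(days=20)},
    {"id": "m3", "to": "alice@example.com", "subject": "Welcome", "body": "Hi Alice",
     "status": "bounced", "sent_at": NOW - timedelta(days=120)},
]

# Two-tier policy: bodies are kept briefly for support, metadata longer for audit.
POLICY = {"content_days": 7, "metadata_days": 90}


def build_log_record(message: dict, store_content: bool = False) -> dict:
    """Content logging control at the source: store the body only when asked to."""
    rec = {k: message[k] for k in ("id", "to", "subject", "status", "sent_at")}
    if store_content:
        rec["body"] = message["body"]
    return rec


def apply_retention(records: list, policy: dict, now: datetime = NOW) -> list:
    """Purge records past the metadata limit; strip content past the content limit."""
    kept = []
    for r in records:
        age = now - r["sent_at"]
        if age > timedelta(days=policy["metadata_days"]):
            continue                        # purged entirely
        r = dict(r)
        if age > timedelta(days=policy["content_days"]):
            r.pop("body", None)             # keep only metadata
            r["subject"] = None
        kept.append(r)
    return kept


def pseudonymize(address: str) -> str:
    """Replace an address with a stable, non-reversible token so counts still add up."""
    digest = hashlib.sha256(address.strip().lower().encode()).hexdigest()
    return "erased:" + digest[:16]


def erase_subject(records: list, address: str) -> list:
    """Honour a right-to-erasure request: remove everything personal about `address`."""
    out = []
    for r in records:
        if r["to"].strip().lower() == address.strip().lower():
            r = dict(r)
            r["to"] = pseudonymize(address)
            r.pop("body", None)
            r["subject"] = None
        out.append(r)
    return out


if __name__ == "__main__":
    log = [build_log_record(m, store_content=True) for m in MESSAGES]
    log = apply_retention(log, POLICY)
    log = erase_subject(log, "alice@example.com")
    for r in log:
        print(r["id"], r["to"], r["status"], "body" in r)
```

Keeping a pseudonymized delivery record after erasure is a design choice, not a requirement; if your policy calls for full deletion, drop the record in `erase_subject` instead of rewriting it. Either way, the same request must also be forwarded to the provider through its deletion tools or API, since its logs and suppression lists hold a second copy.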

In summary, granular control over email data retention and robust deletion capabilities is no longer optional. It’s a fundamental requirement for meeting global privacy regulations and ensuring responsible data governance for any high-volume email sender.

Legal compliance

Beyond specific data privacy regulations, “legal compliance” for an SMTP provider encompasses their general adherence to commercial laws, the terms of service, acceptable use policies, etc. 

More importantly, in my view, legal compliance dictates the reliability of the service, the protection of intellectual property, and how potential disputes or legal requests (like subpoenas) are managed. 

A provider’s robust legal framework offers peace of mind and reduces the risk of operational disruptions due to unforeseen legal entanglements.

Here’s my comparison of each provider’s stance on broader legal compliance:

| | Mailtrap | Mailgun | SendGrid | Amazon SES | Postmark |
|---|---|---|---|---|---|
| Terms of Service (ToS) | Clear, regularly updated | Clear, regularly updated | Clear, regularly updated | AWS Service Terms | Clear, regularly updated |
| Acceptable Use Policy (AUP) | Strict anti-spam/abuse, clear guidelines | Strict anti-spam/abuse, clear guidelines | Strict anti-spam/abuse, clear guidelines | Strict anti-spam/abuse, detailed guidelines | Strict anti-spam/abuse |
| Handling of Legal Requests | Transparent | Transparent | Transparent | Transparent | Transparent |
| Intellectual Property | Explicitly states customer owns their data | Explicitly states customer owns their data | Explicitly states customer owns their data | Explicitly states customer owns their data | Explicitly states customer owns their data |
| Service Level Agreements (SLA) | Yes | Yes | Yes | Yes | Yes |

Interpretation

Beyond technical features, the legal backbone of your SMTP provider significantly impacts your operational stability and risk management. Check the details below. 

  • Terms of Service (ToS) & Acceptable Use Policy (AUP): These are the foundational contracts governing your relationship with the provider. I thoroughly review these to understand my rights, their responsibilities, and, critically, what constitutes acceptable email sending behavior. A clear and strict AUP is a good sign, as it indicates the provider is actively working to maintain a clean sending reputation, which directly benefits my deliverability.
    • All five providers maintain comprehensive and regularly updated ToS and AUP documents. This transparency is crucial. Mailtrap, like the others, has a very clear anti-spam and abuse policy, which is essential for ensuring a healthy sending environment for all users.
  • Handling of legal requests (e.g., subpoenas): This is a sensitive area. Should a government agency or legal entity request access to your data held by the provider, their process for handling such requests is vital. I look for providers that commit to notifying customers about such requests unless legally prohibited.
    • All providers have documented processes for handling legal demands, aligning with legal requirements. SendGrid and Amazon SES (through AWS) are notable for often publishing transparency reports, detailing the number and types of legal requests they receive, which offers an additional layer of accountability for large enterprises.
  • Intellectual Property (IP): It’s a fundamental principle, but one worth confirming: your data needs to remain your data. This is typically addressed in their Terms of Service and/or Data Processing Agreements.
    • My review confirmed that all five providers explicitly state that the customer retains ownership of their intellectual property and data uploaded or sent through their services. This is a baseline requirement for any reputable service provider.
  • Service Level Agreements (SLA): For high-volume transactional emails, uptime and performance are paramount. An SLA legally binds the provider to certain performance metrics and outlines recourse if those aren’t met.
    • All providers offer clear SLAs, guaranteeing specific uptime percentages and often detailing response times for support. For mission-critical email operations, a strong SLA provides a vital layer of assurance and financial protection against downtime.

In essence, a provider’s strong legal compliance framework, transparent policies, and robust handling of legal matters are as important as their technical capabilities. 

Certification compliance

Beyond their internal policies and stated commitments, an SMTP provider’s certification compliance provides independent, third-party validation of their security posture and adherence to industry best practices. 

To stress, these certifications (like SOC 2, ISO 27001, PCI DSS, etc.) aren’t just badges. They take a lot of work to obtain, making them critical indicators that the provider has undergone rigorous audits and maintains robust controls over their systems and processes. 

The certifications are an external, objective assurance that the provider meets stringent security, availability, confidentiality, and privacy standards. Here’s a look at the key certifications held by each provider:

Certification     | Mailtrap                                   | Mailgun                  | SendGrid                             | Amazon SES               | Postmark
------------------+--------------------------------------------+--------------------------+--------------------------------------+--------------------------+-------------------------
SOC 2 Type 2      | In progress                                | Yes                      | Yes                                  | Yes (via AWS)            | Yes
ISO 27001         | Yes                                        | Yes                      | Yes                                  | Yes (via AWS)            | No
PCI DSS Level 1   | No (customer responsibility for card data) | No                       | Yes (for billing, not email content) | Yes (via AWS)            | No
HIPAA Compliance  | No                                         | BAA available            | BAA available                        | BAA available (via AWS)  | No
CSA STAR          | No                                         | Yes                      | Yes                                  | Yes (via AWS)            | No
GDPR Certified    | Adherent / DPA available                   | Adherent / DPA available | Adherent / DPA available             | Adherent / DPA available | Adherent / DPA available

Interpretation

When a provider holds a relevant certification, it means an independent auditor has verified their controls, saving you significant time and resources in your own compliance efforts.

  • SOC 2 Type 2: It assesses controls related to security, availability, processing integrity, confidentiality, and privacy. For me, a SOC 2 Type 2 report indicates that the provider has mature internal controls and processes to protect customer data.
    • Mailgun, SendGrid, Postmark, and Amazon SES all hold SOC 2 Type 2, providing strong assurance of their operational security. 
    • Mailtrap is actively investing in obtaining this, which is a critical step for a growing platform targeting high-volume senders.
  • ISO 27001: This is an international standard for information security management systems (ISMS). It’s a comprehensive framework for managing information security risks.
    • Mailtrap, SendGrid, Amazon SES (via AWS), and Mailgun hold ISO 27001. This signals a structured and systematic approach to managing sensitive information. 
  • PCI DSS Level 1: This applies to organizations that store, process, or transmit credit card data. While SMTP providers generally don’t handle credit card numbers within email content (that’s your responsibility), some may process payment details for their own services.
    • SendGrid states PCI DSS compliance, primarily for handling their own billing. 
    • Amazon SES (via AWS) provides an environment that can be configured for PCI DSS compliance, but responsibility ultimately lies with the customer’s implementation. For most email sending, this certification is more relevant to your own application’s handling of payment data rather than the email provider’s core service.
  • HIPAA Compliance: As discussed, this is crucial for PHI. The ability to sign a Business Associate Agreement (BAA) is the key indicator.
    • Mailgun, SendGrid, and Amazon SES are willing to sign BAAs, enabling their use for HIPAA-compliant workflows. 
  • CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk): This program provides a framework for assessing the security posture of cloud services. Levels range from self-assessment to rigorous third-party auditing.
    • Mailgun, SendGrid, and Amazon SES (via AWS) participate in CSA STAR, demonstrating their commitment to cloud security transparency. 
  • GDPR Certified: While there isn’t a single official “GDPR certification” scheme universally adopted, adherence is demonstrated through robust DPAs, policies, and features that enable compliance.
    • All listed providers explicitly state their GDPR adherence and offer DPAs, which serve as their contractual commitment to processing data in a GDPR-compliant manner. 

In conclusion, a provider’s suite of certifications acts as a powerful trust signal. For large-scale senders, these attestations significantly reduce your own compliance burden and provide an external validation that your chosen email partner operates at the highest standards of security and reliability.

Wrapping up

Ultimately, the best SMTP provider for you will be the one whose compliance posture aligns seamlessly with your organization’s specific legal requirements, risk tolerance, and operational needs. 

I urge you to use this smtp providers compliance comparison as a starting point, conduct your own thorough due diligence, and confidently choose the partner that helps you send emails not just effectively, but also compliantly.

Outlook’s New High-Volume Sender Requirements Update: What’s Changed?
https://mailtrap.io/blog/outlook-new-email-sender-requirements/ (https://mailtrap.io/?p=44046), Thu, 24 Apr 2025 19:34:08 +0000

Effective May 5, 2025, Outlook’s new requirements update impacts high-volume senders, or those who send more than 5,000 emails per day.

In this article, I’ll tell you why Outlook is implementing the new requirements and then break them down one by one, explaining how to comply with each.

To jump ahead to the detailed overview of the update, click here.

Why is Outlook implementing new email-sending requirements? 

To quote Microsoft, the new email-sending requirements are there to “significantly reduce the likelihood of spam and spoofing campaigns reaching their user base.”

It’s also worth mentioning that these practices are far from new since they’ve existed for quite a while now. Other email giants like Gmail and Yahoo also implemented their own email-sending rules last year. 

Moreover, many high-volume, or bulk, senders are already following them, with the biggest difference being that they’ll be required from now on.

Source: Reddit

It’s also worth mentioning that currently, the update only concerns consumer mailboxes (e.g., outlook.com, live.com, hotmail.com). However, in the future, it will probably be expanded to corporate mailboxes (e.g., 365.com) as well as senders with a volume of less than 5,000 emails/day.

So, if you plan on sending emails with Outlook and don’t want them to be rerouted to Junk folders, it’s recommended you adhere to these practices.

Also, the cost of undelivered emails is not negligible, since you lose $0.11 for every email that doesn’t reach the main inbox.

Detailed overview of the Microsoft sender updates

Outlook’s new update can be divided into email authentication requirements and deliverability recommendations.

Email authentication requirements

The email authentication requirements introduced are primarily concerned with the authentication protocols for address authorization, message authenticity verification, and additional layers of security.

If you don’t meet these requirements after May 5, 2025, Outlook will route your messages to Junk. 

SPF (Sender Policy Framework)

SPF is a protocol dedicated to IP address authorization checks. It validates emails by verifying they are sent from authorized domains/IPs and helps protect against spoofing.

Outlook requires that:

  • Your domain’s SPF must pass for the sending domain.
  • The IP address or service you use to send emails must be listed in your domain’s SPF DNS record. 

DKIM (DomainKeys Identified Mail) 

DKIM is a protocol for message authenticity verification. It adds a digital signature to each email, which is one of the most common methods of authenticating yourself as the sender.

Outlook requires that emails you send must have a valid digital signature that matches your domain. Basically, your signing domain should match or align with your From domain.

For example: 

DMARC (Domain-based Message Authentication, Reporting & Conformance) 

DMARC is a policy-based email security protocol that utilizes both SPF and DKIM to validate each received message even further. What’s more, it was designed back in 2012 by engineers from leading email organizations (e.g., Microsoft, Google, Yahoo, etc.).

Outlook requires that the emails you send must pass either SPF, DKIM, or both and be aligned with your domain. 

  • Additionally, you also need a DMARC policy (at least p=none) published in your DNS.

Your From: header domain should match the domain authenticated by SPF or DKIM. 

This means that your Return-Path, From, and DKIM domain (d=) must all match the SPF/DKIM authenticated domain.

So, for example, if your authenticated domain is @example.com, then:

  • Return-Path: john.doe@example.com → SPF domain = example.com
  • From: john.doe@example.com → visible sender = example.com
  • Hidden header, DKIM-Signature: d=example.com → DKIM domain = example.com

Email deliverability recommendations 

To ensure your email deliverability is high, that is, that your emails land in recipients’ main inboxes, Outlook included some best practices in the update as well.

Although you won’t get routed to Junk if you don’t adhere to them, your email deliverability might suffer if you don’t, meaning your emails might get blocked or filtered.

Compliant P2 (Primary) Sender Addresses

Simply put, your recipients need to be able to reply to the emails you send them from your “From” and “Reply-To” addresses.

This means that addresses like “no-reply@example.com” are not allowed anymore.

Visible and functional unsubscribe links 

Although there is no need for RFC 8085 or a one-click unsubscribe button, as with Gmail and Yahoo, Outlook does require your unsubscribe link to be visible. It must not be hidden or tucked away at the bottom of your emails in super small font.

List hygiene and bounce management 

Outlook recommends cleaning your list and validating your email addresses regularly; if not continuously, then at least monthly or quarterly, which aligns with industry best practices.

This includes removing faulty and inactive addresses to reduce spam complaints, bounces, and wasted emails.

Some of the tools I recommend (and personally use) for this are:

For a detailed guide on email list hygiene, feel free to check out our dedicated article. ⬅️

Transparent email-sending practices

Your recipients need to have consented to receive your messages, which also need to include honest subject lines, headers, and valuable content.

We also have a fresh guide on subject lines, so be sure to give it a read.

Mailtrap to the rescue!

Mailtrap is an Email Delivery Platform designed for product companies with high sending volumes.

When it comes to the new Outlook update, we can help you in the following ways:

  • Email authentication – We require each sender to have proper authentication (SPF, DKIM, DMARC) before they start to send so each domain is properly checked and prepared.
  • Spam complaints – Our Deliverability Team systematically monitors the number of spam complaints and proactively assists customers with their issues to ensure compliance.
  • Detailed Outlook stats – We provide you with performance breakdowns for each provider, including Outlook. These are open rates, spam rates, bounces, and more.
  • Dedicated Bulk Stream – Our Bulk Email Service is designed for high-volume senders and can handle large amounts of emails without a stutter, all the while keeping your deliverability high.
    • To each email you send through the Bulk stream, we automatically add a one-click unsubscribe button.

And if you’re interested in reading more about Outlook, we have a plethora of related articles on our blog, some of which include:

Check 11 Tips on How to Spot Phishing from a Cybersecurity Pro
https://mailtrap.io/blog/how-to-spot-phishing/ (https://mailtrap.io/?p=36668), Thu, 24 Oct 2024 13:44:58 +0000

Picture this – you get an email from a colleague with a link to an important document. You click the link and log in. A normal working situation, right? Except that the email was meticulously designed to trick you and steal your credentials.

The worst part? You are completely unaware of this until unauthorized transactions start appearing on your account, or you receive alerts about unusual activity.

But it doesn’t stop there. Soon, you notice your social media accounts have been hijacked, and your employer informs you that sensitive company data has been accessed from your account, jeopardizing your job and the entire organization’s security.

This chain of events can turn your entire life upside down, and the culprit? A seemingly innocent (phishing) email.

In this article, I’ll tell you how to spot phishing and talk about:

  • What phishing is
  • The most common methods of phishing
  • 11 telltale signs of phishing
  • What to do if you suspect a phishing attempt

Let’s dive right in.


What is phishing?

Phishing is a deceptive technique used to steal sensitive information like credit card data, usernames, and passwords. Attackers pretend to be trustworthy entities, often mimicking big brands, to trick victims into revealing their confidential data.

But phishing isn’t new; it has been around since the early days of the Internet. At first, it involved simple email scams in which attackers would send fake messages pretending to be from reputable organizations.

Over time, phishing tactics have become more advanced, targeting a wider range of platforms, including social media, messaging apps, and phone calls. Today, phishing attacks are highly personalized and often use social engineering techniques to be more effective.

What phishing methods are most common?

  1. Email Phishing – Attackers send fake emails that appear to be from legitimate sources. These emails often have links to fake websites designed to steal login credentials or other sensitive information. They’re usually sent in bulk.
  2. Spear Phishing – This is the scenario I covered in the intro. Attackers usually target specific individuals or organizations. They research their victims to create more convincing and personalized messages, increasing their chances of success.
  3. Whaling – Targets high-profile individuals within an organization, like executives or senior officials. These attacks involve significant research and aim to exploit the targets’ influence and access. So, if you’re a CEO, you’d better pay close attention to your emails, especially the ones from finance.
  4. Smishing – Involves sending fraudulent text messages to trick recipients into revealing personal information or clicking on malicious links. Here’s an example of a smishing campaign targeting Booking.com’s clients.
  5. Vishing – Involves phone calls from attackers pretending to be from legitimate institutions, like banks or government agencies, to extract sensitive information from the victims. So next time a ‘bank agent’ calls, listen carefully and try not to give any personal information.

11 Telltale signs of phishing

Despite the constant threat of phishing attacks, there are telltale signs that help identify cybercriminal activities. Here are some of them.

1. Email spoofing awareness

Email spoofing allows cybercriminals to manipulate sender information, making an email seem like it’s from someone you know. Scammers can mimic the sender’s name, change the email address, or alter the domain name after the “@” symbol. Even if the sender looks familiar, don’t assume the email is legitimate.

To detect spoofed emails, look beyond the sender’s name. Cybercriminals often create a sense of urgency to pressure you into responding quickly. Always ask yourself:

  • Were you expecting this message?
  • Does the email’s content match your usual interactions with the sender?
  • Are you being pushed to act immediately?

By asking these questions, you can better identify and stop phishing attempts, protecting your personal and professional information.

2. Caution with attachments

So, an email arrives in your inbox with an attachment that has an unfamiliar extension—maybe a “.exe” or “.js” file. While these extensions might not immediately raise red flags, they are often wolves in sheep’s clothing.

Executable files (.exe) and JavaScript files (.js) can hide malicious intent, paving the way for malware or sneaky script execution when opened. Similarly, Microsoft Office macros (.docm, .xlsm, .pptm) may seem harmless but can contain harmful macros designed to damage your system’s security.

The risk doesn’t stop there. Cybercriminals also use zip or archive files (.zip, .rar) to hide their malicious payloads. These files act as Trojan horses, sneaking malware past email security filters because they are often password-protected, with the password included in the email body. While you know the password, antivirus software doesn’t.

Shortcut files (.lnk), usually innocent, can be repurposed to hide malicious executables or redirect users to dangerous websites. Scratchpad files (.scr) and batch files (.bat) are also often exploited to execute harmful scripts or automate malicious actions, leading to severe consequences.

3. Beware of man-in-the-middle

Let’s have an imaginary John, an account manager in the finance department, who gets caught in a major cyber scam.

It starts with a series of emails about an invoice payment. A malicious actor has infiltrated the email exchange and intercepted the communication with the client (man-in-the-middle).

As the payment deadline nears, John receives what seems like the final email from the trusted source, but the attacker has substituted their bank account details for the legitimate recipient’s.

Because it seemed urgent, John unknowingly transferred the funds to the attacker. He later realizes he’s been victimized by a man-in-the-middle attack. The attacker disappears, leaving John with financial loss and broken trust.

Moral of the story? Always double-check payment details, especially via email. Verify the recipient’s account through secure channels, like phone calls or in-person confirmation. This extra step can safeguard your money from fraudulent schemes.

4. Impersonation of big corporations

Phishing attackers often impersonate large corporations or well-known brands to make their scams seem credible. They use official logos, email templates, and branding to create convincing facades. This perceived authority can lower your guard, making you more susceptible to phishing.

Imagine receiving an email from your bank about a security update. The email urges you to click a link to verify your account details, and you trust the sender.

Source: Wikipedia

To protect yourself, always verify such communications by contacting the company directly through official channels to confirm the legitimacy of the request.

5. Fake URLs

You just received an email from your favorite online shopping platform offering a tempting discount. The email contains a link to “Claim Your Discount Now,” which displays a familiar web address.

However, when you click the link, you’re redirected to a convincing replica of the site. The URL has been forged to trick you into thinking it’s the real website. When dealing with potentially fake URLs, using a comprehensive link checker can help determine the safety of a website before you click. These tools assess whether links redirect users to harmful sites aimed at stealing sensitive information.

This tactic is common in phishing attacks, where cybercriminals manipulate URLs to divert users to malicious sites designed to steal personal information or install malware.

To protect yourself, always be cautious when clicking email links, especially from unknown or unexpected senders. Hover over links to preview the URL and ensure they are legitimate. Alternatively, type web addresses directly into your browser or use bookmarks for trusted sites. To further strengthen protection against these threats, web filtering software can automatically block access to known malicious sites and prevent users from clicking on unsafe links.

6. Phishing trends

Phishing trends are specific patterns or methods used by cybercriminals. These evolve with changes in technology and current events, ranging from new impersonation tactics to exploiting emerging tech vulnerabilities.

You can stay updated on new phishing methods by regularly checking news and security reports. For instance, last year, there was a spike in emails about missed shipments or credits to claim.

7. Common filesharing URLs

Attackers sometimes misuse trusted file-sharing platforms (e.g. Google Drive) for phishing scams. How does this happen?

Via a fake sharing link

You receive an email that seems to be from someone you know, sharing a Google Drive document. When you click the link, it takes you to a website that looks like Google Drive but actually isn’t.

The fake site then asks you to log in, and if you enter your credentials, the attackers steal your login details.

Real document with malicious links inside

The shared document is real and hosted on Google Drive, but it contains a link to a harmful website.

While file-sharing websites have built-in security, if a website considered legitimate is compromised or starts hosting malicious links, it might take a while before security systems flag it.

Clicking on these links could infect your device or steal your information.

To protect yourself, always verify unexpected shared documents (double check if the file was uploaded by someone you trust), check web addresses carefully, and be cautious with links inside documents.

8. Emails sent by people in non-business hours

Be cautious of emails sent outside typical business hours. Attackers can operate from any time zone, so emails received at unusual times may indicate phishing.

If you get emails outside the usual schedule, especially with urgent requests, scrutinize them carefully before acting.

9. Unsolicited investment opportunities

Be cautious of emails promoting investment opportunities or financial schemes that promise high returns with minimal risk. These could be phishing attempts to steal your money or personal information.

10. Tax season caution

During tax season, there’s a surge in phishing scams by impostors posing as “tax authorities.” These scammers request financial information or distribute fraudulent tax “receipts” that are actually malware. To understand common red flags businesses face, this practical guidance on business fraud risks outlines steps for prevention and response. In 2022, the IRS identified $5.7 billion in tax fraud schemes.

Also, phishers often trick employees into revealing sensitive information, like W-2 forms, by sending emails that appear to come from the company’s HR department. If you fall victim, attackers may file tax returns in your name, stealing your refunds.

11. Generic greetings or salutations

Phishing emails often use generic greetings or omit personal salutations entirely. Common phrases include “dear customer,” “dear account holder,” “dear user,” “dear sir/madam,” or “dear valued member.”

If an email from a reputable source doesn’t address you by name, consider it a red flag.

By looking out for the signs above, you can significantly reduce your risk of falling victim to phishing attacks. The basic principle is – ‘always verify before you trust’.

What to do if you suspect a phishing attempt?

If you suspect an email is phishing, do or don’t do 😀 the following:

  1. Do not click: Avoid clicking on any links or downloading attachments in the suspicious email. These could lead to malicious websites or install malware on your device. 
  2. Verify sender: Check the sender’s email address carefully for any discrepancies or signs of impersonation. Look for misspellings or unfamiliar domains that may indicate a phishing attempt.
  3. Scrutinize content: Examine the content of the email for red flags such as urgent requests for personal information, grammatical errors, or suspicious attachments.
  4. Contact the sender directly: If the email appears to be from a legitimate organization, verify the request by contacting the sender directly through official channels, such as their website or customer service hotline.
  5. Report to IT: Report the suspicious email to your organization’s IT department or security team for further investigation and guidance.

How to report phishing attempts?

You can either report internally (for business accounts) or externally (for personal accounts):

Internal reporting – If you receive a phishing email at work, report it to your organization’s IT department or designated security contact immediately. They can take appropriate action to mitigate the threat and prevent further attacks.

External reporting – For personal email accounts, report phishing attempts to the appropriate authorities or organizations. Most email providers have mechanisms for reporting phishing emails, such as a “Report Phishing” button or email address.

How to prevent Phishing?

Apart from looking out for the signs above, you should also take some other proactive steps to protect yourself from phishing attacks:

  • Educate yourself and your colleagues on MS cybersecurity online programs, which teach about the dangers of phishing and how to recognize and avoid suspicious emails. 
  • Enable email filters and spam detection tools to automatically identify and quarantine suspicious emails before they reach your inbox. 
  • Enable MFA for your email and other accounts to add an extra layer of security against unauthorized access.
  • Keep software updated with the latest security patches to protect against known vulnerabilities and use vulnerability scanners to help identify hidden security gaps in your software, networks, and cloud environments before they become exploit points.
  • Create strong, unique passwords for your accounts – and avoid using the same password across multiple platforms to minimize the risk of credential theft.
  • Boost your security with a next-gen email security solution that can detect and remove malicious attachments, filter through compromised IP addresses and domains, and identify suspicious links.

Final thoughts

Thank you for getting this far, and I hope you learned a thing or two about phishing, how to spot it, report it, and prevent it from ever becoming a life upside-down kind of nightmare.

If you found this guide helpful, make sure you add it to your favorites so you can revisit it whenever you need a refresher.

Email Obfuscation
https://mailtrap.io/blog/email-obfuscation/ (https://blog.mailtrap.io/?p=999), Fri, 16 Aug 2024 12:50:00 +0000

Getting useless emails might be close to the top of everyone’s list of the most hated things on the internet (tied with Facebook game requests, probably). No one likes getting spammed, yet there are tons of tiny little creatures known as spambots that live to do exactly that. To avoid unwanted messages, lots of people use various email obfuscators with varying levels of success. But does this approach actually work?


What is email obfuscation about?

The idea behind email obfuscation is simple. You want to make it as hard as possible for website crawlers to capture your email address and use it later on. If you don’t, your inbox is likely to get flooded with ever-so-interesting offers of sophisticated therapies and messages from a long-forgotten uncle that left you a small fortune. 

Obfuscated contacts should be hard to traverse for bots but easy to utilize for real users.

There’s also the concept of email masking – altering an email address to protect our privacy online but also to secure the data of users or create data samples for software testing. We cover all these topics in our article on email masking.

Obfuscating Public Emails to Prevent Spam

Now, let’s explore the most common way of obfuscating your emails.

Changing email format

By far, the easiest way to hide your email address from crawlers is by removing or replacing some characters. The most common method is to replace the ‘@’ character with [at]. It’s fairly obvious to just about anyone what the correct address is, and bots looking strictly for email addresses will get confused. It can also be implemented within seconds and without any code.

By default, such an email address is not clickable as adding a mailto redirection underneath would share the actual address. But there’s a way to get around this with a bit of JavaScript. We cover it in more detail below.


Many variations of this approach can be seen around the web. The next step would be to add our address as “support at mailtrap dot io”. Sounds clear? Yes. Will it mislead some bots? Likely. But it’s already forcing users to make some extra effort to contact you.

The same goes for all the “contact me at steve and the rest is my domain address” contact details. They’re very clear but will likely lower conversion.

Another approach that can sometimes be seen on rather simple pages is hiding contact details on an image. So, instead of a footer of your page with the details in it, the webmaster uploads a picture of a footer with an email address.

It’s almost impossible for spam bots to penetrate, but it’s also quite a hassle for users, especially those with a visual impairment. So please don’t take this approach.

Using contact forms

Another common way of hiding emails is by… removing them from a site. Such emails are replaced by contact forms of various shapes and sizes. Forms don’t expose an email address to bots, and they also allow you to gather additional data in an easy-to-process form (as in the example below).

Are they perfect? No. Many users prefer sending emails over filling out forms, especially if they want to email several companies at once (for example, to compare the offers). Businesses tend to add multiple fields to a form, often with good intentions (e.g., when troubleshooting). But the more required fields, the harder it is to fill the form, and the fewer people will contact you. 

What’s even worse, while bots can’t harvest an email from such sites, they can easily complete a form and submit it within milliseconds. To prevent that, many forms come with verification solutions that check if users are legit before a message is sent.

Using Google reCaptcha

A great approach to validating senders is Google reCaptcha. It has come a long way from forcing users to decipher sometimes ridiculously twisted characters to a really user-friendly tool these days. Most importantly, reCaptcha really works and distinguishes bots from humans with very high accuracy. 

You have surely seen reCaptcha v2 a number of times. It’s this bar that pops up usually under the ‘submit’ button and asks you to check a box if you’re not a bot. A quick load and a message is sent.

Later iterations also added the so-called Invisible reCaptcha – a bar stating that a form is “protected by ReCaptcha”. When submitting a form, a user doesn’t need to perform any action as the check happens automatically within milliseconds. Only those with low reCaptcha scores (so likely the bots) will be subject to additional verification before they can proceed.

With the latest iteration, ReCaptcha v3, the entire process happens in the background. Users don’t even know that any check is performed, and yet, nearly all spambots are easily discarded.

V3 also comes with other features that enable you to hide or fake contact details if a low score is recorded. Among other features, displaying only partial contact details and forcing users to click (and get verified) to get more might also be worth your attention.

We can safely recommend reCaptcha as a great way to secure contact forms.

Obfuscating emails with JavaScript

As promised earlier on, we’ll now demonstrate how to obfuscate an email address with JavaScript. We feel it’s the best way to tackle the problem for a few simple reasons:

  • Users can still click/tap on your email and be redirected directly to their inbox -> increased conversion
  • It’s neat, almost doesn’t take up any space, and doesn’t slow down your pages, like contact forms or images of contact details
  • Bots go crazy and look for a better target elsewhere

Obfuscating emails with JavaScript requires adding a simple code to your website. HTML code for adding a clickable email address is as follows:

<a href="mailto:name@domain.com">Your Name</a>

Since the address is exposed, it’s extremely easy for bots to find and save it. But with a bit of JavaScript, you can quite easily hide it.

<script>
  // The address is assembled at runtime from two parts, so the literal
  // "name@domain" never appears in the page source that a crawler reads.
  var user = 'name';
  var site = 'domain';
  document.write('<a href="mailto:' + user + '@' + site + '">');
  document.write(user + '@' + site + '</a>');
</script>

Of course, ‘name’ and ‘domain’ are to be replaced with the components of your email address. In the case of our address (support@mailtrap.io), ‘support’ would be ‘name’ while ‘mailtrap.io’ is a ‘domain’.

Bots are getting smarter, and some can already decipher even code like this. That’s why developers keep looking for new ways to encode addresses without affecting the user experience. Below you can see our email address encoded with one of these approaches:

<a href="mailto:support@mailtrap.io">Mailtrap Support</a>
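One common encoding approach, written here as an added example rather than the post’s own snippet or any obfuscator tool’s output: every character of the mailto value is turned into an HTML numeric character reference (e.g. `a` becomes `&#97;`), which browsers decode transparently in both the `href` attribute and the link text, so the link still works for people while the plain address never appears in the source. The block also shows the DOM-based equivalent of the `document.write` snippet above (`renderMailto`, with a hypothetical container id), and a `decodeCharRefs` helper so you can check what a harvester would see after decoding.

```javascript
// Added example (not from the original post): HTML character-reference
// obfuscation of a mailto link, plus a DOM-based builder.

// Encode every character as a decimal numeric character reference.
// Browsers decode "&#97;" back to "a" when rendering attributes and text.
function toCharRefs(text) {
  return Array.from(text, (ch) => '&#' + ch.codePointAt(0) + ';').join('');
}

// Reverse of toCharRefs. Shows how little effort a decoder needs, which is
// why the post calls this a speed bump rather than real protection.
function fromCharRefs(encoded) {
  return encoded.replace(/&#(\d+);/g, (_, code) => String.fromCodePoint(Number(code)));
}

// Build the obfuscated anchor markup from the separate parts, the same way
// the post's snippet splits user and domain, but with the whole mailto
// value and the visible label encoded.
function buildObfuscatedAnchor(user, site, label) {
  const address = user + '@' + site;
  const href = toCharRefs('mailto:' + address);
  const text = toCharRefs(label || address);
  return '<a href="' + href + '">' + text + '</a>';
}

// Build the same link at runtime with DOM APIs instead of document.write,
// so the address is assembled only in the browser. The container id is a
// hypothetical placeholder; returns null outside a browser.
function renderMailto(containerId, user, site, label) {
  if (typeof document === 'undefined') return null;
  const container = document.getElementById(containerId);
  if (!container) return null;
  const address = user + '@' + site;
  const a = document.createElement('a');
  a.href = 'mailto:' + address;
  a.textContent = label || address;
  container.appendChild(a);
  return a;
}

// Constructed sample: the post's own support address.
const SAMPLE_HTML = buildObfuscatedAnchor('support', 'mailtrap.io', 'Mailtrap Support');
console.log(SAMPLE_HTML);
console.log(fromCharRefs(SAMPLE_HTML));
```

Paste the printed markup into a page in place of the plain `<a href="mailto:...">` tag; `renderMailto('contact-link', 'support', 'mailtrap.io')` does the same job from a script tag without writing the address into the HTML at all.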

It’s really easy to find and use email obfuscators. These often free web tools let you encode your addresses in various ways. Try, for example, email-obfuscator.com or hcidata.info.

There are also various plugins that can automate the process in respective frameworks so that you don’t have to obfuscate each link manually. Here are some examples:

Does email obfuscation work in general?

It kind of does. If you did a simple test on two similar websites and put a plain email address on one and JS-obfuscated address on another, you would likely see the latter one perform better.

It likely wouldn’t be 100% effective, though. As we mentioned earlier, crawlers are getting better and better, as they need to harvest as many addresses as their computing power allows. Many are already coded in such a way that they can decipher all those [at] addresses without any hassle (see how easy it is to decode them here).

So if you’re putting some effort into obfuscation, do it with JavaScript or, even better, add a good-looking reCaptcha to your website. In all honesty, though, we wouldn’t recommend focusing on this for too long.

You might spend days testing different solutions, coding them, and analyzing results. And then, it could take a single person to find your email in some long-forgotten spreadsheet and sell it to a harvester to make all your efforts futile.

The crawlers are improving, but so are spam filters. Gmail or Thunderbird spam filters these days are able to stop almost every useless message sent your way. In 2015, Google claimed that it was able to stop 99.9% of spam messages while mistakenly classifying only 0.05% of incoming mail as spam. And this was four years ago!

While on the topic of spam filters, do you know how they treat your emails? Useless messages ending up in the spam folder are none of your concern, but the emails you send shouldn’t be getting the same treatment.

The best way to prevent this (besides keeping your fingers crossed) is to check your email content for spam, and you can do exactly that with Mailtrap Email Sandbox.

Within the Email Sandbox testing solution, you have access to the Spam Analysis tab, which offers a spam report as well as a blacklist report. 

The spam report gives an overall score of your email content based on numerous tests of email headers and body text made using the Apache SpamAssassin filter. It also lists each rule that email clients might deem suspicious and assigns it spam test points as well as a description.

The blacklist report, on the other hand, tells you if your IP/domain is listed on any commonly used blacklists. It will give you insight into what blacklists were queried, and, in case you have been listed on one, it will link to it, thus allowing you to review all the rules and instructions you need to follow to get delisted.

So, if you want to avoid triggering any spam filters and having your emails be in the company of true spam, make sure you do some email testing beforehand. Trust us, these spam and blacklist reports could prove to be a true “emailsaver”.
