
Why Email Whitelist is Bad Antispam Practice


An email whitelist is a bad antispam practice. It compromises email security and gives hackers a way to exploit your whitelist. It also cultivates a false sense of email protection. Find out more about this security risk, especially if you are an Email Hosting user.

What is Email Whitelist?

An email whitelist lets you instruct antispam protection to let particular emails pass through. It can be based on an entire domain name you trust or on specific email senders. With a whitelist in place, any email from the approved domain or sender goes directly to your Inbox. There will be no false positives, because the email protection service does not screen whitelisted email at all.

Email Whitelist is a Bad Antispam Practice

Spammers know the logic and limitations of whitelisting well. Therefore, each whitelist entry that you add is a potential source of risk. For one, it is easy for a spammer to make an email look like it is coming from any address through “spoofing”. Spammers often spoof the emails they send out with the addresses of popular banks, stores, credit card companies, etc. (like “support@<bank name>.com”). These prominent email addresses are easy for spammers to spoof.

Someone at your company gets an email that looks like it is from a trusted source, and it reaches them because you have already whitelisted that source. To make things worse, they feel safe clicking on a link in the email since they think it is trustworthy. But the email is spoofed, and the link takes them to the spammer’s site, where a virus is downloaded or they enter their username and password, provide their corporate credit card number, etc.

How to use Email Whitelist Effectively?

If you still need a whitelist, these practices make it safer (but not completely safe):

  • Do NOT Whitelist Entire Domain: Many anti-spam programs let you specify that any email from a domain (the part after the “@” sign) is safe. Don’t ever do that, because the spammer won’t even need an exact email address to get through. If you’re unable to get a better antispam program, only whitelist specific email addresses that you trust.
  • Do NOT Whitelist Popular Companies: Do not whitelist any email address from merchants, banks, credit card companies, etc. (like “support@<bank name>.com”). Those are the addresses used in phishing scams, and they’ll all get through unscanned.
  • NEVER Whitelist Your Own Domain: It is usually unnecessary anyway. Unless you’re a larger company with more than one mail server, intra-domain emails never go out on the Internet.
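
The three rules above, written as an audit over whitelist entries. This is an added example, not code from the original post or from any antispam product; the entry formats, `OWN_DOMAIN`, `PHISHED_BRANDS` and the sample entries are assumptions constructed for illustration.

```python
# Added example: audit whitelist entries against the three rules in the list above.
# OWN_DOMAIN, PHISHED_BRANDS, the entry formats and SAMPLE are assumptions/constructed.
OWN_DOMAIN = "example.com"
PHISHED_BRANDS = {"bank.example", "cards.example", "shop.example"}

MESSAGES = {
    "WHOLE_DOMAIN": "matches every address at the domain; no exact address needed to spoof",
    "PHISHED_BRAND": "commonly impersonated sender; phishing from it would pass unscanned",
    "OWN_DOMAIN": "own domain; usually unnecessary, and spoofed mail would benefit",
}


def parse_entry(entry):
    """Return (local_part, domain); local_part is None for a whole-domain entry."""
    entry = entry.strip().lower()
    local, sep, domain = entry.rpartition("@")
    if not sep:                 # bare "partner.example"
        return None, entry
    if local in ("", "*"):      # "@partner.example" or "*@partner.example"
        return None, domain
    return local, domain


def under(domain, parent):
    """True if domain is parent or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)


def audit_entry(entry):
    """Return the rule codes one whitelist entry violates (empty list if none)."""
    local, domain = parse_entry(entry)
    codes = []
    if local is None:
        codes.append("WHOLE_DOMAIN")
    if any(under(domain, brand) for brand in PHISHED_BRANDS):
        codes.append("PHISHED_BRAND")
    if under(domain, OWN_DOMAIN):
        codes.append("OWN_DOMAIN")
    return codes


def audit(entries):
    """Map each risky entry to its rule codes; entries with no finding are omitted."""
    return {e: codes for e in entries if (codes := audit_entry(e))}


SAMPLE = ["alice@partner.example", "*@partner.example", "support@bank.example", "example.com"]

if __name__ == "__main__":
    for entry, codes in audit(SAMPLE).items():
        for code in codes:
            print(f"{entry}: {code}: {MESSAGES[code]}")
```

An entry that passes all three checks is still only as trustworthy as the sender address on the message, so the audit reduces exposure rather than removing it.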

A Better Antispam Approach

Good antispam protection learns from your email and does not require you to teach it what to whitelist. It should screen and remove spam mail reliably and with high accuracy. We recommend that you check out our Email Security Gateway, an AI-enabled antispam & email security gateway that helps you reduce spam mail. It also eliminates the risks you may face with whitelisting.

SecureAX is a Fully Managed Cloud Server provider in Singapore & Malaysia which specialises in Business Email Hosting. Contact us to find out how we can help you with better email hosting for your company!
