Malware Email AttachmentsI recently was catching up on my email, and I was struck that there wasn’t a single marketing message with an attachment in my inbox. The only notes with attachments were transactional in nature: a receipt from a store I made a purchase from and a voicemail notification from my company’s phone system. Those transactional messages didn’t have any images, nor were they long with a bunch of offers. Sure, there were a few links to their website where I could find marketing offers, but no big call to action beyond the essential transactional purpose of the message.

Now curious, I also took a look at my spam folder. In contrast, it had quite a few messages with attachments that looked to be marketing. Upon further investigation, though, it became very clear that those seeming marketing messages actually contained malware. Yikes.

Now you may think, how does this affect me? “The attachments I send aren’t malware, so what’s the problem?” Simple: you might be lumped in with the bad guys because receivers will judge you guilty by association. Anything you do that looks even slightly like the behavior of malware spammers will hurt your deliverability. In this post, I’ll look at some popular techniques used by these bad actors.


First and foremost, the bulk sending of non-transactional messages with attachments has become a clear indicator to ISPs that your messages have a high risk of being malware. It’s hard to understate what a significant problem computers infected with malware have become for ISPs. When a PC gets infected, it’s often used for sending more spam, which harms the ISP’s reputation, eats up bandwidth, and degrades their network for their customers. When an ISP permits marketing or other bulk senders to send attachments, they’re taking a very sizable risk of exacerbating this problem.

Forewarned and forearmed, I picked apart the header of a message that purported to be from a well-known sender, USAA. However, I immediately noticed a major red flag: a lack of authentication. SPF failed, and there was not a DKIM or Domain Key Signature. It is important to do both SPF and DKIM authentications in order to get into the inbox. ISPs have made it clear that without it, you’re fighting an uphill battle, and at high likelihood of being disposed of as spam.


SparkPost understands the importance of authentication and therefore signs with SPF and goes the extra step of signing with DKIM for the sending domain as well as the SparkPost domain.


Moving on from the message headers of this spoofed USAA message, I saw that this spammer was trying really hard to convince me to open the attachment. Sure, the imperfect grammar was a good warning that something wasn’t legit, but a recipient who is a USAA member, and perhaps not reading carefully, just might fall for it—and then, boom, the spammer’s mission is accomplished. Those of us in the business may be a little jaded, but if this technique weren’t effective, it wouldn’t still be around after all these years. It’s a major reason ISPs have become more and more strict about blocking bulk messages with attachments.


As we saw, the example malware spam above was sent in mass, without authentication, and with an attachment. To maximize deliverability legitimate senders should strive to look as different from that profile as possible. In most cases, it is far better to send an email with no attachment and instead include a link for your recipient to click to access the content you otherwise would have attached. But, if you do find yourself unavoidably in need of sending attachments there are a few key things to keep in mind:

  1. Don’t send attachments in bulk. Instead, send them only in response to transactions initiated by your subscriber. If a subscriber is expecting an email, they are more likely to locate the message and open it, even if it’s in the spam folder.
  2. Don’t include images or marketing-centric calls to action. It’s OK to reference offers and point them to your site, but be careful not to look like you are attempting to slide in the attachment with a marketing message.
  3. Don’t send apps or executable files, as they will be blocked instantly. There is a host of file types that are not allowed by ISPs. Do some advance testing to make sure what you are sending will be accepted by the ISPs you are sending to.
  4. Watch your grammar and spelling. Content is looked at very carefully when sending attachments.
  5. Authenticate! This is a best practice when sending any message, transactional or commercial.

Even when following these best practices, you may still find yourself in the spam folder. If that’s the case, it may be best to throw in the towel and try another approach—like using a file-hosting service to handle the attachment.