

What You Need to Know About Email Harvesting and Your Company

What marketers don't want you to know

By Mary Ann Wells

This article is not about programs that can skim your email from your website. That’s a very old vulnerability that most web designers can fix by encoding the emails on your website. This article is about a method of email harvesting that you may not be aware of - domain email harvesting.

The screenshot below is the easiest way to explain what domain email harvesting is. I’m using an insurance company’s website because it’s a big company and the results are a shocking eye-opener.

sample email harvesting Chrome extension

Let me explain what you’re looking at. This is the insurance company’s home page and the drop-down at the top right is a Chrome extension on my browser. When I go to any website (not just this one), I can use this extension to find all emails associated with that website’s domain. In this specific case, you’ll see that there are 38,030 emails associated with their domain and they are exposed.

Now, if this insurance company were to come to me and ask how to fix this, here’s what I would tell them…

  1. Buy an additional domain like my-insurance.com or my-healthcare.com
  2. Make the website utilize the newly purchased domain.
  3. Make the old domain redirect to the new domain so clients can still find the site.
  4. Do not set up any emails for this new domain.

Problem solved. See the screenshot below for another company that uses one domain for its website and a different domain for its emails. Even with the obvious email on the page, the email harvesting program does not “see” it.

screenshot of a site with a domain for the website and a different domain for the email.

Why Does Email Harvesting Pose a Risk?

  • First and foremost, a mailing sent to all of your employees can result in someone inadvertently clicking on a link with malware, thus infecting your entire network.
  • Second, it’s a nuisance to have to empty all those spam emails, and relevant emails can get lost among the crowd.
  • Third, and this is one I’m sure you may never have considered: some people are survivors of domestic abuse and prefer not to be found by their abuser and/or stalker. If their abuser finds out where they work, they can easily find their work email address, which is far easier than finding their personal email address. You want to keep your workers as safe as possible.

Best Practices

Besides having two domains, one for email and another for the website, you may want to make sure that all “public” emails are forwarding emails like sales@, service@, etc. You can use either domain for these because they do not have an inbox. Each forwarding email can be set to forward to one person or a group of people. Because forwarding emails do not have an inbox of their own, when someone tries to validate the email, it will come back as “unverifiable”. People can still send to them, but they are not verified because no one knows who’s going to receive them. A mass mailing sent to “unverified” emails is generally penalized with fines, or the sender’s servers get shut down (bounce backs of 15% or more are not allowed).

Keep company email for in-company use only or to communicate directly with a customer. Make it a rule that no one at your company is to share an employee’s email address with anyone outside of the company but can provide a forwarding email address instead.

A quick note on forwarding emails. You can create forwarding emails for your salespeople as well. For example, [email protected] can be a forwarding email that is printed on business cards for Joe, but it forwards to Joe’s company email of [email protected]. This gives Joe’s email a bit of protection, and Joe can set up a rule in his email client so that all mail sent to [email protected] goes into a specific folder. This keeps his sales emails separate from in-company emails.

Another perk of using a forwarding email for employees is, if Joe moves on to another company, his forwarding email can just forward to someone else’s email address.
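One way to check your own pages against the practices above is a small audit script. This is an added example, not part of the original article. It sorts every address published on a page into forwarding alias, employee address, or employee address on the website's own domain. The domains, the alias list and the sample HTML are constructed assumptions.

```python
import re
from html import unescape

# Assumption: local parts your company runs as forwarding aliases (no inbox of their own).
ROLE_ALIASES = {"sales", "service", "support", "info", "billing"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def normalize_domain(domain):
    """Lower-case a domain and drop a leading 'www.' so comparisons are consistent."""
    domain = domain.lower().rstrip(".")
    return domain[4:] if domain.startswith("www.") else domain


def audit_page(html, web_domain, role_aliases=ROLE_ALIASES):
    """Return {address: verdict} for every email address published in `html`.

    Verdicts:
      ok                        - forwarding alias (either domain is acceptable)
      publish-alias-instead     - an employee address is published on the page
      exposed-on-website-domain - an employee address on the website's own domain
    """
    web_domain = normalize_domain(web_domain)
    text = unescape(html)  # decode entity-encoded addresses so they are audited too
    report = {}
    for match in EMAIL_RE.finditer(text):
        address = match.group(0).lower()
        local, _, domain = address.rpartition("@")
        if local in role_aliases:
            report[address] = "ok"
        elif domain == web_domain:
            report[address] = "exposed-on-website-domain"
        else:
            report[address] = "publish-alias-instead"
    return report


# Constructed sample page: website on example-insurance.test, mail on example-mail.test.
SAMPLE_HTML = """
<p>Quotes: <a href="mailto:sales@example-mail.test">sales@example-mail.test</a></p>
<p>Agent: jane.doe@example-insurance.test</p>
<p>Claims: service&#64;example-insurance.test</p>
"""

if __name__ == "__main__":
    for address, verdict in audit_page(SAMPLE_HTML, "www.example-insurance.test").items():
        print(f"{verdict:26} {address}")
```

Run it over the saved HTML of each public page. Anything other than `ok` is an address to replace with a forwarding alias.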

I hope you have found this article helpful. The next article in this series will be about social media and data mining.

Web-Kare is not paid to promote any product or service in this Need2Know section. We feel that it is important to educate business owners about possible vulnerabilities to their business so they can decide how to handle them. If you have questions or wish to know more, please use the “I Need to Know More” form below.
