Solved

Klaviyo sent emails on my behalf that I didn't do to some email list I don't have

  • 22 July 2023
  • 3 replies
  • 129 views

Hi everyone, yesterday I sent a newsletter to all my subscribers and so far I have received 15 emails back from people I don’t know and I definitely don’t have on my profiles, asking me very aggressively to be removed at once from my email list… when I checked those emails properly I realized they were replying to an email that I DEFINITELY did not send, but my email address is on it…

What the actual hell is going on here? Did this happen to anyone else?

Also, since I’m currently on a free Klaviyo plan, I don’t have any way to contact them?? This is a joke.

Best answer by David To 24 July 2023, 22:52

3 replies

Userlevel 5
Badge +18

@RBM_Adrian I have never seen anything like this and I don’t really have an answer… but I see how distressing this is.

Is it at all possible someone else sent an email with your email as the from and reply to address?

From what I know, Klaviyo doesn’t require any confirmation that you own an email address you send from.

I don’t know what anyone’s end game is in doing something like this, but it popped in my head so thought it was worth it to mention.

Userlevel 6
Badge +24

Hi @RBM_Adrian, thanks for bringing this to the attention of the community! I understand how frustrating and stressful this kind of bug/issue is.

I haven’t experienced this same problem before, but I have had notifications sent to my clients’ Klaviyo accounts before about scheduling/pausing of campaigns that are clearly not associated with our accounts, and from somewhere else. I’m going to bring this to the attention of the Klaviyo community team, and hopefully they’ll be able to help you get in touch with the best people to help you resolve this.

@stephen.trumble @chloe.strange @David To @Brian Turcotte @Taylor Tarpley - can one of y’all help @RBM_Adrian please?

Warmly,

Gabrielle

Klaviyo Champion & Marketing Lead at ebusiness pros

Userlevel 7
Badge +60

Hey @RBM_Adrian,

Sorry to hear you’re experiencing this sort of issue! Certainly not an ideal experience.

In my experience, this is most likely the behavior that @Jessica eCommerce Badassery brought up of a potentially malicious actor spoofing your from/reply-to address as their own.

Although Klaviyo doesn’t require any confirmation that you own the specific from/reply-to address you’re using, there are typically safeguards in place from the inbox providers that address these sorts of concerns. These safeguards include ensuring your CNAME, DKIM, and SPF records are all aligned - as described in our Understanding email authentication Help Center article. Even slight misalignments will likely cause emails to be blocked or placed in the spam filter of the recipient’s inbox.

For added security, you could also heighten the security settings via your DNS backend to prevent future malicious actors from attempting to spoof your from/reply-to address.

As a precaution, I would also suggest changing your password and enabling multi-factor authentication if you haven’t already. Since you mentioned you weren’t able to locate the profiles of the customers who reached out in your Klaviyo account, it would mean it’s highly unlikely your account was compromised. Oftentimes there would be “fingerprints” left behind if a malicious actor did get into your account to send inappropriate content.

When you looked into the email that these customers replied to, was it the content of the recent campaign you sent? If so, then it sounds more like a recipient forwarding your emails, rather than spoofing your from/reply-to address - similar to the experience from the Community post below:

If the content was different, then it does support the first theory that @Jessica eCommerce Badassery brought up.

One of the main reasons malicious actors spoof a brand’s from/reply-to address is an attempt to lend the email more credibility to the recipients.

I hope this helps!

David

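The alignment check described in the answer above can be run against the raw source of one of the suspicious emails. This is an added example, not part of the thread and not Klaviyo code: it reads the `Authentication-Results` header that the receiving mail server adds and applies DMARC-style relaxed alignment, which goes slightly beyond what the answer spells out. The sample messages, domains and function names are constructed, and the organizational-domain shortcut is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (example.* / .invalid domains are placeholders).
SAMPLE_LEGIT = (
    "Authentication-Results: mx.recipient.example; "
    "spf=pass smtp.mailfrom=bounce@send.shop.example; "
    "dkim=pass header.d=send.shop.example\n"
    "From: Shop <hello@shop.example>\n"
    "Reply-To: hello@shop.example\n"
    "Subject: July newsletter\n\nHello\n"
)
SAMPLE_SPOOFED = (
    "Authentication-Results: mx.recipient.example; "
    "spf=pass smtp.mailfrom=bulk@mailer.invalid; dkim=none\n"
    "From: Shop <hello@shop.example>\n"
    "Reply-To: hello@shop.example\n"
    "Subject: Special offer\n\nHello\n"
)

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_alignment(raw_message):
    """Compare the visible From domain with the domains SPF and DKIM authenticated."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Trust only the Authentication-Results header added by your own receiving server.
    ar = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", ar)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar)
    target = org_domain(from_dom)
    spf_ok = bool(spf) and spf.group(1) == "pass" and org_domain(spf.group(2)) == target
    dkim_ok = any(res == "pass" and org_domain(d) == target for res, d in dkim)
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_style_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("spoofed", SAMPLE_SPOOFED)):
        print(name, check_alignment(raw))
```

In the spoofed sample SPF passes, but only for the sender's own envelope domain, so nothing authenticates the address shown in From; that mismatch is what distinguishes a spoofed message from a forwarded copy of a real campaign.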