MDaemon Technologies Blog

How to Stop Spam Emails: 10 Ways to Clean Your Inbox in 2026

By Brad Wyro posted in Email Security, Stop Spam Email

Before email, the mail that piled up in your physical mailbox was full of pamphlets, sales brochures, credit card offers, and product catalogs. Most of it went straight into the trash. Today the equivalent, and often far more dangerous, nuisance is spam. It has evolved from dubious product claims, miracle supplements, and offers of easy money into ransomware, targeted spear-phishing, and business email compromise (BEC) scams that can drain a company's bank account in a single afternoon.

Here's the part that's changed most. For years, the easiest way to spot a scam email was its broken grammar and clumsy wording. That tell is gone. Attackers now use generative AI to write phishing messages that are linguistically perfect, contextually relevant, and personalized to you, produced at scale with almost no effort. Security researchers reported a sharp spike in phishing through 2025, and Kaspersky found that roughly 45% of all email traffic was still spam, with malicious attachments climbing about 15% year over year. The volume hasn't gone away, and the messages that do get through are harder than ever to recognize.

So how can users protect themselves from becoming the next victim? There are numerous spam-fighting tools in MDaemon and other mail servers, but server-side tools are only half of the equation. The other half is user education. With that in mind, here are 10 things you can do to reduce the amount of spam you receive and avoid the threats hiding inside it.

1. Unsubscribe, but only from senders you actually recognize. How often have you been asked for your email address at checkout or while placing an order online? In either case, you may have ended up on a company's mailing list. When email from a legitimate, recognizable company arrives, it's fine to open it and click the Unsubscribe link. The important caveat in 2026: do not unsubscribe from messages sent by senders you don't recognize. With spam, the "unsubscribe" link is often there to confirm that your address is live and that a real person reads it, which gets you more spam, not less, and can lead to a malicious site. If you're not completely sure where a message came from, report it as spam instead of unsubscribing.

2. Create a secondary email address, or use aliases. While we're on the subject of retailers having your address, consider keeping a second address used solely for store records, order confirmations, and sign-ups. That keeps vendor solicitations out of your primary inbox. Many email platforms now make this even easier with aliases, "plus addressing" (e.g., yourname+shopping@domain.com), or masked-address features like Apple's Hide My Email, all of which let you hand out a disposable address you can cut off the moment it starts attracting spam.

3. Keep your email address private. If your address is visible on social media (Facebook, X, LinkedIn, Instagram), it's also visible to spammers, who run automated tools that scrape public addresses and add them to mailing lists. If you must post an address publicly, mask the format (for example, write "name at domain dot com" instead of using the @ symbol). With the prevalence of Business Email Compromise (BEC) attacks, this matters even more for executives and finance staff, since scammers use details harvested from public profiles to craft convincing, well-targeted spear-phishing emails.

4. Before you join a mailing list, check whether the owner can sell your address. If the list has a privacy policy, read it and confirm your information can't be shared with or sold to third parties.

5. Don't reply to ANY spam or unsolicited marketing message. Most spam uses forged sender (return-path) addresses, so a reply almost never reaches the spammer anyway. And replying to a legitimate-but-unwanted marketing message just confirms your address is valid, which invites more of the same.

6. Don't click links, and be especially wary of QR codes. Clicking a link in a spam email can identify you to the spammer as a live recipient, and can lead to malware or a credential-stealing page. A newer twist is "quishing," phishing that hides the malicious link inside a QR code, often in an attachment or image, specifically to slip past filters and your own instincts. Treat an unexpected QR code in an email the same way you'd treat an unexpected link: don't scan it unless you're certain of the source.

7. Block images by default. Even if you never click a link, an image that loads automatically can signal to spammers that your address is active. Spammers embed tiny, often single-pixel "tracking" images for exactly this purpose. Configure your email client to block images by default, and choose to display them only when you're sure the sender and content are legitimate.

8. Make your email address harder to guess. Spammers run dictionary attacks that guess common addresses (info@, john.smith@, and so on). A less predictable address is harder to land on by brute force.

9. Don't fall for scams, and know what they look like now. The classic "anonymous stranger promises you a fortune for a small up-front payment" scam, the old Nigerian prince or advance-fee scheme, is still around, but it has evolved. Today's versions are more patient and more costly: fake cryptocurrency "investment" opportunities (often called "pig butchering," where a scammer builds trust over weeks before the fake payout never comes), romance scams, and fraudulent job offers aimed at remote workers. The common thread hasn't changed: if someone you've never met contacts you out of the blue with an offer that depends on your money, your trust, or your urgency, it's a scam. The FTC's consumer advice site tracks the current variants.

10. Never forward chain email from people you don't know. You've seen them: the public service announcement, the petition, the "forward this to ten friends" plea. Don't. Forwarding chains is a prime way for spammers to harvest fresh, valid email addresses.

Blocking junk email isn't just the mail server administrator's job. A well-informed user is the difference between spam that's manageable and spam that's out of control, and in the AI era that informed instinct matters more than ever, because the messages no longer announce themselves with obvious mistakes. A few extra habits go a long way here too: turn on multi-factor authentication so a stolen password alone can't compromise your account, and periodically check whether your address has turned up in a known data breach. Combined with the ten tips above, that vigilance will help keep your inbox clean and keep you from becoming the next phishing or malware victim.

Encrypting vs. Signing with OpenPGP. What’s the Difference?

By Brad Wyro posted in Email Gateway How-To, Email How To, Email Security, Email Encryption

Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, legal documents, and much more. It’s very common for these types of information to be transmitted via email, especially as the COVID-19 pandemic has forced many businesses to embrace working from home. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data?

Steps to Track Spam Sent Out From a Local Machine on Your Network

By Brad Wyro posted in Email Gateway How-To, Email How To, Email Security, Cybersecurity, Stop Spam Email, Tutorial, Email Security Trends

Has this happened to you? Let’s say you’re the MDaemon administrator for your company, and you’ve noticed that somewhere, somehow, spam messages are being sent from within your network. Perhaps one of your PCs has been compromised. What do you do? Here are some tips to help you track the issue down.

18 Email Safety Tips Every User Should Know

By Brad Wyro posted in Email Security, Two-Factor Authentication, Email Best Practices

Follow these 15 email server security tips to avoid being blocklisted

By Brad Wyro posted in Email Security, Two-Factor Authentication, Email Security Trends, Email Best Practices

In 2025, spam and phishing continue to be significant threats, with spam making up over 46.8% of email traffic and the volume of phishing emails increasing sharply. Phishing attacks are becoming more sophisticated, with a large percentage of AI-generated campaigns bypassing traditional filters. As a result, 96% of US adults are targeted by at least one scam every week, and businesses are experiencing growing financial losses from attacks like Business Email Compromise (BEC).  

With spam and phishing attacks circulating the globe in massive volumes, it is increasingly important for email administrators to understand what can cause their IP address to end up on a blocklist. Spammers employ all kinds of tricks to send out as many spam messages as possible without revealing their identities. Their techniques include social engineering, malware, botnets, forged message headers, and exploiting weaknesses in email systems or network infrastructures. For the spammer, it’s basically a numbers game. It costs next to nothing to send out thousands of spam messages, and if even a small handful of people click on a link or purchase a product advertised in a spam message, the spammer can profit.

If your email infrastructure is not properly secured, then you risk being infected with malware and becoming part of a spam botnet. Even if your server is not infected with malware, if your firewall and mail server security settings are not configured properly, your IP address could wind up on a blocklist.

To protect your mail server from being blocklisted, consider the following recommendations:

Why Your Business Needs Email Encryption in 2026

By Brad Wyro posted in Email Security, Email Encryption

How often have you heard someone say, "If you're not doing anything illegal, then you have nothing to hide?" When asked this, I tend to respond with, "OK, then how about you give me the login credentials for all of your email accounts, including the ones you use for personal use?"

Protect sensitive data in email: SSL & TLS Best Practices

By Brad Wyro posted in Email Security, Email Encryption, Email Security Best Practices, Two-Factor Authentication, Email Security Trends, Email Best Practices

You may have heard the terms SSL and TLS, but do you know what they are and how they’re different?

This MDaemon Email Security Feature Protects Against Spambots

By Brad Wyro posted in Email Gateway How-To, Email Security, Stop Spam Email

Ever wonder why so much spam exists today? Though spam has decreased from a high of over 90% of global email traffic, it still makes up roughly a third of that traffic, and although the number of junk email messages is decreasing, their malware and ransomware payloads are evolving and becoming much more dangerous. Some of the most common types of spam messages include financial scams, phishing attempts, ransomware, and botnet malware. In this article, we focus primarily on botnets.

Server-side email encryption, decryption & key management with OpenPGP

By Brad Wyro posted in Email How To, Email Security, Email Encryption, Cybersecurity, Health Care Security

Whether you work in healthcare, finance, legal, government, or any other field that handles sensitive records, there's always someone out there who would love to get their hands on your confidential data. And in 2026, they're trying harder than ever. Email remains the number-one entry point for attacks, and reported losses from email-driven fraud keep climbing year over year, now supercharged by AI-generated phishing and deepfake-based social engineering. At the same time, Microsoft's end of support for Exchange 2016 and 2019 has pushed many organizations to re-evaluate their mail platform and the security that comes with it.

Don't let the bad guys read your mail. Protect it with server-side encryption. MDaemon includes OpenPGP support through its built-in MDPGP component, which lets the server handle encryption, decryption, signing, and key management for your users, with no email client plugin required. Below, we'll cover what's new in the OpenPGP world, why doing this at the server makes life easier, and how to turn it on.

What's new with OpenPGP

OpenPGP is an open standard for sending encrypted and digitally signed messages. In July 2024, a newer standard called RFC 9580 replaced the older RFC 4880 as the main OpenPGP rulebook.

The update adds a newer “version 6” format and sets a modern baseline of tools for encryption and signatures, including X25519 and Ed25519. It also supports stronger options like X448, Ed448, AES-256, SHA2-384, and SHA2-512, and adds newer protection methods that help make messages harder to tamper with.

Work is also underway on support for post-quantum cryptography, which means cryptography designed to hold up better if future computers become powerful enough to break today’s common methods.

Why handle encryption at the server?

Traditional OpenPGP usually requires every sender and recipient to install and configure a plugin in their email client, then manually trade and import keys. That's a lot to ask of end users, and it tends to break down at scale.

MDPGP moves that work to the server, which means:

  • No client plugins to deploy or support. Users send and receive mail as usual; MDaemon does the cryptography behind the scenes.
  • Centralized key management. MDPGP maintains two keyrings, one for public keys and one for private keys. It can generate users' key pairs automatically as needed, let you create them manually for specific users, or import keys created elsewhere.
  • Automatic key import. MDaemon can detect a public key attached to an authenticated message from a local user and import it automatically, so onboarding a new contact's key is as simple as emailing it to yourself.
  • Automatic or manual operation. In automatic mode, MDPGP signs and encrypts whenever the necessary keys are available; in manual mode, users opt in per-message using a simple command in the subject line. Either way, actions only happen for accounts you've authorized.
  • Server-side decryption and signature verification. Incoming encrypted mail is decrypted when the recipient's private key is known, and embedded signatures on inbound mail can be verified for you.

Because it's all asymmetric (public/private key) cryptography, the model is straightforward: others encrypt messages to you with your public key, and only your private key can decrypt them. Signing works in reverse: you sign with your private key, and anyone with your public key can confirm the message is authentic and unaltered, which supports data integrity and non-repudiation.

Compliance, made a little easier

If your organization deals with HIPAA, GDPR, FERPA, PCI DSS, or similar requirements, encryption is one of the most effective ways to keep sensitive data unreadable to unauthorized parties, and to demonstrate due diligence if something does go wrong. Handling it centrally at the server gives you consistent enforcement and a single place to manage policy, rather than relying on each user to do the right thing.

See it in action

Want to watch how it works? Our video walks through enabling OpenPGP support in MDaemon and sending an encrypted message:

Are You Receiving Replies to Messages you Never Sent?

By Brad Wyro posted in Email Gateway How-To, Email How To, Email Security, Cybersecurity, MDaemon Email Server, Stop Spam Email, Email Server, Email Security Trends
