What is email relay and why is it sometimes abused?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: you send an email from your Gmail account while traveling in Tokyo. That email goes to a friend in Berlin, who then forwards it to a colleague in Chicago. That forwarding step? That's email relay. One mail server accepts a message and passes it along to another server. It's how mail moves across the internet when the sender and recipient aren't on the same mail system.

Relay is totally normal. Every ESP (like SendGrid, Postmark, Mailchimp) runs relay servers. When you hit send in your marketing platform, that platform's mail server relays your message to Gmail, Outlook, or wherever your recipient checks mail. The relay server is just the middleman.

But The problem happens when a mail server is configured as an open relay. That means it accepts mail from anyone, even strangers, and forwards it anywhere. No authentication required. In the 1990s and early 2000s, tons of mail servers were set up this way because nobody thought to lock the door. Spammers found them fast.

Why spammers love open relays: they can blast millions of emails through someone else's server and the spam comes from that server's IP address, not theirs. The open relay gets blocklisted and blamed while the spammer stays hidden. It's perfect for hiding identity, distributing malware, and sending scam emails without burning your own infrastructure.

These days, most mail servers require authentication before they'll relay anything. You prove you're allowed to use that server (username, password, API key) before it forwards your mail. Open relays still exist but they're rare and usually the result of a misconfigured legacy system or a compromised server.

And if you're running your own mail server, check that relay is restricted to authenticated users only. If you're using an ESP, you're fine. They handle relay security for you. The bigger risk is accidentally getting blocklisted because you're sending from the same IP pool as someone else who got flagged.

Want to check if your domain or IP is on any blocklists? Try our free blocklist checker. Takes 10 seconds and you'll know if something's wrong.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get relay advice for your setup

I read this on the Email Almanac about email relay and open relay abuse. I want to understand how this applies to my setup and whether I need to worry about relay configuration. Help me figure out: 1. My relay risk profile based on: - Email platform/ESP I use: [e.g. Mailchimp, SendGrid, custom SMTP server, Google Workspace] - Whether I run my own mail server or use a hosted service - My sending setup: marketing emails, transactional, both 2. What I should check right now: - Do I need to configure relay settings myself or does my ESP handle it? - How do I verify my server isn't accidentally acting as an open relay? - Are there any blocklists I should check? 3. Red flags that my relay might be misconfigured: - What symptoms would I see if my server was being abused? - How would I know if spammers found my server? 4. Next steps for my situation: - If I'm on an ESP: what relay settings (if any) do I control? - If I run my own server: how do I lock down relay to authenticated users only? - If I'm already blocklisted: how do I prove the abuse wasn't me? My details: - Platform: Mailchimp / SendGrid / custom SMTP / Google Workspace / etc. - Do I manage my own mail server? yes/no - Current issue (if any): describe what made you ask this question - Experience level: beginner / intermediate / advanced

Edit the yellow boxes, then send to the AI of your choice.