2020-10-12
If you send automated email, you should scan it with anti-spam software
Partly in light of Microsoft SharePoint's problem with spam, here is an obvious thing:
If you send automated email to the outside world, you should always run it through some anti-spam system and raise big alarms if they ever trigger.
(If I was doing this today I would use ClamAV and rspamd because they're free and what I'm used to, but anything will do.)
You should do this even if you aren't allowing external people to initiate the email and put content in it (which you shouldn't, because allowing that leads to spam).
You might say that your automated system can never be exploited to send spam. That may or may not be true, but even if your automated email genuinely has no spam, having ClamAV, rspamd, or whatever dislike it is a very bad sign that you should pay attention to, because it likely means that a lot of people will not be receiving the email. And beyond that, checking your automated email is an important and generally easily done insurance policy.
The gold standard for doing this check is to have an external email server in a separate domain with an address (or several addresses) that you send the automated email to on a regular basis, that runs these anti-spam tools. That gives you the closest you can get to how anti-spam tools on other people's systems will perceive your email, complete with any effects from your sending IP and so on. Running scanners on your outgoing email before it leaves your system doesn't quite capture everything, but it will generally cover scanning the content for bad things and it lets you react faster and earlier (for example, by completely stopping the automated email if it triggers anti-spam systems). It may also be easier to implement.
(There are multiple reasons to not put visible spam results on outgoing email in general, and there can be political ones to not block email written by your local people if it triggers your outgoing anti-spam checks. But I feel that automated email is different; it's much less risky to block it, presuming that you immediately alarm on this and get people's attention.)