As a general recommendation to check on the authenticity of an email coming from Notify, a recipient can check the email SMTP headers for security signatures.
For example, in Gmail, click the email options and select "Show original" like so:
There will be DMARC, DKIM and SPF records in the headers that are present and that allows your mail server to check on the authenticity of the sender.
For example, Gmail would tell us that these 3 checks have a PASS status as a summary of the Show original page content:
For example, Gmail would tell us that these 3 checks have a PASS status as a summary of the Show original page content:
A recipient who receives a fake email from Notify would have these to fail. Here is an example of a detailed header when the DMARC check failed:
gmail-smtp-in.l.google.com[172.253.127.27] said: 550-5.*.* Unauthenticated email from neuv*****.*** is not accepted due to 550-5.*.* domain's DMARC policy. Please contact the administrator of 550-5.*.* neuv*****.*** domain if this was a legitimate mail. Please visit 550-5.*.* https://support.google.com/mail/answer/2451690 to learn about the 550.5.*.* DMARC initiative. a17si3360358oiw.140 - gsmtp (in reply to end of DATA command)