I don't think it's possible to 100% prevent it as you point out. The main concern would be if you are somehow allowing customization of the email design, but not requiring an API key to trigger it. If they all look the same by default then I would not worry much about that case. But if you provide ability to add a logo or something, then it would make sense to tie that to an API key. Yes, anyone could register one and upload the same logo or use the same title, but that doesn't mean it isn't worth doing. You would at least have some more info about who is doing the spoofing.