What is backscatter and why is it a problem?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Backscatter is what happens when a mail server accepts a spoofed email, then realizes it can't deliver it, and sends a bounce notification to the forged sender address. The innocent domain whose address was faked ends up flooded with bounce messages for mail they never sent.

Here's how it works: A spammer forges "From: contact@yourcompany.com" on thousands of spam messages. Receiving servers that accept first and validate later generate "Delivery failed" bounces back to contact@yourcompany.com. Your inbox fills with failure notices for messages you never sent, your mail server gets overwhelmed processing bounces, and mailbox providers start to think your domain is the spam source.

The damage is real. Your domain reputation drops because mailbox providers see your address on thousands of bounce messages. Your support inbox becomes unusable (imagine 10,000 "Undeliverable: Re: Cheap Watches" messages). And confused recipients sometimes file spam complaints against your domain, thinking you're the spammer.

The fix isn't on your end, it's on receiving servers. Properly configured servers reject spoofed mail during the SMTP conversation (before accepting the message), so they never generate a bounce. That's why SPF and DKIM matter so much. They let receiving servers verify whether mail claiming to be from your domain is actually from you, and reject forgeries before accepting them.

If you're getting backscatter floods right now, it means someone is actively spoofing your domain. Check your authentication setup with our free SPF checker and make sure you have a published DMARC policy. A DMARC policy of "p=reject" tells receiving servers to refuse forged mail outright, which stops backscatter before it starts.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized backscatter mitigation advice

I read this on the Email Almanac about backscatter: "Backscatter is what happens when a mail server accepts a spoofed email, then realizes it can't deliver it, and sends a bounce notification to the forged sender address. The innocent domain whose address was faked ends up flooded with bounce messages for mail they never sent. Your domain reputation drops, your support inbox becomes unusable, and confused recipients sometimes file spam complaints against your domain." Help me understand how this applies to MY specific situation. Based on what I share below, give me: 1. Authentication gaps to check: Which records (SPF, DKIM, DMARC) I should verify first and what "reject" vs "quarantine" means for my situation 2. Backscatter volume assessment: How to tell if I'm experiencing backscatter vs legitimate bounces from my own sends 3. Immediate mitigation steps: What to do if backscatter is flooding my inbox right now (filters, suppression, reporting) 4. Long-term prevention: DMARC policy progression (none → quarantine → reject) and monitoring setup --- My details (the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, Google Workspace, custom SMTP - Domain(s): your sending domain(s) - Current situation: [Are you getting bounce floods right now? How many per day? Do you have SPF/DKIM/DMARC set up?] - Sending volume: e.g. 500 emails/month or 10,000/day - Experience level: beginner / intermediate / advanced

Edit the yellow boxes, then send to the AI of your choice.