How can I prevent account compromise (e.g., MFA)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine someone on your team clicks a convincing phishing link, hands over their password, and your sending account is wide open before anyone notices. It happens more often than you'd think. The good news is that a few layered protections make this kind of account takeover dramatically harder to pull off.
Here's a practical order of operations.
Step 1: Turn on MFA everywhere, today
Multi-factor authentication (MFA) is the single highest-impact thing you can do. A stolen password alone isn't enough to get in if there's a second factor required. Enable MFA on your ESP account, your domain registrar, your DNS host, and any email admin panel your team touches.
Which MFA method should you pick? Authenticator apps (like Google Authenticator or Authy) are stronger than SMS codes because SMS can be intercepted via SIM-swapping. Hardware security keys (like a YubiKey) are stronger still, though they add friction. For most email teams, an authenticator app is the right balance. SMS MFA is better than nothing, but don't stop there if you can help it.
Step 2: Get everyone on a password manager
Unique, complex passwords for every account aren't realistic without a tool to store them. Password managers like 1Password or Bitwarden handle that completely. Your team doesn't need to remember any password except the one master login.
If someone genuinely can't use a password manager (device restrictions, access policies), the fallback is a passphrase: four or five random unrelated words strung together. It's long enough to resist brute-force attacks and memorable enough to not get written on a sticky note. That said, push for the manager first.
Never reuse passwords across accounts. One compromised address (say, from an old data breach) can cascade through every service if the password matches.
Step 3: Reduce who has access at all
Fewer people with sending account credentials means a smaller attack surface. Audit who actually needs admin-level access vs. who just needs to pull reports. Most ESPs have role-based permissions for exactly this reason. Use them.
But when a team member leaves, revoke access the same day. Not the same week.
Step 4: Teach the team to spot phishing
Technical controls help a lot, but most account compromises still start with someone clicking something they shouldn't. A quick regular reminder about what phishing looks like (mismatched URLs, urgent "verify your account" emails, login pages that look slightly off) goes a long way. You don't need a formal training program. A monthly team message works fine.
So it also helps to create a simple habit: if someone gets a suspicious login prompt or email, they report it rather than ignore it. Catching one real attempt early can prevent a much bigger problem later.
If you're already doing all of this and something still feels off, check out the signs of a compromised sending account so you know what to watch for. And if things are actively broken right now, our SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.