What are the signs of a compromised sending account?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You open your dashboard and notice emails going out to addresses you've never seen. Or someone emails you back asking why you sent them spam. Or your ESP suddenly flags your account for unusual activity. These are the moments you don't want to ignore.
A compromised sending account doesn't always announce itself loudly. Sometimes the signs are subtle. Here's what to actually look for.
Unusual sending activity
The most obvious sign is email you didn't send. Pull up your sent folder and your ESP's activity log. Look for messages going to addresses you don't recognize, sends that happened at odd hours (especially outside your timezone), and volumes that are way higher than your usual pattern. If you normally send 500 emails a week and the logs show 50,000 went out last Tuesday at 3am, that's not a scheduling quirk.
One thing worth knowing: not every unfamiliar send is a compromise. API integrations, automated sequences, and team member activity can all show up as unexpected sends. The difference is that legitimate sends will trace back to a workflow you set up. Suspicious sends won't.
External reports coming in
Still this is often how people find out. Replies from strangers asking why you emailed them. Bounce notifications for messages you never drafted. Spam complaints spiking in your ESP's report. If your domain suddenly shows up on a blocklist and you haven't changed anything, that's a signal worth taking seriously.
Account changes you didn't make
Log into your account settings and check everything carefully. Password changed without your action. Recovery email or phone number swapped out. New email forwarding rules sending copies somewhere you don't control. Unfamiliar apps in your connected applications list. Any one of these could mean someone else has had access (and may still have it).
On Google Workspace you can check account activity and active sessions directly. Microsoft 365 has a sign-in log in the admin portal that shows every login attempt, where it came from, and whether it succeeded. On your ESP, look for API key creation timestamps and any new SMTP credentials you don't remember generating.
What to do right now
If more than one of these signs points your way, assume it's real and act fast. Change your password, revoke any API keys you didn't create, remove unfamiliar forwarding rules, and check which apps have OAuth access. The faster you lock things down, the less damage to your sender reputation.
If you're not sure what you're looking at in your logs, or things are moving fast and you need a second opinion, our SOS hotline is free and we actually pick up.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.