What are signs of internal compromise in an ESP or MTA?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You log into your ESP one morning and notice a campaign you don't recognize. Or your support inbox fills up with angry replies from people who never subscribed to you. Or a blocklist notification lands out of nowhere. Any of these can mean someone else has been using your sending account without your knowledge.

Spotting an account takeover early makes a huge difference. The longer a bad actor sends from your infrastructure, the worse the reputation damage gets. Here's what to actually look for.

Sending behavior that's off

Volume is the first tell. If you normally send 10,000 emails a week and your ESP dashboard suddenly shows 90,000, something's wrong. Look for sends going to unusual domains or geographic regions you've never targeted. Check the timestamps too. Sends firing at 3am in your time zone, when no one on your team is awake, deserve a closer look.

New campaigns or templates appearing in your account that nobody on your team created are a clear red flag. Same goes for contact lists or segments that you don't recognize.

Authentication and admin changes

This is where your audit log earns its keep. Look for new API keys created (especially ones named generically like "test" or "key1"), user accounts added at the admin level, and permission changes on existing accounts. If your SPF or DKIM settings changed without a ticket or a team member doing it intentionally, that's serious.

And most ESPs keep an activity or audit log under account settings. In Mailchimp, it's under Account Activity. In Twilio SendGrid, check the Activity Feed and the API Key management section. Make it a habit to scan these weekly, not only when something feels wrong.

External signals you shouldn't ignore

Sometimes the outside world tells you before your own dashboard does. Spam complaints spiking, blocklist notifications (check with our free blocklist checker), and contacts reaching out to say they got strange messages from your address are all signs worth taking seriously. Bounce rates jumping suddenly on a list that was healthy last week can also mean your account sent to addresses you'd never touch.

A quick weekly audit habit

  • Check your sending volume against your expected calendar
  • Review the API keys list for anything new or unfamiliar
  • Scan the user and permissions list for accounts you don't recognize
  • Look at your DNS records (SPF, DKIM, DMARC) for unexpected changes
  • Pull your complaint and bounce rate trends for the past 7 days
  • Run a blocklist check on your sending domain

If something looks off and you're not sure whether it's a mistake or something worse, that's exactly what our SOS hotline is for. Free, no pitch, just help figuring out what happened.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build my ESP audit checklist

I just read about signs of internal compromise in an ESP or MTA. I want to audit my own ESP/platform name account right now. Can you help me build a checklist of exactly what to look at, where to find each setting, and how to tell the difference between a team member making a legitimate change versus a bad actor? Please give me a ranked list of the most critical things to check first.

Edit the yellow boxes, then send to the AI of your choice.