How can you detect unusual sending patterns?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you wake up to a flood of bounce notifications and angry replies. Your sending domain has been blasting emails all night to addresses in countries you've never marketed to. By the time you notice, the damage to your sender reputation is already done. That's what account compromise looks like in practice, and catching it early is all about knowing what "normal" looks like first.

Step 1: Establish your baseline. Before you can spot something unusual, you need to know what usual looks like. Document your typical daily send volume, the hours you normally send, the countries your recipients are in, your average bounce rate, and your complaint rate. Even a simple spreadsheet works to start. The point is to have a reference you can compare against.

Step 2: Know what to watch for. Once you have a baseline, these are the patterns that should put you on alert:

  • Emails sent outside your normal business hours (especially late night or early morning)
  • A sudden spike in send volume with no corresponding campaign scheduled
  • New recipient geographies you don't normally send to
  • A rise in bounce rates or spam complaints that doesn't match any recent campaign
  • Content that doesn't match your usual tone, links, or formatting

Step 3: Use the tools already available to you. Your ESP's analytics dashboard is the first place to look. Most platforms (including Mailchimp, Twilio SendGrid, and Postmark) show send volume over time, bounce trends, and complaint rates. Set up email alerts where you can so the platform notifies you of unusual activity automatically.

Step 4: Add DMARC reporting. DMARC aggregate reports show you every sending source that's using your domain, including ones you didn't authorize. If you're not already reading these reports, now is a good time to start. They're sent directly to an address you set in your DNS record, and they'll surface unauthorized senders you'd never spot any other way.

Step 5: Check your sending logs regularly. Raw logs from your ESP or mail server will show you IP addresses, message IDs, and recipient data. If you see IPs you don't recognize or recipient lists you didn't create, that's a red flag worth investigating right away. (Yes, it's a bit tedious. But a ten-minute log review once a week beats discovering a compromise after the fact.)

If something looks off and you're not sure what you're looking at, our free Email Header Analyzer can help you read the technical details without needing to be an expert. And if things feel urgent, the SOS hotline is free to use.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get monitoring thresholds for your setup

I just read about detecting unusual email sending patterns. My ESP is YOUR ESP, we typically send NUMBER emails per day during YOUR NORMAL SENDING HOURS, mostly to recipients in YOUR MAIN COUNTRIES. Based on those numbers, give me: (1) the specific alert thresholds I should set for volume spikes, bounce rate increases, and complaint rate jumps; (2) the top three dashboard metrics I should check weekly; (3) one DMARC monitoring step I can take this week with no budget.

Edit the yellow boxes, then send to the AI of your choice.