How can you detect unusual sending patterns?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you wake up to a flood of bounce notifications and angry replies. Your sending domain has been blasting emails all night to addresses in countries you've never marketed to. By the time you notice, the damage to your sender reputation is already done. That's what account compromise looks like in practice, and catching it early is all about knowing what "normal" looks like first.
Step 1: Establish your baseline. Before you can spot something unusual, you need to know what usual looks like. Document your typical daily send volume, the hours you normally send, the countries your recipients are in, your average bounce rate, and your complaint rate. Even a simple spreadsheet works to start. The point is to have a reference you can compare against.
Step 2: Know what to watch for. Once you have a baseline, these are the patterns that should put you on alert:
- Emails sent outside your normal business hours (especially late night or early morning)
- A sudden spike in send volume with no corresponding campaign scheduled
- New recipient geographies you don't normally send to
- A rise in bounce rates or spam complaints that doesn't match any recent campaign
- Content that doesn't match your usual tone, links, or formatting
Step 3: Use the tools already available to you. Your ESP's analytics dashboard is the first place to look. Most platforms (including Mailchimp, Twilio SendGrid, and Postmark) show send volume over time, bounce trends, and complaint rates. Set up email alerts where you can so the platform notifies you of unusual activity automatically.
Step 4: Add DMARC reporting. DMARC aggregate reports show you every sending source that's using your domain, including ones you didn't authorize. If you're not already reading these reports, now is a good time to start. They're sent directly to an address you set in your DNS record, and they'll surface unauthorized senders you'd never spot any other way.
Step 5: Check your sending logs regularly. Raw logs from your ESP or mail server will show you IP addresses, message IDs, and recipient data. If you see IPs you don't recognize or recipient lists you didn't create, that's a red flag worth investigating right away. (Yes, it's a bit tedious. But a ten-minute log review once a week beats discovering a compromise after the fact.)
If something looks off and you're not sure what you're looking at, our free Email Header Analyzer can help you read the technical details without needing to be an expert. And if things feel urgent, the SOS hotline is free to use.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.