How can you identify a compromised sending domain?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You didn't send that email. But your domain did. That's the moment you realize something is very wrong.
A compromised sending domain doesn't always announce itself loudly. Sometimes it's a flood of angry replies from strangers. Sometimes it's a quiet blocklist notification that shows up days after the damage is done. Knowing what to look for, and where, can make the difference between catching it early and spending months rebuilding your sender reputation.
Here are the four main places to look.
1. Your DMARC aggregate reports
This is your first line of detection. DMARC aggregate reports show you every IP address that sent email claiming to be from your domain. If you see sending sources you don't recognize, especially ones that are failing authentication, that's a sign someone is using your domain without permission. You don't have to read the raw XML yourself. Our free DMARC Parser does the heavy lifting for you.
2. Sudden changes in sending volume
Check your ESP's dashboard regularly. A spike in messages sent, especially at odd hours or to regions you don't normally send to, is a red flag. So is activity from IP addresses you didn't authorize. If your account was accessed by someone else, the logs will usually show it.
3. External signals from the outside world
Sometimes you find out because someone tells you. A contact emails to ask why you sent them something strange. A colleague gets a phishing attempt that looks like it came from your address. Complaints start piling up and your bounce rate climbs. These external signals often surface before your own monitoring catches anything, so take them seriously the moment they appear.
4. Blocklist notifications
Now if your domain or sending IP lands on a blocklist, that's a very loud signal that something went wrong. You can run a quick check with our free Blocklist Checker to see if you're already flagged. Don't wait for your delivery rates to tank before you look.
If you find something suspicious
Act fast. Change your ESP account credentials immediately. Audit every authorized sending source in your DNS records. Check whether your DMARC policy is set to quarantine or reject (if it's still on "none", unauthorized senders are getting a free pass). Then contact your ESP to flag the incident and review your sending logs together.
If this is happening right now and you're not sure where to start, our SOS hotline is free. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.