How can you identify a compromised sending domain?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You didn't send that email. But your domain did. That's the moment you realize something is very wrong.

A compromised sending domain doesn't always announce itself loudly. Sometimes it's a flood of angry replies from strangers. Sometimes it's a quiet blocklist notification that shows up days after the damage is done. Knowing what to look for, and where, can make the difference between catching it early and spending months rebuilding your sender reputation.

Here are the four main places to look.

1. Your DMARC aggregate reports

This is your first line of detection. DMARC aggregate reports show you every IP address that sent email claiming to be from your domain. If you see sending sources you don't recognize, especially ones that are failing authentication, that's a sign someone is using your domain without permission. You don't have to read the raw XML yourself. Our free DMARC Parser does the heavy lifting for you.

2. Sudden changes in sending volume

Check your ESP's dashboard regularly. A spike in messages sent, especially at odd hours or to regions you don't normally send to, is a red flag. So is activity from IP addresses you didn't authorize. If your account was accessed by someone else, the logs will usually show it.

3. External signals from the outside world

Sometimes you find out because someone tells you. A contact emails to ask why you sent them something strange. A colleague gets a phishing attempt that looks like it came from your address. Complaints start piling up and your bounce rate climbs. These external signals often surface before your own monitoring catches anything, so take them seriously the moment they appear.

4. Blocklist notifications

Now if your domain or sending IP lands on a blocklist, that's a very loud signal that something went wrong. You can run a quick check with our free Blocklist Checker to see if you're already flagged. Don't wait for your delivery rates to tank before you look.

If you find something suspicious

Act fast. Change your ESP account credentials immediately. Audit every authorized sending source in your DNS records. Check whether your DMARC policy is set to quarantine or reject (if it's still on "none", unauthorized senders are getting a free pass). Then contact your ESP to flag the incident and review your sending logs together.

If this is happening right now and you're not sure where to start, our SOS hotline is free. No pitch, just help.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build my domain compromise response plan

I think my email sending domain may have been compromised. Based on the four detection signals (DMARC reports, volume anomalies, external complaints, and blocklist flags), give me a ranked action list. Start with the fastest thing I can check right now, then list what to do in the first hour, and finally what to do over the next 24-48 hours to contain damage and start reputation recovery.

Edit the yellow boxes, then send to the AI of your choice.