How to recover brand trust after a phishing attack?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your domain just got used to phish your own customers. They clicked a link that looked like it came from you, and now they don't know what to trust. An apology email helps, but it's not enough on its own. You need to show people, not just tell them, that something real has changed.
Here's how to work through it, step by step.
Step 1: Get the basics locked down first
Before you send any recovery email, make sure your email authentication is actually in place. That means SPF, DKIM, and DMARC. If you're missing any of these, attackers can keep spoofing your domain after you've already sent your "we fixed it" message. That would be a disaster.
Set DMARC to at least p=quarantine as an immediate step, then move to p=reject once you've confirmed your own sending sources pass. This is the concrete proof that you've changed the locks. You can check your current DMARC record with our DMARC Parser to see what you're actually publishing right now.
Step 2: Send a clear incident notice
Send one focused email. Not a PR statement. A plain, human message that covers three things: what happened, what you've done to stop it, and what recipients should do if they're concerned. Short sentences. No jargon. No passive voice.
A rough structure that works: "On [date], fraudulent emails were sent using our domain. They didn't come from us. Here's what we've done to prevent it from happening again: [specific steps]. If you clicked anything, here's how to protect yourself: [specific steps]."
This is closely connected to communicating with affected users, which goes deeper on tone and timing.
Step 3: Make your identity visible
Still once your DMARC is enforcing, set up BIMI (Brand Indicators for Message Identification). BIMI displays your verified logo directly in the inbox next to your sender name, in email clients that support it. It's a small thing visually, but it gives recipients a real-world signal that the message is genuinely from you. It won't work without DMARC enforcement in place, so Step 1 isn't optional.
Step 4: Verify your sender domain loudly
In the weeks after the incident, make it easy for recipients to verify they're talking to the real you. Use a consistent sender address. Add a footer note like "To verify this email came from us, check that it was sent from [yourexact@yourdomain.com]." If you have a security page on your website, link to it from every email and keep it updated.
Some companies go further and include a message like "We will never ask you to click a link to log in via email" as a standing footer. That kind of predictability builds trust faster than any single apology.
Step 5: Watch your reputation signals
Phishing attacks often leave a trail of spam complaints and damaged sender reputation, even for the real domain. Monitor your complaint rates and track metrics that show you're recovering. Check whether your domain ends up on any blocklists using our free Blocklist Checker.
Open rates may dip in the short term. That's normal. What you're watching for is engagement stabilizing and complaints dropping back to baseline. That's your signal that trust is rebuilding.
The honest timeline
So you won't undo this in a week. Most senders who handle it well see meaningful recovery in 60 to 90 days. Some subscribers will never re-engage, and that's OK. The ones who stay are worth protecting, and the authentication infrastructure you put in place now protects all future sending.
If you're in the middle of this right now and you're not sure where to start, the SOS hotline is free. No sales pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.