What are warning signs of compromise?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Something feels off. Maybe a subscriber emailed you saying they got a weird message from your address. Maybe your open rates crashed overnight. Maybe you got a blocklist notification out of nowhere. These are the moments when you stop and ask: has my account been compromised?
Here's what to actually check, and what each signal means.
Your account login activity
Go to your ESP's security or account activity page and look for logins from locations or devices you don't recognize. Most platforms (and tools like Google Workspace) let you see a log of recent sessions. An unfamiliar IP from a country you've never visited is a genuine red flag. A login at 3am when you were asleep is worth investigating. If your ESP doesn't show login history, that's worth flagging to their support team.
Email forwarding rules and delegates
One of the first things an attacker does after getting into an account is set up a forwarding rule. This lets them keep reading your emails even after you change your password. Check your inbox rules and delegates. Any rule you didn't create, especially one forwarding messages to an outside address, is a serious warning sign. In Gmail, you'll find this under Settings, then Forwarding and POP/IMAP, and then Filters.
API keys and access tokens
Still if your sending platform uses API access (and most modern ESPs do), check the list of active API keys. Any key you don't recognize or can't attribute to a specific integration should be revoked immediately. Attackers use stolen API keys to send spam from your domain without ever needing your password again. Don't assume an old key is harmless because it's been sitting there quietly.
Your authentication records
Check your SPF record and DKIM selectors. If something was added or changed that you didn't authorize, someone may have modified your DNS to allow unauthorized senders to send on your behalf. This is harder to pull off than account access, but it happens. You can run a quick check with our free SPF checker to see what your current record actually says.
Signals coming from outside your account
Sometimes you find out from others first. Recipients telling you they got messages you didn't send. A spike in spam complaints (visible in your ESP's dashboard or in DMARC reports). A sudden bounce rate jump suggesting your domain is being flagged by filters. Landing on a blocklist like Spamhaus without a clear reason. Any of these can mean unauthorized sending happened from your domain or account.
If you're seeing more than one of these signs at the same time, don't wait. Change your passwords, revoke any API keys you can't verify, check your DNS, and contact your ESP. If things are breaking right now and you're not sure what to look at first, our SOS hotline is free and we'll walk through it with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.