What are warning signs of compromise?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Something feels off. Maybe a subscriber emailed you saying they got a weird message from your address. Maybe your open rates crashed overnight. Maybe you got a blocklist notification out of nowhere. These are the moments when you stop and ask: has my account been compromised?

Here's what to actually check, and what each signal means.

Your account login activity

Go to your ESP's security or account activity page and look for logins from locations or devices you don't recognize. Most platforms (and tools like Google Workspace) let you see a log of recent sessions. An unfamiliar IP from a country you've never visited is a genuine red flag. A login at 3am when you were asleep is worth investigating. If your ESP doesn't show login history, that's worth flagging to their support team.

Email forwarding rules and delegates

One of the first things an attacker does after getting into an account is set up a forwarding rule. This lets them keep reading your emails even after you change your password. Check your inbox rules and delegates. Any rule you didn't create, especially one forwarding messages to an outside address, is a serious warning sign. In Gmail, you'll find this under Settings, then Forwarding and POP/IMAP, and then Filters.

API keys and access tokens

Still if your sending platform uses API access (and most modern ESPs do), check the list of active API keys. Any key you don't recognize or can't attribute to a specific integration should be revoked immediately. Attackers use stolen API keys to send spam from your domain without ever needing your password again. Don't assume an old key is harmless because it's been sitting there quietly.

Your authentication records

Check your SPF record and DKIM selectors. If something was added or changed that you didn't authorize, someone may have modified your DNS to allow unauthorized senders to send on your behalf. This is harder to pull off than account access, but it happens. You can run a quick check with our free SPF checker to see what your current record actually says.

Signals coming from outside your account

Sometimes you find out from others first. Recipients telling you they got messages you didn't send. A spike in spam complaints (visible in your ESP's dashboard or in DMARC reports). A sudden bounce rate jump suggesting your domain is being flagged by filters. Landing on a blocklist like Spamhaus without a clear reason. Any of these can mean unauthorized sending happened from your domain or account.

If you're seeing more than one of these signs at the same time, don't wait. Change your passwords, revoke any API keys you can't verify, check your DNS, and contact your ESP. If things are breaking right now and you're not sure what to look at first, our SOS hotline is free and we'll walk through it with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Tell me what's acting suspicious and I'll help you figure out where to look first.

I think my email account or sending domain might have been compromised. I'm using ESP NAME and I've noticed [DESCRIBE WHAT YOU SAW, e.g. 'a login from an unknown location', 'a spike in complaints', 'a blocklist notification']. Can you walk me through the most important things to check right now? I want to know: what to look for in my login activity, how to find any forwarding rules I didn't create, how to audit my API keys, and whether my SPF or DKIM records might have been changed.

Edit the yellow boxes, then send to the AI of your choice.