How do ESPs prevent account compromise or abuse?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine logging in one morning to find your ESP account sent 50,000 phishing emails overnight. You didn't do it. Someone else got in, used your verified domain and trusted sending reputation, and now your deliverability is in freefall. That's exactly the scenario ESPs build their security layers to prevent.
The attack usually starts with stolen credentials, a leaked API key, or a phishing attempt targeting your login. Once an attacker is inside a legitimate account, they can send from your domain and your IPs without triggering external spam filters the way a brand-new bad actor would. They're piggybacking on your good name.
What ESPs do on their end
Most ESPs layer several defenses together. Two-factor authentication (2FA) is the baseline. Even if your password leaks, a second factor blocks unauthorized logins. Beyond that, ESPs monitor for unusual sending patterns in real time. If your account normally sends 500 emails a day and suddenly fires off 200,000 in an hour, that triggers an automatic pause and a review. Geographic anomalies matter too. A login from a country you've never accessed before gets flagged.
API key security is another big one. Good ESPs let you create scoped keys with limited permissions, so a compromised key can't do everything. They also log API usage patterns and alert you when something looks off. And SMTP AUTH controls which connections can submit mail at all.
Content scanning runs in the background too. ESPs match outgoing emails against known spam and phishing templates, and check URLs against threat databases. If a batch of your emails starts looking like a credential-harvesting campaign, sending pauses before much damage is done.
What happens to your reputation if it goes wrong
Here's the uncomfortable truth. Even if the attack wasn't your fault, the spam complaints and blocklist hits land on your domain and your sending IPs. Mailbox providers don't distinguish between "you sent spam" and "someone sent spam from your account." The result is the same. Your deliverability takes a real hit. Recovery means cleaning up blocklist listings, warming reputation back up, and sometimes explaining the incident directly to ESPs and blocklist operators.
On shared IP infrastructure (which is common on entry-level plans), a compromised account doesn't just hurt you. Other senders on the same IPs absorb some of the reputational damage too. That's why ESPs are aggressive about pausing suspicious accounts fast.
What you need to do on your end
ESPs can't protect you from yourself (or from your own team's weak security habits). That part is on you.
- Enable 2FA on every account that touches email sending. Every one.
- Rotate API keys regularly, and immediately if a developer leaves your team.
- Use scoped keys with minimum necessary permissions. Don't create one master key for everything.
- Audit who has access to your ESP account and remove old users.
- Watch your sending stats. A sudden unexplained spike in volume or bounces is a signal worth investigating before it becomes a crisis.
And the ESP builds the fence. You're responsible for locking the gate. (Both need to be doing their part for this to actually work.)
So if something feels wrong right now, our SOS hotline is free and we actually pick up. And if you want to check whether your domain's authentication is set up in a way that limits the blast radius of any account compromise, the Email Header Analyzer is a good place to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.