Someone Is Sending Spam Using My Email Address โ
People sometimes report that contacts are receiving spam "from" their address, or that they are getting a flood of bounce-back messages for emails they never sent. This is alarming, but in most cases your account has not been hacked. This page explains why, and how to tell the two situations apart.
Spoofing vs. a compromised mailbox โ
Spoofing means a spammer simply wrote your address into the "From" field of their own message. Email works a lot like postal mail: anyone can write any return address on the envelope. The spammer never logged into your mailbox and never touched your server. When their messages bounce, those bounces come back to the forged address (yours), which is why you suddenly receive bounce-backs for mail you didn't send. (This flood of bounces is called backscatter.)
A compromised mailbox is different: someone actually obtained your password and is logging in and sending through your real account.
Here is how to tell which one you are dealing with:
| Sign | Spoofing (forged sender) | Real compromise |
|---|---|---|
| Messages in your Sent folder you don't recognize | No | Yes |
| The "sending" address is one that doesn't even exist on your account | Common | No |
| Bounce-backs for mail you never sent | Yes | Sometimes |
| Logins from unfamiliar locations / devices | No | Yes |
| Your password recently reused or leaked elsewhere | No | Likely |
billing@yourdomain.com when no such mailbox exists). Seeing that address "send" mail is a strong sign of spoofing, not a break-in, because there is no mailbox there to log into. If it is spoofing โ
You cannot stop other people from writing your address on their messages, but you can tell the rest of the world's mail servers to reject anything that forges your domain. That is exactly what SPF, DKIM, and DMARC do. A strict DMARC policy (p=reject) instructs receiving servers to discard mail that fails authentication, which shuts down most spoofing of your domain.
- Make sure SPF and DKIM are set up for your domain.
- Add a DMARC record and, once you have confirmed your legitimate mail passes, move its policy to
p=reject. - Follow our full walkthrough: SPF, DKIM & DMARC setup.
Backscatter usually dies down on its own once the spam campaign moves on. Strong authentication makes your domain a much less attractive target for the next one.
If it is a real compromise โ
Act quickly:
- Change the mailbox password immediately to a long, unique one.
- Enable two-factor authentication where available, and update the password in every device and app that checks that mailbox.
- Run a malware scan on the computers and phones that use the account, since stolen passwords often come from infected devices.
- Review your account for unfamiliar mail filters or forwarders the attacker may have added.

