๐ŸŸข Network Status| First month from $2.00 โ€” fully managed | Contact Support
Skip to content
Need help? Real engineers available 24/7. Average response under 15 minutes. Open a support ticket โ†’

Someone Is Sending Spam Using My Email Address โ€‹

People sometimes report that contacts are receiving spam "from" their address, or that they are getting a flood of bounce-back messages for emails they never sent. This is alarming, but in most cases your account has not been hacked. This page explains why, and how to tell the two situations apart.

Spoofing vs. a compromised mailbox โ€‹

Spoofing means a spammer simply wrote your address into the "From" field of their own message. Email works a lot like postal mail: anyone can write any return address on the envelope. The spammer never logged into your mailbox and never touched your server. When their messages bounce, those bounces come back to the forged address (yours), which is why you suddenly receive bounce-backs for mail you didn't send. (This flood of bounces is called backscatter.)

A compromised mailbox is different: someone actually obtained your password and is logging in and sending through your real account.

Here is how to tell which one you are dealing with:

SignSpoofing (forged sender)Real compromise
Messages in your Sent folder you don't recognizeNoYes
The "sending" address is one that doesn't even exist on your accountCommonNo
Bounce-backs for mail you never sentYesSometimes
Logins from unfamiliar locations / devicesNoYes
Your password recently reused or leaked elsewhereNoLikely
โ„น
A forged address does not have to be a real mailbox
Spammers often forge an address that was never created on your account at all (for example billing@yourdomain.com when no such mailbox exists). Seeing that address "send" mail is a strong sign of spoofing, not a break-in, because there is no mailbox there to log into.

If it is spoofing โ€‹

You cannot stop other people from writing your address on their messages, but you can tell the rest of the world's mail servers to reject anything that forges your domain. That is exactly what SPF, DKIM, and DMARC do. A strict DMARC policy (p=reject) instructs receiving servers to discard mail that fails authentication, which shuts down most spoofing of your domain.

  1. Make sure SPF and DKIM are set up for your domain.
  2. Add a DMARC record and, once you have confirmed your legitimate mail passes, move its policy to p=reject.
  3. Follow our full walkthrough: SPF, DKIM & DMARC setup.

Backscatter usually dies down on its own once the spam campaign moves on. Strong authentication makes your domain a much less attractive target for the next one.

If it is a real compromise โ€‹

Act quickly:

  1. Change the mailbox password immediately to a long, unique one.
  2. Enable two-factor authentication where available, and update the password in every device and app that checks that mailbox.
  3. Run a malware scan on the computers and phones that use the account, since stolen passwords often come from infected devices.
  4. Review your account for unfamiliar mail filters or forwarders the attacker may have added.
โš 
Not sure which one it is?
Open a support ticket. We can check the server's mail logs and confirm whether anything actually left your account or whether the traffic is purely external forgery, then advise on the right fix.

Next steps โ€‹

Managed hosting that actually manages.