Common Issues security

My App Is Sending Spam Emails I Didn't Create

Users are telling you they're getting weird emails from your app — promotional messages, phishing attempts, or password reset links they didn't request. You didn't set up any of these emails, and you have no idea how they're being sent.

This usually means someone has gained access to your email sending service (like SendGrid, Mailgun, or your SMTP credentials) and is using your account to blast out spam. Your domain and reputation are being destroyed with every email sent.

The damage goes beyond annoying your users. Email providers like Gmail and Outlook may permanently blacklist your domain, meaning even your legitimate emails will go to spam forever if you don't act quickly.

Error Messages You Might See

Bounce notification: message rejected Email delivery failed: blacklisted Your sending has been suspended SPF check failed Users reporting phishing from your domain
Bounce notification: message rejectedEmail delivery failed: blacklistedYour sending has been suspendedSPF check failedUsers reporting phishing from your domain

Common Causes

  • Email API key stolen — Your SendGrid, Mailgun, or other email service API key is exposed in your code or has been stolen
  • Contact form exploited — Your app's contact form or email feature has no rate limiting, so bots are using it to send thousands of messages
  • Open email relay — Your email server is configured to let anyone send emails through it without authentication
  • Compromised server — Someone gained access to your server and installed their own email-sending scripts
  • Spoofed sender address — Someone is sending emails that look like they're from your domain (you can't fully prevent this without proper DNS records)

How to Fix It

  1. Revoke your email API key immediately — Go to your email service dashboard and delete/rotate the current API key to stop all sending
  2. Check your email service logs — Look at SendGrid, Mailgun, or your email provider to see how many emails were sent and to whom
  3. Add rate limiting to forms — Limit how many emails any single user or IP address can trigger per hour
  4. Set up SPF, DKIM, and DMARC records — These DNS records help prove that only you can send emails from your domain
  5. Add CAPTCHA to public forms — Prevent bots from abusing any form that triggers email sending
  6. Check for malicious code on your server — Have a developer scan your server for unauthorized scripts or files

Real developers can help you.

MFox MFox Full-stack professional senior engineer (15+years). Extensive experience in software development, qa, and IP networking. Kingsley Omage Kingsley Omage Fullstack software engineer passionate about AI Agents, blockchain, LLMs. Sage Fulcher Sage Fulcher Hey I'm Sage! Im a Boston area software engineer who grew up in South Florida. Ive worked at a ton of cool places like a telehealth kidney care startup that took part in a billion dollar merger (Cricket health/Interwell health), a boutique design agency where I got to work on a ton of exciting startups including a photography education app, a collegiate Esports league and more (Philosophie), a data analytics as a service startup in Cambridge (MA) as well as at Phillips and MIT Lincoln Lab where I designed and developed novel network security visualizations and analytics. I've been writing code and furiously devoted to using computers to make people’s lives easier for about 17 years. My degree is in making computers make pretty lights and sounds. Outside of work I love hip hop, the Celtics, professional wrestling, magic the gathering, photography, drumming, and guitars (both making and playing them) Franck Plazanet Franck Plazanet I am a Strategic Engineering Leader with over 8 years of experience building high-availability enterprise systems and scaling high-performing technical teams. My focus is on bridging the gap between complex technology and business growth. Core Expertise: 🚀 Leadership: Managing and coaching teams of 15+ engineers, fostering a culture of accountability and continuous improvement. 🏗️ Architecture: Enterprise Core Systems, Multi-system Integration (ERP/API/ETL), and Core Database Structure. ☁️ Cloud & Scale: AWS Expert; architected systems handling 10B+ monthly requests and managing 100k+ SKUs. 📈 Business Impact: Aligning tech strategy with P&L goals to drive $70k+ in monthly recurring revenue. I thrive on "out-of-the-box" thinking to solve complex technical bottlenecks and am always looking for ways to use automation to improve business productivity. Milan Surelia Milan Surelia Milan Surelia is a Mobile App Developer with 5+ years of experience crafting scalable, cross-platform apps at 7Span and Meticha. At 7Span, he engineers feature-rich Flutter apps with smooth performance and modern UI. As the Co-Founder of Meticha, he builds open-source tools and developer-focused products that solve real-world problems. Expertise: 💡 Developing cross-platform apps using Flutter, Dart, and Jetpack Compose for Android, iOS, and Web. 🖋️ Sharing insights through technical writing, blogging, and open-source contributions. 🤝 Collaborating closely with designers, PMs, and developers to build seamless mobile experiences. Notable Achievements: 🎯 Revamped the Vepaar app into Vepaar Store & CRM with a 2x performance boost and smoother UX. 🚀 Launched Compose101 — a Jetpack Compose starter kit to speed up Android development. 🌟 Open source contributions on Github & StackOverflow for Flutter & Dart 🎖️ Worked on improving app performance and user experience with smart solutions. Milan is always happy to connect, work on new ideas, and explore the latest in technology. Caio Rodrigues Caio Rodrigues I'm a full-stack developer focused on building practical and scalable web applications. My main experience is with **React, TypeScript, and modern frontend architectures**, where I prioritize clean code, component reusability, and maintainable project structures. I have strong experience working with **dynamic forms, state management (Redux / React Hook Form), and complex data-driven interfaces**. I enjoy solving real-world problems by turning ideas into reliable software that companies can actually use in their daily operations. Beyond coding, I care about **software quality and architecture**, following best practices for componentization, code organization, and performance optimization. I'm also comfortable working across the stack when needed, integrating APIs, handling business logic, and helping transform prototypes into production-ready systems. My goal is always to deliver solutions that are **simple, efficient, and genuinely useful for the people using them.** prajwalfullstack prajwalfullstack Hi Im a full stack developer, a vibe coded MVP to Market ready product, I'm here to help Anthony Akpan Anthony Akpan Developer with 8 years of experience building softwares fro startups Bastien Labelle Bastien Labelle Full stack dev w/ 20+ years of experience Stanislav Prigodich Stanislav Prigodich 15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it.

Describe what's wrong in plain English. No technical knowledge needed.

Get Help

Frequently Asked Questions

How do I know if my domain has been blacklisted?

Use free tools like MXToolbox.com or mail-tester.com to check if your domain or IP is on any email blacklists. If it is, you'll need to clean up the issue and then request removal from each blacklist.

Can I stop people from sending emails that look like they're from my domain?

You can make it much harder by setting up SPF, DKIM, and DMARC records in your domain's DNS settings. These tell email providers which servers are authorized to send email on your behalf.

Related Common Issues Issues

Someone Hacked My AI-Built App

security

My Users' Passwords Might Be Exposed

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help