Getting started

How to tell if your email account has been hacked

A hand inserting a red envelope into a mailbox with the Gandi logo on it

Is your email account acting weird and you think it may have been hacked?

Here are a few tips to help you recognize the signs of hacking, how to stop it, and how to better protect your email account.

First sign that your email account has been hacked: a preponderance of “bounce” messages or “non delivery reports”

The word “bounce” might not be super meaningful to you right away, but you’ve definitely seen this type of email.

It’s the notification you get in your inbox that tells you that a message that you sent couldn’t be delivered to its intended recipient.

Generally, that happens when you send an email to an address that no longer exists or when you make a typo or an error in “To:” address.

But when you start to see this type of message for emails you don’t remember sending, and with recipients you don’t recognize, that’s an alarming sign that someone else is using your email account.

“I’m receiving bounce messages even though the ‘Sent’ folder in my email account is empty.”

The confusing part about your email account getting hacked is that you’ll get many “non delivery reports” in your inbox.

If the emails referenced were in fact sent and they have your email address as the “Sender” address, with the non delivery reports as proof, why wouldn’t you see those in your outbox or sent folder?

It’s because actually, whoever got access to your account has configured your email address on their own computer, using the connection credentials they stole from you. The contents of the “Sent” folder or outbox are only visible locally in your email client, so you wouldn’t have access to their “Sent” folder.

These bounces can result from one of the following scenarios:

  • your email account password has been stolen
  • an identity theft method known as Spoofing

Case study 1: Your email password has been exposed

The spammer has configured their email software using your stolen email login.

Emails are then sent using their own software, or as is more often the case, using a script on a web server.

“I don’t use Gandi’s SMTP”

SMTP, or “Simple Mail Transfer Protocol,” is the communication protocol used to send an email to an email server. If you use your ISP’s SMTP, that doesn’t mean that Gandi’s SMTP is automatically deactivated. You can only deactivate this manually.

That’s why when your email password is stolen, emails can still be sent from Gandi’s network.

If you don’t need Gandi’s SMTP, you can prevent any potential fraudulent use by deactivating Gandi’s SMTP for the email address in question.

Feel free to consult our documentation for help deactivating Gandi’s SMTP service.

How to secure an email account once the password has been compromised

  • Create a new password 

To put an end to any fraudulent use of and to secure your email account, you’ll need to change the password using a few simple rules to ensure it’s strong enough.

You should also make sure that this password is unique and not one that you use for anything other than this email account.

The new password should have at least 8 characters, composed of letters, numbers, and special characters.

For help changing your password, we recommend this page from our documentation on the subject.

  • Activate two-factor authentication on your email account

Sometimes called “2FA”, or “two-step verification,” two-factor authentication adds an additional layer of security. Instead of limited access to your email account using a single authentication (your password), you can add a second step to the login process and protect your account even further.

  • Use a password manager

There are different solutions, often in free and subscription variants, according to the level of security you’re looking for. This “vault” saves your passwords in order to make it easier for you to access your passwords for all the various sites and applications you use without having to memorize them all or save them insecurely. The programs can also generate strong passwords themselves, and that way you can avoid using the same password for multiple accounts.

Case study 2: Spoofing

When it comes to spoofing, a spammer uses your email address in the “sender” field of their spam without having access to your email account.

It’s the equivalent of using your address as the return address on a piece of snail mail.

How to protect your email account from spoofing: implement DKIM

In order to avoid your email address being used in this way, we recommend that you implement DKIM on your domain name.

DKIM, or DomainKeys Identified Mail, is a protocol that enables you to attach a cryptographic “signature” to your emails that means the email is authorized. The receiver of the email can automatically verify this signature by comparing it to a public key. This “signature” verifies that the email, including any attachments, has not been modified en route.

Read more about how to activate it in our DKIM documentation.

Second sign your email account has been hacked: you receive an alert message from Gandi

Another sign that might indicate abnormal usage of your email account is if you receive an automatic alert from Gandi informing you that your account has sent too many emails in a given day.

The message will read: “Too many emails per day/hour for domain”

If you haven’t changed the amount of email your sending out, or if you never use this address to send emails, it’s possible someone else is sending a large number of emails from your address.

How to secure your email account after getting an abnormal use message

In this case, we recommend changing your email account password, as indicated above.

If you find yourself in any of the scenarios above, we encourage you to react swiftly in order to limit the impact of your email account being compromised.