
My App Is Sending Spam Emails I Didn't Create

Users are telling you they're getting weird emails from your app — promotional messages, phishing attempts, or password reset links they didn't request. You didn't set up any of these emails, and you have no idea how they're being sent.

This usually means someone has gained access to your email sending service (like SendGrid, Mailgun, or your SMTP credentials) and is using your account to blast out spam. Your domain and reputation are being destroyed with every email sent.

The damage goes beyond annoying your users. Email providers like Gmail and Outlook may permanently blacklist your domain, meaning even your legitimate emails will go to spam forever if you don't act quickly.

Error Messages You Might See

  • Bounce notification: message rejected
  • Email delivery failed: blacklisted
  • Your sending has been suspended
  • SPF check failed
  • Users reporting phishing from your domain

Common Causes

  • Email API key stolen — Your SendGrid, Mailgun, or other email service API key is exposed in your code or has been stolen
  • Contact form exploited — Your app's contact form or email feature has no rate limiting, so bots are using it to send thousands of messages
  • Open email relay — Your email server is configured to let anyone send emails through it without authentication
  • Compromised server — Someone gained access to your server and installed their own email-sending scripts
  • Spoofed sender address — Someone is sending emails that look like they're from your domain (you can't fully prevent this without proper DNS records)

How to Fix It

  1. Revoke your email API key immediately — Go to your email service dashboard and delete/rotate the current API key to stop all sending
  2. Check your email service logs — Look at SendGrid, Mailgun, or your email provider to see how many emails were sent and to whom
  3. Add rate limiting to forms — Limit how many emails any single user or IP address can trigger per hour
  4. Set up SPF, DKIM, and DMARC records — These DNS records help prove that only you can send emails from your domain
  5. Add CAPTCHA to public forms — Prevent bots from abusing any form that triggers email sending
  6. Check for malicious code on your server — Have a developer scan your server for unauthorized scripts or files
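Step 3 above, rate limiting every endpoint that triggers an email, is the one you can implement in your own code. Below is an added example (not code from the original page): a sliding-window limiter keyed by client IP, plus the shape of a contact-form handler that consults it before the mail API is ever called. It assumes a single app instance (state lives in an in-process Map) and a hypothetical `sendMail` function supplied by your application.

```javascript
// Added example, not from the original page: a sliding-window limiter for any
// endpoint that triggers outbound email. It keeps state in an in-process Map,
// which assumes a single app instance; a shared store would replace it otherwise.
function createEmailRateLimiter({ limit = 5, windowMs = 60 * 60 * 1000 } = {}) {
  const sends = new Map(); // key (client IP or user id) -> send timestamps in window

  function allow(key, now = Date.now()) {
    const cutoff = now - windowMs;
    const recent = (sends.get(key) || []).filter((t) => t > cutoff); // drop aged entries
    if (recent.length >= limit) {
      sends.set(key, recent);
      // Oldest entry still in the window decides when the next send is possible.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    sends.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }

  // Housekeeping so a flood of distinct keys cannot grow the Map without bound.
  function prune(now = Date.now()) {
    const cutoff = now - windowMs;
    for (const [key, stamps] of sends) {
      const recent = stamps.filter((t) => t > cutoff);
      if (recent.length === 0) sends.delete(key);
      else sends.set(key, recent);
    }
    return sends.size;
  }

  return { allow, prune };
}

// Handler shape for a contact form: the limiter runs before the mail API is
// touched, so a rejected request never costs a send. `sendMail` is a
// hypothetical function supplied by the application.
function handleContactForm(limiter, clientIp, message, sendMail, now = Date.now()) {
  const verdict = limiter.allow(clientIp, now);
  if (!verdict.allowed) {
    return { status: 429, retryAfterMs: verdict.retryAfterMs };
  }
  sendMail(message);
  return { status: 202, remaining: verdict.remaining };
}
```

Returning 429 with `retryAfterMs` lets the front end show a sensible message while a bot hammering the form gets nothing sent on its behalf.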




Frequently Asked Questions

How do I know if my domain has been blacklisted?

Use free tools like MXToolbox.com or mail-tester.com to check if your domain or IP is on any email blacklists. If it is, you'll need to clean up the issue and then request removal from each blacklist.

Can I stop people from sending emails that look like they're from my domain?

You can make it much harder by setting up SPF, DKIM, and DMARC records in your domain's DNS settings. These tell email providers which servers are authorized to send email on your behalf.
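Setting the records up is only half the job; the values have to be strict enough to matter. The following added example (not from the original page) checks SPF and DMARC record strings for the common weak settings, with constructed sample records for a fictional domain showing the weak configuration beside the corrected one. It assumes you have already fetched the TXT records; no DNS lookup is performed here.

```javascript
// Added example, not from the original page: flag SPF and DMARC record values
// that still let spoofed mail through. Record strings are constructed samples;
// in practice they come from TXT lookups of the domain and of _dmarc.<domain>.
function checkSpf(record) {
  const findings = [];
  const terms = record.trim().split(/\s+/);
  if (terms[0] !== 'v=spf1') return ['not an SPF record'];
  const all = terms.find((t) => /^[+\-~?]?all$/.test(t));
  if (!all) findings.push('no "all" mechanism, so unlisted senders are not rejected');
  else if (all === 'all' || all === '+all') findings.push('"+all" authorizes every host');
  else if (all === '?all') findings.push('"?all" is neutral and gives receivers no signal');
  // Mechanisms that need a DNS lookup count toward the SPF limit of 10.
  const lookups = terms.filter((t) => /^(include:|a\b|mx\b|redirect=|exists:)/.test(t));
  if (lookups.length > 10) findings.push(`${lookups.length} lookup terms exceed the limit of 10`);
  return findings;
}

function checkDmarc(record) {
  const findings = [];
  const tags = {};
  for (const part of record.split(';')) {
    const [k, ...rest] = part.split('=');
    if (k && rest.length) tags[k.trim()] = rest.join('=').trim();
  }
  if (tags.v !== 'DMARC1') return ['not a DMARC record'];
  if (!tags.p) findings.push('missing required "p" policy tag');
  else if (tags.p === 'none') findings.push('p=none only monitors; spoofed mail is still delivered');
  if (!tags.rua) findings.push('no "rua" address, so you get no aggregate reports');
  if (tags.pct !== undefined && Number(tags.pct) < 100) findings.push(`pct=${tags.pct} enforces on only part of the traffic`);
  return findings;
}

// Both records for a domain, audited together.
function auditDomainRecords({ spf, dmarc }) {
  return { spf: checkSpf(spf), dmarc: checkDmarc(dmarc) };
}

// Constructed samples for the same fictional domain: weak settings beside corrected ones.
const WEAK_RECORDS = { spf: 'v=spf1 include:_spf.mailer.example +all', dmarc: 'v=DMARC1; p=none' };
const HARDENED_RECORDS = {
  spf: 'v=spf1 include:_spf.mailer.example -all',
  dmarc: 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100',
};
```

Start with `p=none` plus a `rua` address while you confirm every legitimate sender passes, then move to `p=quarantine` and finally `p=reject`; the checker above treats the monitoring-only state as a finding so it is not left in place by accident.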

