Common Issues security

My App Is Sending Spam Emails I Didn't Create

Users are telling you they're getting weird emails from your app — promotional messages, phishing attempts, or password reset links they didn't request. You didn't set up any of these emails, and you have no idea how they're being sent.

This usually means someone has gained access to your email sending service (like SendGrid, Mailgun, or your SMTP credentials) and is using your account to blast out spam. Your domain and reputation are being destroyed with every email sent.

The damage goes beyond annoying your users. Email providers like Gmail and Outlook may permanently blacklist your domain, meaning even your legitimate emails will go to spam forever if you don't act quickly.

Error Messages You Might See

Bounce notification: message rejected Email delivery failed: blacklisted Your sending has been suspended SPF check failed Users reporting phishing from your domain
Bounce notification: message rejectedEmail delivery failed: blacklistedYour sending has been suspendedSPF check failedUsers reporting phishing from your domain

Common Causes

  • Email API key stolen — Your SendGrid, Mailgun, or other email service API key is exposed in your code or has been stolen
  • Contact form exploited — Your app's contact form or email feature has no rate limiting, so bots are using it to send thousands of messages
  • Open email relay — Your email server is configured to let anyone send emails through it without authentication
  • Compromised server — Someone gained access to your server and installed their own email-sending scripts
  • Spoofed sender address — Someone is sending emails that look like they're from your domain (you can't fully prevent this without proper DNS records)

How to Fix It

  1. Revoke your email API key immediately — Go to your email service dashboard and delete/rotate the current API key to stop all sending
  2. Check your email service logs — Look at SendGrid, Mailgun, or your email provider to see how many emails were sent and to whom
  3. Add rate limiting to forms — Limit how many emails any single user or IP address can trigger per hour
  4. Set up SPF, DKIM, and DMARC records — These DNS records help prove that only you can send emails from your domain
  5. Add CAPTCHA to public forms — Prevent bots from abusing any form that triggers email sending
  6. Check for malicious code on your server — Have a developer scan your server for unauthorized scripts or files

Real developers can help you.

Matthew Jordan Matthew Jordan I've been working at a large software company named Kainos for 2 years, and mainly specialise in Platform Engineering. I regularly enjoy working on software products outside of work, and I'm a huge fan of game development using Unity. I personally enjoy Python & C# in my spare time, but I also specialise in multiple different platform-related technologies from my day job. Daniel Vázquez Daniel Vázquez Software Engineer with over 10 years of experience on Startups, Government, big tech industry & consulting. Simon A. Simon A. I'm a backend developer building APIs, emulators, and interactive game systems. Professionally, I've developed Java/Spring reporting solutions, managed relational and NoSQL databases, and implemented CI/CD workflows. Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. Pratik Pratik SWE with 15+ years of experience building and maintaining web apps and extensive BE infrastructure ISHANTDEEP SINGH ISHANTDEEP SINGH Senior Software Engineer with 7+ years of experience in React, JavaScript, TypeScript, Next.js, and Node.js. I’ve also worked as a tech lead for startups, owning end-to-end technical execution including architecture, development, scaling, and delivery. I bring a strong mix of hands-on coding, product thinking, and technical leadership, and I’m comfortable building products from scratch as well as improving and scaling existing systems. Stanislav Prigodich Stanislav Prigodich 15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it. Kingsley Omage Kingsley Omage Fullstack software engineer passionate about AI Agents, blockchain, LLMs. Jacek Rozanski Jacek Rozanski Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004). Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month. What I bring to AI-built apps: - I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0 - I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture) - I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting - I integrate external services: payment providers, email systems, partner APIs, SSO/auth Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code. Based in Poland (CET timezone). Available for async work and calls during EU/US business hours. Tejas Chokhawala Tejas Chokhawala Full-stack engineer with 5 years experience building production web apps using React, Next.js and TypeScript. Focused on performance, clean architecture and shipping fast. Experienced with Supabase/Postgres backends, Stripe billing, and building AI-assisted developer tools.

Describe what's wrong in plain English. No technical knowledge needed.

Get Help

Frequently Asked Questions

How do I know if my domain has been blacklisted?

Use free tools like MXToolbox.com or mail-tester.com to check if your domain or IP is on any email blacklists. If it is, you'll need to clean up the issue and then request removal from each blacklist.

Can I stop people from sending emails that look like they're from my domain?

You can make it much harder by setting up SPF, DKIM, and DMARC records in your domain's DNS settings. These tell email providers which servers are authorized to send email on your behalf.

Related Common Issues Issues

Someone Hacked My AI-Built App

security

My Users' Passwords Might Be Exposed

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help