Field note · 7 min read
An email from your own address? You weren’t hacked — here’s what happened
Spam “from yourself” is alarming and almost always harmless — anyone can forge the From line. How to tell if you were actually compromised, why it keeps happening, and how an inbox that verifies senders stops it before you ever see it.
One-paragraph answer. Getting a spam or threatening email that appears to come from your own address is alarming, and almost always harmless. The “From” line of an email is just text the sender types in — anyone can write your address there without ever touching your account, the same way anyone can write your name as the return address on a paper envelope. It is forgery, not access. The exceptions are narrow and checkable, and we walk through exactly how to rule them out below. Then we explain why your inbox showed you the message at all, and what an inbox that actually verifies senders does instead.
First: were you actually hacked?
Almost certainly not — but you don't have to take that on faith. A forged From line proves nothing about access to your mailbox. To confirm your account itself is fine, check the things that do require access:
- Recent sign-in activity. Every major mail provider keeps a log of where and when your account was accessed. Open it and look for sessions, devices, or locations you don't recognize. No unfamiliar logins is the strongest evidence you can get that no one else has been in your account.
- Sent mail. If an attacker were really inside your mailbox sending as you, the messages would normally appear in your Sent folder. A self-spoof you see only in Spam or Inbox, never in Sent, was injected from the outside.
- Forwarding rules and recovery settings. Someone who did get in usually leaves a foothold: a filter that forwards or deletes mail, or a recovery address or phone number you didn't add. Check both in your security settings.
- Your password and second factor. If you're still unsettled, change the password and turn on two-factor authentication. That closes the only door that actually matters, regardless of what the From line claims.
One genuine wrinkle: if the email quotes a real password you've used, that didn't come from your mailbox — it came from a third-party data breach, and the sender is bluffing that it implies more access than it does. Change that password everywhere you reused it. It is still not evidence that your email account was opened.
How a stranger sends mail “from you”
Email was designed in an era of mutual trust, and the protocol never required the From address to be true. A sender can put any address in that header. Three modern checks exist precisely to catch that, and understanding them in one sentence each is the whole story:
- SPF asks: is the server that sent this message on the list of servers the domain authorized to send for it? A forger's server isn't. (SPF checks the domain in the envelope sender, the bounce address, which can differ from the visible From line; requiring the two to match is DMARC's job.)
- DKIM asks: does this message carry an unbroken cryptographic signature from the domain it claims? The signature covers the From line and the body, so a forger can neither produce one nor alter a signed message without breaking it, because they don't hold the domain's private key.
- DMARC ties the two together and aligns them with the visible From address, then tells receiving servers what to do when they don't line up — nothing, quarantine, or reject.
A message forged to look like it's from your address fails SPF and DKIM for that domain (unless the domain's own SPF record is loose enough to authorize anyone, which a record ending in +all does). The only question left is whether your provider does anything about it.
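The three checks above, carried out in code. This is an added example, not Folio's code or anything from the original page: a minimal SPF evaluator (only the ip4, ip6, include and all mechanisms; RFC 7208 also has a, mx, exists and macros) plus the DMARC alignment step, run against a constructed DNS zone. The domains, IP addresses and records in DNS_TXT are assumptions for illustration, using documentation ranges, and the organisational-domain rule is simplified (real receivers use the Public Suffix List).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",   # the forger's own, valid SPF
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return DNS_TXT.get(name)


def spf_check(ip, domain, depth=0):
    """Evaluate the SPF record `domain` publishes for the connecting IP.
    Returns pass, fail, softfail, neutral or none (no record to check)."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1 ") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":                      # catch-all decides for the rest
            return QUALIFIER[qual]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):  # v4 vs v6 never matches
                return QUALIFIER[qual]
        elif mech == "include":                # only a 'pass' from the included record matches
            if spf_check(ip, arg, depth + 1) == "pass":
                return QUALIFIER[qual]
        # mechanisms outside this subset are skipped
    return "neutral"


def parse_dmarc(domain):
    """Parse _dmarc.<domain>; None when the domain publishes nothing."""
    record = lookup_txt("_dmarc." + domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """'pass' if an aligned SPF or DKIM pass exists, else the published policy
    (none / quarantine / reject), or 'no-policy' when the domain is silent."""
    policy = parse_dmarc(from_domain) or parse_dmarc(org_domain(from_domain))
    if policy is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")


def evaluate(from_domain, sender_ip, mailfrom_domain, dkim_result="none", dkim_domain=""):
    """Receiver's view of one message: SPF on the envelope sender, then DMARC on the From domain."""
    spf = spf_check(sender_ip, mailfrom_domain)
    return spf, dmarc_verdict(from_domain, spf, mailfrom_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    print(evaluate("example.com", "192.0.2.77", "example.com"))        # forgery: ('fail', 'reject')
    print(evaluate("example.com", "192.0.2.77", "attacker.example"))   # raw SPF pass, not aligned: ('pass', 'reject')
    print(evaluate("example.com", "198.51.100.20", "example.com"))     # listed server: ('pass', 'pass')
    print(evaluate("example.com", "203.0.113.10", "example.com"))      # via include: ('pass', 'pass')
    print(evaluate("unlisted.example", "192.0.2.77", "unlisted.example"))  # silent domain: ('none', 'no-policy')
```

The second call is the case worth studying: the forger puts their own domain in the bounce address, so SPF itself passes, but the pass belongs to attacker.example and DMARC refuses to credit it to the From domain. That alignment step is the whole reason DMARC exists.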
Why it reached your inbox at all
Here's the uncomfortable part: most inboxes were tuned to avoid annoying legitimate senders, so they fail open. A message that fails authentication isn't refused — it's let through, sometimes with a small “be careful” banner clipped on, sometimes with nothing. The verdict gets delegated to whatever policy the forged domain happens to publish, and if that domain stays silent, the forgery gets the benefit of the doubt.
That's why “email from my own address” is one of the most-searched email questions there is. The filter saw a message fail every check that proves identity and showed it to you anyway, with at most a vague warning — which is why the most common follow-up search is how to make that warning go away. A black box that says maybe teaches people to click.
What actually stops it
The fix isn't a smarter guess about content — it's refusing to deliver mail that can't prove who sent it. Folio runs SPF, DKIM, and DMARC on every incoming letter and files mail that fails authentication straight to Spam on arrival, before it's ever scored on content. A message forged to look like it's from your own address can't pass your domain's checks, so you never see it in your inbox. The line holds even when the forged domain publishes no policy at all, so a forger can't slip through by staying silent.
Two deliberate safeguards keep that from eating real mail. A message that carries no SPF or DKIM to check at all, or whose records couldn't be fetched because of a DNS error, is treated as unverified rather than failed, so a misconfigured-but-honest sender isn't punished. And anything that is flagged is explained and recoverable from the Spam folder, never silently deleted: open the letter and you'll see, in plain English, which checks failed and what that means. The reasoning sits right next to the verdict.
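The fail-closed-on-explicit-failure, fail-open-on-missing rule from the two paragraphs above (and the matching FAQ answer below), as an added example that is not Folio's code: it parses the Authentication-Results header a receiving server stamps on a message (RFC 8601) and decides the folder together with the plain-English reasons. The sample headers are constructed, the authserv-id "mx.example.net" is an assumed name, and the parser assumes comments contain no semicolons.

```python
import re

# Constructed Authentication-Results values, not from real messages.
SAMPLES = {
    "forged_self": "mx.example.net; spf=fail (192.0.2.77 is not authorized) "
                   "smtp.mailfrom=example.com; dkim=none; "
                   "dmarc=fail (p=none) header.from=example.com",
    "legit": "mx.example.net; spf=pass smtp.mailfrom=example.com; "
             "dkim=pass header.d=example.com header.s=s1; "
             "dmarc=pass (p=reject) header.from=example.com",
    "no_auth": "mx.example.net; spf=none; dkim=none; dmarc=none header.from=example.com",
    "dns_down": "mx.example.net; spf=temperror (DNS timeout) smtp.mailfrom=example.com; "
                "dkim=temperror; dmarc=temperror header.from=example.com",
    "broken_signature": "mx.example.net; spf=none; dkim=fail (body hash mismatch) "
                        "header.d=example.com; dmarc=none header.from=example.com",
    "attacker_envelope": "mx.example.net; spf=pass smtp.mailfrom=attacker.example; "
                         "dkim=none; dmarc=none header.from=example.com",
}

EXPLICIT_FAIL = {"fail", "softfail"}                            # a check ran and failed
UNVERIFIABLE = {"none", "neutral", "temperror", "permerror"}    # nothing usable to check

METHOD_RE = re.compile(r"(\w+)=(\w+)(?:\s*\(([^)]*)\))?(.*)$")
PROP_RE = re.compile(r"([\w.]+)=(\S+)")


def parse_auth_results(header):
    """Return (authserv-id, {method: {'result', 'comment', <ptype.property>: value}})."""
    parts = [p.strip() for p in header.split(";")]
    results = {}
    for part in parts[1:]:
        m = METHOD_RE.match(part)
        if not m:
            continue
        method, result, comment, rest = m.groups()
        entry = {"result": result.lower(), "comment": comment}
        entry.update(PROP_RE.findall(rest))
        results[method.lower()] = entry
    return parts[0], results


def org_domain(d):
    """Simplified organisational domain (last two labels); an assumption for the example."""
    return ".".join(d.lower().split(".")[-2:])


def disposition(header, from_domain):
    """Decide the folder for a message whose visible From is in `from_domain`,
    and return the explanation that would sit next to the verdict."""
    _, r = parse_auth_results(header)
    spf, dkim, dmarc = (r.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    spf_res, dkim_res = spf.get("result", "none"), dkim.get("result", "none")
    dmarc_res = dmarc.get("result", "none")
    spf_dom, dkim_dom = spf.get("smtp.mailfrom", ""), dkim.get("header.d", "")

    # 1. Proven: a DMARC pass, or an SPF/DKIM pass whose domain aligns with From.
    spf_aligned = spf_res == "pass" and spf_dom and org_domain(spf_dom) == org_domain(from_domain)
    dkim_aligned = dkim_res == "pass" and dkim_dom and org_domain(dkim_dom) == org_domain(from_domain)
    if dmarc_res == "pass" or spf_aligned or dkim_aligned:
        return "inbox", [f"Authenticated: an aligned SPF or DKIM pass proves this came from {from_domain}."]

    # 2. Any explicit failure sends it to Spam, whatever policy the domain publishes.
    reasons = []
    if dmarc_res == "fail":
        reasons.append(f"DMARC failed for {from_domain}: neither SPF nor DKIM aligned "
                       f"({dmarc.get('comment') or 'no policy stated'}).")
    if spf_res in EXPLICIT_FAIL:
        reasons.append(f"SPF {spf_res}: the sending server is not one {spf_dom or from_domain} authorizes.")
    if dkim_res in EXPLICIT_FAIL:
        reasons.append(f"DKIM {dkim_res}: the signature claimed for {dkim_dom or from_domain} did not verify.")
    if reasons:
        return "spam", reasons

    # 3. Nothing failed, but nothing proved the From domain either: fails open, labelled.
    notes = [f"Unverified: no check failed, but none proved the message is from {from_domain}."]
    if spf_res == "pass":
        notes.append(f"SPF passed only for {spf_dom}, which is not {from_domain}; that says nothing about the From line.")
    return "inbox", notes


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        folder, why = disposition(header, "example.com")
        print(f"{name:18} -> {folder}: {' '.join(why)}")
```

The last sample is the gap the fail-open rule leaves: a forger who uses their own domain in the bounce address gets a genuine SPF pass for that domain, nothing explicitly fails, and the message lands as "unverified" rather than in Spam. Publishing a DMARC policy on the From domain closes it, because the receiver then records dmarc=fail, which is explicit.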
One honest boundary worth stating, because the whole point is trustworthiness: a sender's reputation — what an inbox has seen of a domain's history — is not proof of identity, and a careful product never treats it as such. Reputation keys on the From domain, which is exactly the thing a forger controls. Authentication answers “is it really them”; history only answers “should I care”. A green “trusted sender” badge handed out on reputation alone is worse than useless on a spoofed message. Folio shows positive history only on mail that has already passed authentication, and words it as how recipients behave, never as a guarantee.
If it's your own domain being forged
When the address being spoofed is one you own (your business sending “to” itself, or customers reporting mail they didn't get), the durable fix is to publish and tighten your own DMARC policy so other inboxes reject the forgeries too. You can check where a domain stands right now with a free domain health check and build a correct sender record with the SPF record generator. Inside Folio, the Deliverability dashboard shows the DMARC reports other providers file about your domain: per-domain pass rates and the IPs sending as you and failing. Once a clean window proves your own mail passes, move the policy up the ladder from p=none toward p=reject.
Frequently asked
I got an email from my own email address — was I hacked?
Almost certainly not. The From line is editable text; anyone can write your address into it without any access to your account. Confirm you're fine by checking your provider's recent sign-in activity for unfamiliar logins and your Sent folder for messages you didn't write. If both are clean, it's forgery, not a breach. Changing your password and enabling two-factor authentication closes the only door that matters either way.
How can someone send an email that looks like it's from me?
The email protocol never required the From address to be truthful, so a sender can put any address there. Modern checks — SPF, DKIM, and DMARC — exist to catch this, but they only help if the receiving inbox actually enforces them. A spoofed message fails SPF and DKIM for the domain it claims; whether you see it depends entirely on what your provider does with that failure.
How do I check whether my email account was actually compromised?
Look at the three things that require real access: recent sign-in activity (any device or location you don't recognize), your Sent folder (an intruder sending as you would leave traces there), and your security settings (unexpected forwarding rules or recovery addresses). If those are clean, a scary From line is just forgery. If anything looks wrong, change your password and turn on two-factor authentication immediately.
Why does my spam filter let these through?
Most inboxes fail open: a message that fails authentication is delivered anyway, with at most a warning, because the filter is tuned to avoid blocking legitimate senders by mistake. The verdict is effectively delegated to the policy the forged domain publishes — and if that domain stays silent, the forgery is given the benefit of the doubt. An inbox that files unverifiable mail to Spam on arrival doesn't have that gap.
Someone is spoofing my domain — how do I stop it?
Publish authentication records for your domain and tighten the DMARC policy so other inboxes reject forgeries on your behalf. Practically: confirm SPF lists every server that legitimately sends for you and ends in -all or ~all (never +all, which authorizes everyone), turn on DKIM signing, set DMARC to p=none first to collect reports, watch who's sending as you, and once legitimate mail passes cleanly, move the policy to p=quarantine and then p=reject. A domain health check and an SPF generator make the first steps quick; DMARC reporting tells you when it's safe to tighten.
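The "watch who's sending as you, then tighten" step, for this answer and for the "If it's your own domain being forged" section above, as an added example that is not Folio's code: it reads one DMARC aggregate (rua) report, splits the traffic into senders you know and senders you don't, and says whether the policy can move up the ladder. The report XML is constructed in the RFC 7489 Appendix C shape; the IPs and counts are made up, and the list of known senders is something you supply.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report (one day, one receiver); not a real rua file.
REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>80</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

NEXT_STEP = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}


def summarise_report(xml_text, known_senders):
    """Per-source pass/fail counts, split by whether the source IP is one you operate.
    `known_senders` is a list of IPs or CIDR ranges you consider legitimate."""
    root = ET.fromstring(xml_text)
    nets = [ipaddress.ip_network(n, strict=False) for n in known_senders]
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "known_total": 0, "known_fail": 0, "unknown_pass": 0, "unknown_fail": 0,
        "sources": [],
    }
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the DMARC-aligned results, so one aligned pass is enough
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        known = any(ipaddress.ip_address(ip) in n for n in nets)
        summary["sources"].append({"ip": ip, "count": count, "passed": passed, "known": known})
        if known:
            summary["known_total"] += count
            if not passed:
                summary["known_fail"] += count
        elif passed:
            summary["unknown_pass"] += count
        else:
            summary["unknown_fail"] += count
    return summary


def recommend(summary):
    """Move up the ladder only when every known sender passes and no unexplained source passes."""
    p = summary["policy"]
    if summary["known_fail"]:
        return f"hold at p={p}: {summary['known_fail']} messages from your own senders failed; fix their SPF/DKIM first"
    if summary["unknown_pass"]:
        return (f"hold at p={p}: {summary['unknown_pass']} messages passed from sources you have not listed; "
                "identify them (a forgotten SaaS tool?) before tightening")
    nxt = NEXT_STEP[p]
    if nxt == p:
        return "already at p=reject; keep reading reports"
    return f"move p={p} to p={nxt}: all known senders pass and {summary['unknown_fail']} forged messages would then be {nxt}d"


if __name__ == "__main__":
    s = summarise_report(REPORT, ["198.51.100.0/24", "203.0.113.10"])
    for src in s["sources"]:
        print(src)
    print(recommend(s))
```

Note the bulk host at 203.0.113.10: its SPF fails (it is not in the SPF record) but its DKIM signature aligns, so DMARC still passes and it does not block the move. Drop it from the known list and the same report turns into a "hold" verdict, because 80 passing messages from an unexplained source is exactly the thing to chase down before p=reject.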
Does a “trusted sender” badge mean an email is genuine?
No — and treat any product that implies otherwise with suspicion. A sender's reputation is only what an inbox has seen of a domain's sending history, and that history keys on the From domain, which is the very thing a forger controls. Only authentication verifies that a message is really from the domain it claims: DKIM with a cryptographic signature, SPF by checking the sending server against the domain's published list, and DMARC by requiring one of those to align with the visible From domain. Reputation answers whether a sender is worth your attention; it never answers whether a message is authentic.