How to stop spam emails from your own address (Gmail, Outlook, iCloud)

One-paragraph answer. There are two ways to stop spam that appears to come from your own address, and they are not equal. The quick one is a filter inside your current inbox that sends any message claiming to be from you straight to spam or trash — useful as a stopgap, but a band-aid over a forged label. The real one is to read mail in an inbox that refuses to deliver messages which can’t prove who sent them, so the forgery never reaches you in the first place. Below are the exact filter steps for Gmail, Outlook, and iCloud, why those filters only treat the symptom, and what actually closes the gap.

The quick stopgap: a filter in your current inbox

Every major provider lets you write a rule that catches mail where the From address is your own. It takes a minute and it stops the specific forgery you’re seeing today. Set it up, then read the next section so you understand what it does and doesn’t fix.

Gmail

• Open Settings → See all settings → Filters and Blocked Addresses, then Create a new filter.
• In the From field, type your own email address. Click Create filter.
• Choose Skip the Inbox (Archive it) and Mark as read, or Delete it if you never legitimately email yourself. Save.

Outlook.com

• Go to Settings → Mail → Rules → Add new rule.
• Condition: From → your own address. Action: Move to — Junk Email (or Delete). Save.

iCloud Mail

• On icloud.com → Mail, open Settings (gear) → Rules → Add a Rule.
• If a message is from your own address, Move to Trash. Save.

One caution before you reach for “delete forever”: if you ever send yourself notes, reminders, or scans, route the rule to a folder or to Spam rather than Trash, so a real message you wrote doesn’t vanish silently.

Why the filter is only a band-aid

The filter works on exactly the thing the forger controls: the From line, which is editable text. That has three consequences worth understanding before you trust it:

• It catches one disguise, not the trick. The same sender can spoof a colleague, a bank, or a near-miss of your address (a swapped letter, a look-alike domain) and your “from myself” rule won’t fire. You’d be hand-maintaining blocklists forever, one forgery at a time.
• The message was still delivered. A rule that moves mail to Spam runs after your provider already accepted and scored the message. The forgery got in the door; you’re just sweeping it to a different room.
• It can hide a real problem. On the rare occasion the mail truly came from your account — an actual compromise — auto-deleting it removes the very evidence you’d want. Rule out a breach first (we cover how in the companion guide) before you automate anything away.

The filter treats a symptom. The cause is that most inboxes fail open: a message that fails authentication is let through anyway, with at most a small warning, because the filter is tuned not to annoy legitimate senders. Spoofed mail reaches you because nothing refused it.

The real fix: an inbox that won’t deliver unauthenticated mail

Three checks already exist to prove who really sent a message, and one sentence each is the whole story:

• SPF asks whether the sending server is on the list the domain authorized. A forger’s server isn’t.
• DKIM asks whether the message carries an unbroken cryptographic signature from the domain it claims. A forger can’t produce one.
• DMARC ties those to the visible From address and tells the receiver what to do when they don’t line up.

A message forged to look like it’s from your own address fails SPF and DKIM for your domain. The only question is whether your inbox acts on that. Folio runs all three on every incoming letter and files mail that fails authentication straight to Spam on arrival, before it’s ever scored on content. The forgery can’t pass your domain’s checks, so you never see it in your inbox — and the line holds even when the forged domain publishes no policy at all, which is exactly the gap a forger relies on.

Two deliberate safeguards keep that from eating real mail. Authentication that’s merely missing or temporarily unreachable fails open, so an honest-but-misconfigured sender isn’t punished. And anything flagged is explained in plain English and recoverable from Spam, never silently deleted — open the letter and you’ll see which checks failed and what that means. That’s the difference between a rule you maintain by hand and an inbox that does the verifying for you.

If it’s your own domain being forged

If the address being spoofed is one you own — your business appearing to email itself, or customers reporting mail they didn’t send — a receiving-side filter can’t fix it for everyone, because the forgeries land in other people’s inboxes. The durable fix is to publish and tighten your own DMARC policy so every inbox rejects the forgeries on your behalf. Check where your domain stands right now with a free domain health check, build a correct sender record with the SPF record generator, and move your policy up the ladder from p=none toward p=reject once a clean window proves it’s safe.

Frequently asked

How do I stop emails from my own address in Gmail?

Create a filter: Settings → Filters and Blocked Addresses → Create a new filter, put your own address in the From field, and choose Archive, Mark as read, or Delete. It stops the messages you’re seeing now, but because it acts on the editable From line it won’t catch other spoofed senders. The durable fix is an inbox that refuses mail failing SPF, DKIM, and DMARC on arrival.

Will a filter stop all spoofed email?

No. A “from myself” rule catches one disguise. The same forger can spoof a colleague, a vendor, or a look-alike of your address, and the rule won’t fire. Filters key on the From line — the one thing the sender forges — so they treat the symptom. Only authentication enforcement on incoming mail addresses the cause.

Is it safe to auto-delete emails from my own address?

Mostly, but route them to Spam or a folder rather than permanent Trash if you ever email yourself notes or scans, and rule out an actual account compromise first. A self-spoof you only see in Inbox or Spam — never in Sent — was injected from outside; if suspicious messages appear in your Sent folder, that’s a sign of real access, and deleting them would erase the evidence.

Why do I keep getting spoofed emails even after blocking the sender?

Because there is no real sender to block — the From address is forged, and blocking it only adds one editable string to a list. The forger rotates addresses faster than you can add rules. Mail keeps arriving because your provider delivered it despite failed authentication. An inbox that files unauthenticated mail to Spam on arrival removes the supply, not just one address.

What actually prevents email spoofing?

On the receiving side: an inbox that enforces SPF, DKIM, and DMARC and refuses to deliver mail that fails them, so forgeries never reach you. On the sending side, for a domain you own: publishing SPF and DKIM and tightening DMARC to p=reject so other inboxes refuse forgeries of your address. The two work together — one protects what you read, the other protects your name in everyone else’s inbox.