Once in a while a question like this will end up in my inbox,
“I just received a ton of bounced emails that aren’t written by me. The email address is mine, but honestly, I did not send them. Has my email/website I been hacked?”
While hacking is always a possibility and I do not want to discount that at all, the reason is probably not that but rather email hijacking. You see, it is easy to change the “From” address. All you need to do is change it in your email program. Instead of your name and email address, you can change it to just about any email address. That’s what they are doing. They aren’t sending emails via your account or your server. Just using your email address as the “From” address. Because bounces go back to the “From” address, that’s why you are receiving them.
For a long time, there is really little you can do about this. I can send an email pretending to be you and vice versa any time. But if your web host supports DomainKeys Identified Mail (DKIM), you might want to have it turned on. What it does is only allow email to be sent from specified domain. This way, a hijacker who always sends emails from his own or any spoofed/fake domain, is prevented from sending any mail. The thing you need to watch when turning this on is to make sure that any other domain you may be sending email from is in this ‘whitelist’ or your own emails won’t go out either.
