
Why Your Business Keeps Getting Spam (And How to Stop It)

You check your inbox and there are 47 new emails. 38 of them are junk. Sound familiar?

Spam isn't just annoying — it's a security risk. Phishing emails hide in the noise, and one bad click can compromise your entire business. Here's how to fight back.

Why You're Getting So Much Spam

Your email is on public lists

If your email appears on your website, social media profiles, or business directories, bots have already scraped it. This is the #1 source of spam for small businesses.

You've been in a data breach

Check Have I Been Pwned — enter your email and see if it's been exposed. If it has, your address is on lists being sold to spammers.

You signed up for something

That "free whitepaper" or trade show registration? They sold your email to a marketing list.

Someone is spoofing your domain

If people are reporting spam "from" your email address, attackers may be spoofing your domain. This is fixable (see below).

How to Fix It

Level 1: Quick Wins (5 minutes)

Unsubscribe from legitimate marketing emails: Don't just delete them — scroll to the bottom and unsubscribe. This reduces the volume of "gray mail" that clutters your inbox.

Use your email provider's "Report Spam" button: This trains the spam filter. The more you report, the smarter it gets. Never just delete spam — always report it.

Create email rules: Set up rules to auto-delete or auto-archive emails with common spam keywords. In Outlook: Rules → New Rule → apply conditions.

Level 2: Server-Side Protection (15 minutes)

Set up SPF, DKIM, and DMARC records: These three DNS records tell email servers that only authorized senders can use your domain. Without them, anyone can send emails pretending to be you.

  • SPF (Sender Policy Framework): Lists which servers are allowed to send email for your domain
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do with emails that fail SPF/DKIM checks

If you use Microsoft 365, here's what to add to your DNS:

SPF Record: `v=spf1 include:spf.protection.outlook.com -all`

DKIM: Enable in Microsoft 365 Admin → Settings → Domains → select domain → DKIM

DMARC Record: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com`

Level 3: Advanced Protection

Use an email security gateway: Services like Barracuda, Proofpoint, or even Microsoft Defender for Office 365 (included with Business Premium) add an extra layer of filtering before emails reach your inbox.

Set up a catch-all rejection: If you're using a custom domain, make sure emails to non-existent addresses (randomname@yourbusiness.com) bounce instead of being delivered. This stops dictionary attacks, where spammers guess addresses at your domain, from reaching a mailbox.

Use email aliases for different purposes:

  • info@ for your website
  • billing@ for invoices
  • a unique address for each service you sign up for

This way, if one alias starts getting spam, you know exactly which source leaked it and can shut it down.

The Nuclear Option

If your email is hopelessly compromised:

  1. Create a new email address on your domain
  2. Notify your important contacts
  3. Set up forwarding from the old address with aggressive spam filtering
  4. Gradually phase out the old address over 3-6 months

How AI IT Guy Helps

We set up SPF, DKIM, and DMARC correctly on day one. We configure your spam filters, monitor for spoofing, and help you clean up an inbox that's gotten out of control.
