What should I do if I receive a suspicious email?

First and foremost, if you don't recognize the sender of a DocuSign envelope and you are uncertain of the authenticity of an email, look for the unique security code at the bottom of the notification email. All DocuSign envelopes include a unique security code. See the example below:
Illustration of DocuSign notification email

If there is a security code...

  • Access your documents directly from www.docusign.com: click Access Documents, then enter the unique security code.


If there is NO security code...

  • DO NOT click on links or open attachments within the email. This is not a valid DocuSign email. Send it to our security team immediately at spam@docusign.com, then delete the email.


IMPORTANT: If you did click on a link and provided your DocuSign credentials, please be sure to change your password immediately to ensure the security of your account.


To further increase your security, we recommend that your organization implement the following security measures:

  1. To flag and quarantine malicious spam on mail servers, enable both Sender Policy Framework (SPF) lookup functionality and Domain-based Message Authentication, Reporting & Conformance (DMARC). The combination of these technologies helps protect against malware spam attacks. Learn more about SPF at http://www.open-spf.org/, and DMARC at https://dmarc.org/.
  2. Establish a well-managed email security gateway, either via a third party, by upgrading protections within a mail service (e.g. Exchange Advanced Threat Protection (ATP)), or by ensuring available functionality is enabled and well-managed (e.g. checking for a rule that might apply to mail and bypass basic Exchange protection).
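
As an illustration of measure 1, the following added example (not DocuSign code) shows how a mail filter could turn the SPF and DMARC verdicts recorded in the Authentication-Results header into a deliver, flag or quarantine decision. The gateway name mx.example.net, the triage policy and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id your own gateway stamps
RESULT_RE = re.compile(r"\b(spf|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(raw_message):
    """Return SPF/DMARC verdicts from Authentication-Results headers we trust."""
    results = {}
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, verdicts = str(header).partition(";")
        # A sender can add this header too; only our gateway's id is believed.
        if authserv_id.split()[:1] != [TRUSTED_AUTHSERV]:
            continue
        for method, result in RESULT_RE.findall(verdicts):
            results.setdefault(method.lower(), result.lower())
    return results

def triage(raw_message):
    """Map the verdicts to 'deliver', 'flag' or 'quarantine' (assumed policy)."""
    r = auth_results(raw_message)
    if r.get("dmarc") == "fail":
        return "quarantine"
    if r.get("dmarc") == "pass":
        return "deliver"
    # No DMARC verdict: flag on SPF failure or when nothing was stamped at all.
    if not r or r.get("spf") in ("fail", "softfail"):
        return "flag"
    return "deliver"

# Constructed sample messages (not real traffic).
BODY = "From: DocuSign <sender@docusign.com>\nSubject: Please review\n\nbody\n"
GENUINE = "Authentication-Results: mx.example.net; spf=pass; dmarc=pass\n" + BODY
SPOOFED = ("Authentication-Results: other.example; spf=pass; dmarc=pass\n"
           "Authentication-Results: mx.example.net; spf=fail; dmarc=fail\n" + BODY)
UNSTAMPED = BODY

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED),
                      ("unstamped", UNSTAMPED)]:
        print(name, auth_results(raw), triage(raw))
```

The second sample carries an extra header that was not stamped by the trusted gateway; it is ignored, so the gateway's own failing verdict decides the outcome.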


Please check out the DocuSign Trust Center for the most up-to-date information and review our technical paper on phishing.