[jeroenhd]

Something to consider if you haven't yet: have you checked that your website hasn't been compromised? I've seen something similar happen to a domain that got their WordPress hacked and was used to host malware.

I think it's also possible a large amount of people on Outlook (or LinkedIn?) lost interest and clicked "report spam" because it's quicker and more effective than unsubscribing from most automated messaging.

Edit: another thing I caught O365 doing was rewriting the headers in my email (it didn't like the way my From:-address was structured by my server) and then checked the DKIM headers. Obviously the email they altered themselves didn't pass the DKIM signature check. Worked around it by altering my email client to set the From address in a way that Outlook liked.

[joaopbnogueira]

We thought about it but: - this a statically generated site (SSG using Next.js), so there's backend runtime for the FE itself. - we do have a contact form, but under the hood it sends an email to our own inbox through internal APIs and the destination email is hard-coded, so I don't think they could hijack this (will check the audit log just in case). - it's hosted using Cloudflare pages - the worker/api part is severely rate limited - we would notice abuse since we have low monthly email sending limits on this api service