
AI Anomaly Detection

AI Anomaly Detection continuously monitors your DMARC data for unusual patterns that may indicate spoofing attacks, configuration issues, or other security events. By establishing a baseline of normal email sending behavior for your domain, the system can identify deviations and generate alerts when something unexpected occurs.

Pro+ Feature

AI Anomaly Detection is available on Pro, Business, and Enterprise plans. The system begins learning your domain's baseline patterns as soon as DMARC data starts flowing into SpoofWard. Allow at least 7 days of data collection for accurate anomaly detection.

How It Works

The AI engine analyzes your incoming DMARC aggregate reports and builds a model of your domain's normal email behavior. This model includes expected sending volumes, known sending sources, typical authentication pass rates, and geographic distribution patterns. When new data deviates significantly from this baseline, an anomaly is detected and an alert is generated.

The detection process runs automatically in the background each time new DMARC data is received. No manual configuration is required to activate anomaly detection — it starts working as soon as sufficient historical data is available.

Types of Anomalies Detected

The system monitors for four primary categories of anomalies:

Volume Spikes

A sudden and significant increase in the number of messages sent from your domain. Volume spikes may indicate that an attacker is running a large-scale spoofing campaign using your domain, or that a compromised account is being used to send spam. The system compares current volume against your historical average and flags deviations that exceed the expected range.

New Unauthorized Sources

The appearance of a previously unseen sending source in your DMARC data. While new sources can sometimes be legitimate (a new marketing tool, for example), they can also indicate unauthorized use of your domain. The system flags any source that has not been seen before so you can verify whether it is expected.

Authentication Rate Drops

A significant decline in your SPF or DKIM pass rate. If your DMARC compliance rate drops suddenly, it could mean that a legitimate sender has misconfigured their authentication, that your DNS records have been changed or corrupted, or that attackers are sending unauthenticated email using your domain. Even small drops in pass rates can signal problems that need investigation.

Geographic Anomalies

Email sending activity detected from a country or region where your domain has not previously sent email. Geographic anomalies are a strong indicator of spoofing, as attackers often operate from different regions than your legitimate infrastructure. The system uses the Geolocation Analytics baseline to identify unexpected geographic origins.

Anomaly Alerts

When an anomaly is detected, SpoofWard generates an alert containing the following information:

  • Anomaly type — The category of anomaly detected (volume spike, new source, auth rate drop, or geographic)
  • Severity level — Rated as Low, Medium, High, or Critical based on the magnitude of the deviation and its potential impact
  • Description — A human-readable summary of what was detected and why it is unusual
  • Affected domain — The domain where the anomaly was observed
  • Time window — The period during which the anomalous activity occurred
  • Supporting data — Relevant metrics such as message counts, IP addresses, countries, and pass/fail rates that support the finding

Alerts are delivered through your configured Alert Channels, including email, Slack, Microsoft Teams, and webhooks. You can customize which anomaly types and severity levels trigger notifications in Alert Rules.

False Positives

Not every anomaly is a threat. Legitimate events such as launching a new email campaign, onboarding a new email service provider, or seasonal sending volume changes can trigger anomaly alerts. Always investigate the alert context before taking action. Over time, as you acknowledge false positives, the system refines its baseline model.

Investigating Anomalies

When you receive an anomaly alert, follow these steps to investigate:

  • Review the alert details — Check the anomaly type, severity, and supporting data to understand what was detected
  • Cross-reference with known changes — Determine if any legitimate changes (new sender, DNS updates, marketing campaign) could explain the anomaly
  • Check the source — Use Email Source Discovery to identify the sending source and verify whether it is authorized
  • Review geolocation data — For geographic anomalies, use the Geolocation Analytics map to see where the activity originated
  • Take action — If the anomaly is confirmed as malicious, add the source to your Block Rules and consider tightening your DMARC policy to p=reject

Baseline Learning Period

The AI engine requires a minimum of 7 days of DMARC data to establish a reliable baseline. During this initial learning period, anomaly detection may not trigger alerts or may produce less accurate results. After 30 days of data collection, the baseline becomes robust and the system operates at full accuracy.
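To make the four anomaly categories and the 7-day minimum concrete, here is a small added example (not SpoofWard's engine, whose model and thresholds are not published) that builds a baseline from constructed, already-parsed aggregate-report rows and flags a spoofing day. The 3-standard-deviation volume rule, the pass-rate drop thresholds, the severity mapping, and the sample IPs and "XX" country code are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_BASELINE_DAYS = 7  # the page's minimum learning period

# Row = one parsed aggregate-report <record> (constructed): (day, source_ip, country, count, dmarc_pass)
def build_baseline(rows):
    """Summarise >= 7 days of rows into the 'normal' model the page describes."""
    daily, ips, countries = defaultdict(int), set(), set()
    passed = total = 0
    for day, ip, country, count, ok in rows:
        daily[day] += count
        ips.add(ip)
        countries.add(country)
        total += count
        passed += count if ok else 0
    if len(daily) < MIN_BASELINE_DAYS:
        raise ValueError(f"need {MIN_BASELINE_DAYS} days, have {len(daily)}")
    vols = list(daily.values())
    return {"mean": mean(vols), "sd": pstdev(vols), "ips": ips,
            "countries": countries, "pass_rate": passed / total}

def detect(baseline, rows):
    """Check one new day of rows against the baseline; return (type, severity, data)."""
    alerts = []
    total = sum(r[3] for r in rows)
    passed = sum(r[3] for r in rows if r[4])
    z = (total - baseline["mean"]) / (baseline["sd"] or 1.0)
    if z > 3:  # volume spike: more than 3 sd above the daily average (assumed rule)
        alerts.append(("volume_spike", "critical" if z > 10 else "high",
                       {"count": total, "z": round(z, 1)}))
    for ip in {r[1] for r in rows} - baseline["ips"]:  # never-seen sending source
        alerts.append(("new_source", "medium", {"ip": ip}))
    for cc in {r[2] for r in rows} - baseline["countries"]:  # new geography
        alerts.append(("geographic", "high", {"country": cc}))
    drop = baseline["pass_rate"] - passed / total
    if drop > 0.05:  # authentication pass rate fell noticeably (assumed thresholds)
        alerts.append(("auth_rate_drop", "high" if drop > 0.2 else "medium",
                       {"pass_rate": round(passed / total, 3)}))
    return alerts

# Constructed sample: 7 quiet days from one known relay, then a spoofing day.
BASELINE_ROWS = [(d, "203.0.113.10", "US", n, True)
                 for d, n in enumerate([900, 1000, 1100, 1000, 950, 1050, 1000])]
SPOOF_DAY = [(7, "203.0.113.10", "US", 1000, True),
             (7, "198.51.100.7", "XX", 5000, False)]  # XX: placeholder country

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_ROWS), SPOOF_DAY):
        print(alert)
```

The spoofing day trips all four categories at once, which is the pattern the page describes; a normal day from the known relay produces no alerts.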

Tip

AI Anomaly Detection works best when combined with AI Source Classification. When an anomaly flags a new source, the classification engine can immediately tell you what type of sender it appears to be, speeding up your investigation.
