AI Source Classification

AI Source Classification uses machine learning to automatically categorize email sending sources detected in your DMARC aggregate reports. Instead of manually reviewing each IP address and organization to determine what service it belongs to, SpoofWard's AI engine identifies and labels sources for you, saving significant time during source discovery and DMARC enforcement.

How It Works

When SpoofWard processes your DMARC aggregate reports, the AI engine analyzes each sending source using multiple signals:

• IP address and range — Matches IP addresses against known infrastructure of major email service providers, marketing platforms, and transactional senders
• Reverse DNS (PTR) records — Analyzes the hostname associated with the sending IP for service identification clues
• Organization name from WHOIS — Uses the registered organization to identify the entity operating the IP
• Sending patterns — Examines volume, frequency, and authentication pass/fail ratios to infer the type of traffic
• Historical classification data — Leverages classifications from other SpoofWard users (anonymized) to improve accuracy for well-known services

Classification Categories

Each detected source is assigned to one of the following categories:

• Marketing — Email marketing platforms and bulk senders such as Mailchimp, HubSpot, SendGrid (marketing), Campaign Monitor, and similar services used for newsletters and promotional campaigns
• Transactional — Services that send automated, one-to-one emails such as order confirmations, password resets, invoices, and notifications. Common examples include SendGrid (transactional), Amazon SES, Postmark, and Mandrill
• Internal — Your organization's own mail servers, including on-premises Exchange or Google Workspace / Microsoft 365 infrastructure sending directly
• Unknown — The source could not be confidently classified. This may indicate a lesser-known service, a self-hosted mail server, or insufficient data to make a determination
• Suspicious — The source exhibits characteristics commonly associated with unauthorized sending or spoofing, such as failing authentication consistently, originating from residential IP ranges, or using infrastructure not associated with any known email service

Viewing Classifications

Source classifications appear throughout SpoofWard wherever sending sources are displayed:

• Email Source Discovery — The Source Discovery page shows each source with its AI-assigned category badge, making it easy to sort and filter by type
• Aggregate Reports — When drilling into Aggregate Report data, each sending source row includes its classification
• DMARC Dashboard — The DMARC Dashboard uses classifications to group traffic by source type, giving you a high-level view of your email ecosystem

Overriding Classifications

If the AI assigns an incorrect category to a source, you can override the classification manually. Click on any source to open its detail panel, then select the correct category from the dropdown. Manual overrides take precedence over AI classifications and persist across future report processing.

Using Classifications for DMARC Enforcement

AI Source Classification directly supports your path to DMARC enforcement. By categorizing sources automatically, you can:

• Prioritize authorization — Focus on configuring SPF and DKIM for Marketing and Transactional sources first, as these represent legitimate email that should not be disrupted
• Investigate unknowns — Sources classified as Unknown need manual review to determine if they are authorized senders that should be added to your SPF record
• Act on suspicious sources — Sources flagged as Suspicious should be investigated immediately. If confirmed as unauthorized, you can block them via Allow/Block Rules and tighten your DMARC policy
• Track progress — Monitor how many sources in each category have been authorized. When all Marketing, Transactional, and Internal sources pass authentication, you are ready to move to p=reject