Email Source Discovery

One of SpoofWard's most powerful features is automatic discovery of all email senders using your domain. This guide explains how email source discovery works and how to use it to improve your security posture.

How Email Source Discovery Works

Analyzing DMARC Reports

When email is sent from your domain:

  1. The receiving mail server (Gmail, Outlook, Yahoo, etc.) checks authentication
  2. It records the result in a DMARC report
  3. The report includes the sender IP address and organization
  4. That report is sent to [email protected]

SpoofWard processes these reports and identifies:

  • IP Address - Source IP of the email
  • Organization - Who owns/operates that IP (via reverse DNS and threat intelligence)
  • Mail Service - Identified email service (SendGrid, Mailchimp, Office 365, etc.)
  • Volume - How many messages came from this source
  • Authentication Status - Did it pass SPF/DKIM/DMARC?
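The per-source rollup described above can be reproduced from a raw aggregate report. This is an added example, not SpoofWard's code: the report is a constructed sample in the RFC 7489 aggregate layout, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 layout); IPs are documentation ranges.
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><report_metadata><org_name>receiver.example</org_name>"
                 "</report_metadata><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + _rec("203.0.113.5", 120, "pass", "pass")
                 + _rec("203.0.113.5", 3, "fail", "pass")
                 + _rec("198.51.100.77", 41, "fail", "fail")
                 + "</feedback>")

def summarize_sources(report_xml):
    """Return {source_ip: {"messages", "dmarc_pass", "dmarc_fail"}} for one report."""
    # Reports come from third parties: refuse DTDs (entity-expansion vector) up front.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in reports")
    sources = defaultdict(lambda: {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources[row.findtext("source_ip")]
        entry["messages"] += count
        entry["dmarc_pass" if ok else "dmarc_fail"] += count
    return dict(sources)

def failing_sources(sources):
    """Source IPs where no message passed DMARC: the ones to investigate first."""
    return sorted(ip for ip, s in sources.items() if s["dmarc_pass"] == 0)

if __name__ == "__main__":
    table = summarize_sources(SAMPLE_REPORT)
    for ip, stats in table.items():
        print(ip, stats)
    print("investigate:", failing_sources(table))
```

Real reports usually arrive gzip- or zip-compressed as email attachments, so decompress them before parsing.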

Automatic Identification

SpoofWard's database includes millions of mail service IPs. It automatically matches discovered IPs against known services:

  • Marketing Platforms - Mailchimp, HubSpot, Constant Contact, Campaign Monitor, etc.
  • Transactional Email - SendGrid, Twilio, Amazon SES, Postmark, etc.
  • Cloud Email - Office 365, Google Workspace, Zoho Mail, etc.
  • Helpdesk/Ticketing - Zendesk, Jira Service Management, Freshdesk, etc.
  • CRM Systems - Salesforce, HubSpot, Pipedrive, etc.
  • Internal Servers - Your company's mail servers and backup services

Accessing Email Sources

Navigate to DMARC > Email Sources (or Vendors in your dashboard). You'll see a table of all discovered senders:

  • Sender/Service - Identified service name
  • Messages - Total volume sent (7 days, 30 days, all time)
  • IP Addresses - Source IPs associated with this sender
  • SPF/DKIM - Authentication alignment status
  • Status - Authorized, Unknown, or Blocked
  • Actions - Manage this sender

Managing Senders

Mark as Authorized

Click a sender and select Authorize:

  • Removes it from the "investigate" list
  • Updates your mental model of legitimate senders
  • Helps SpoofWard provide better recommendations
  • Does NOT affect email policy (marking a sender as authorized does not make its mail SPF- or DKIM-aligned)

Authorized senders are marked with a green checkmark.

Block Senders

Click Block to add a sender to your blocklist:

  • Flagged as unauthenticated/suspicious
  • Recommendations suggest blocking their email
  • You can still allow them later if needed
  • Helps prevent spoofing attempts

Blocked senders are marked in red.

Investigate Further

Click Investigate to see detailed information:

  • IP Address - With reverse DNS
  • Organization - Company owning the IP
  • Threat Intelligence - Flags from security feeds
  • Volume Trend - Is volume increasing? Decreasing?
  • Geographic Origin - Where are they sending from?
  • Email Authentication - Do they support SPF/DKIM?
  • Service Website - Link to their main website
  • Your History - Previous actions you took on this sender

Add Notes

Add internal notes to senders (visible only to your team):

  • "This is our backup email service"
  • "From marketing campaign in Q4"
  • "Recently added for HR notifications"
  • "Should be removed by end of month"

Common Scenarios

Unknown Service Appears

A new sender in your DMARC reports:

  1. Click the sender name
  2. Check if you recognize it (search your organization)
  3. Look up the organization - is it familiar?
  4. Check threat intelligence - is it flagged as malicious?
  5. If legitimate - mark as Authorized
  6. If unsure - Investigate further or ask colleagues
  7. If malicious - Block it

Authorized Service Sending Without SPF/DKIM

Example: A CRM you use is authorized but emails are flagged as unauthenticated.

Solution:

  1. Contact the service provider for SPF/DKIM setup
  2. Add their IPs to your SPF record: include:crm-provider.com
  3. Request they send with DKIM signing enabled
  4. Re-check DNS health after updates

Service No Longer in Use

An old email service appears in historical reports:

  1. Verify it's no longer active (no recent messages)
  2. Check with team members who might use it
  3. If confirmed inactive - Block it or add note "Inactive"
  4. Remove its configuration from SPF record (to reduce SPF lookup count)

Internal Server Not Being Discovered

Your company's own mail server isn't showing up. This usually means:

  • No one has sent email FROM your domain through it yet
  • The server isn't configured to use your domain in the From header
  • Emails are being forwarded/relayed through another service
  • The server is configured correctly but just hasn't sent in the reporting period

To ensure it's discovered:

  1. Send yourself a test email from that server
  2. Wait 24 hours for reports to arrive
  3. The server will appear in your sender list
  4. Mark it as Authorized

Using Discovery for SPF Configuration

Email source discovery guides your SPF record configuration.

Building Your SPF Record

  1. Review discovered senders in SpoofWard
  2. Mark legitimate ones as Authorized
  3. Use the SPF Builder tool
  4. For each authorized sender, add to SPF:
     • Known service? Use their include: include:sendgrid.net
     • Custom IP? Add as ip4:192.0.2.1
  5. End with ~all (soft fail) or -all (hard fail)

Example:


v=spf1 include:sendgrid.net include:_spf.google.com include:mailchimp.com ip4:203.0.113.5 ~all

SPF Best Practice

Aim for 8 or fewer DNS lookups. Start with service includes, then add direct IPs for custom senders. Remove old/unused services.
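To check a record against that budget, count every DNS-querying term, including those nested inside each include (RFC 7208 caps evaluation at 10). This is an added example, not part of SpoofWard: the TXT records are constructed stand-ins for DNS, and the domain names and record contents are hypothetical.

```python
# Constructed TXT records standing in for DNS answers; the nested contents are
# hypothetical and do not reflect any real provider's SPF record.
TXT = {
    "example.com": "v=spf1 include:mail-a.example include:mail-b.example mx ip4:203.0.113.5 ~all",
    "mail-a.example": "v=spf1 include:pool1.mail-a.example include:pool2.mail-a.example ~all",
    "pool1.mail-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "pool2.mail-a.example": "v=spf1 ip4:192.0.2.0/24 a:out.mail-a.example ~all",
    "mail-b.example": "v=spf1 ip4:203.0.113.128/25 -all",
}

# Mechanisms that cost a DNS query (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def count_lookups(domain, txt=TXT, path=frozenset()):
    """Count DNS-querying terms in domain's SPF record, following includes."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    path = path | {domain}
    total = 0
    for term in txt.get(domain, "v=spf1").split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], txt, path)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()   # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":           # nested terms count against the same budget
                total += count_lookups(arg, txt, path)
    return total

def within_budget(domain, txt=TXT, budget=8):
    """Apply the page's target of 8 or fewer lookups."""
    return count_lookups(domain, txt) <= budget

if __name__ == "__main__":
    print("lookups:", count_lookups("example.com"))
    # Dropping an unused service (mail-a.example here) removes its nested lookups too.
    trimmed = dict(TXT, **{"example.com": "v=spf1 include:mail-b.example mx ip4:203.0.113.5 ~all"})
    print("after cleanup:", count_lookups("example.com", trimmed))
```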

Threat Detection

SpoofWard flags suspicious senders:

  • Flagged IPs - On security blacklists (Spamhaus, etc.)
  • Spoofing Attempts - Email claiming to be from your domain but from unauthorized sources
  • Geographic Anomalies - Emails from unexpected countries
  • Volume Spikes - Sudden increase from a sender

Investigating Threats

When SpoofWard detects suspicious activity:

  1. Check the Threat Summary on your domain overview
  2. Navigate to the suspicious sender
  3. Review threat intelligence data
  4. If malicious - Block and alert your security team
  5. If false positive - Authorize or note as safe

Spoofing Attempts

These are emails claiming to be from your domain but NOT coming from your authorized senders:

  • Attacker sending "[email protected]"
  • Phishing email impersonating your executives
  • Messages from unverified IPs in your domain

SpoofWard flags these because they fail DMARC alignment. Your p=none policy currently accepts them. When you move to p=quarantine or p=reject, they'll be stopped.

Rebuilding Discovery

Sometimes you need to refresh the discovery database.

When to rebuild:

  • Added many new email senders recently
  • Haven't seen a recently added service yet
  • Want to re-analyze all historical data
  • Updated DMARC reports configuration

To rebuild:

  1. Go to Email Sources
  2. Click Rebuild Discovery (top right)
  3. SpoofWard re-processes all DMARC reports
  4. Newly discovered senders appear within minutes

Processing Time

Rebuilding may take a few minutes depending on your report volume. You can continue using SpoofWard while it processes.

Advanced Features (Pro+ Plans)

Vendor Authorization Rules

Set rules to automatically authorize senders:

  • "All senders on the public cloud provider list"
  • "All senders from this company"
  • "All senders with SPF/DKIM alignment"

IP Reputation Integration

Deep integration with threat intelligence:

  • Real-time IP reputation scores
  • Historical IP analysis
  • Geolocation tracking
  • ASN information
  • Detailed threat reason codes

Forensic Report Analysis

For each sender:

  • Access to full forensic reports
  • Headers and authentication details
  • Per-message analysis
  • Authentication failure reasons

API Integration

Integrate email source discovery into your workflows.

Example use cases:

  • Automatically authorize senders from your approved vendor list
  • Block senders flagged by your security team
  • Extract sender data for CMDB/asset management
  • Trigger alerts when unauthorized senders appear

See API Tokens for integration details.

Best Practices

Review Discovery Weekly

Set a calendar reminder to check for new senders. Investigate unfamiliar ones promptly.

Mark Senders Explicitly

Don't leave senders in "Unknown" status. Explicitly authorize or block them.

Keep SPF Updated

As senders are discovered and authorized, add them to SPF immediately.

Monitor for Changes

If a known sender's IP changes, investigate why (service migration, etc.).

Document Your Decisions

Add notes to senders explaining why they're authorized or blocked.

Troubleshooting

Why isn't a sender I use appearing?

  • They haven't sent email from your domain yet (or not recently)
  • Their email didn't go through receiving servers that report DMARC
  • They're using a different domain
  • Send a test email to force report generation

Why is an internal server not discovered?

  • See "Internal Server Not Being Discovered" above
  • Check that the server is actually sending with your domain in the From header

How far back does discovery go?

  • SpoofWard maintains history for 90 days
  • Older senders may still appear in historical reports
