Features Pricing
Learn
What is DMARC? What is SPF? What is DKIM? What is BIMI?
Free Tools
DMARC Checker SPF Checker DKIM Checker BIMI Checker MTA-STS Checker Blacklist Checker Header Analyzer Domain Scanner Phishing URL Checker Email Verification BIMI Logo Converter Academy Blog Docs About Contact
Sign in Start →

DMARC Geolocation Analytics

Geolocation Analytics provides an interactive world map that visualizes where emails are being sent from on behalf of your domain. By mapping the source IP addresses found in DMARC aggregate reports to geographic locations, you can quickly identify authorized sending regions and spot unauthorized activity originating from unexpected countries.

Pro+ Feature

Geolocation Analytics is available on Pro, Business, and Enterprise plans. DMARC aggregate report data must be flowing into SpoofWard for the map to populate.

Accessing Geolocation Analytics

Navigate to DMARC → Geolocation in the sidebar. The interactive map loads automatically using data from your most recent DMARC aggregate reports. Use the date range picker to adjust the time period displayed.

The Interactive Map

The world map displays color-coded markers representing email sending activity by country. Larger and darker markers indicate higher message volumes. Click on any country or marker to drill down into the details for that region.

The map supports the following interactions:

  • Zoom and pan — Use scroll or pinch gestures to zoom in on specific regions. Click and drag to pan across the map.
  • Hover tooltips — Hover over any country to see a quick summary of total message volume, pass rate, and fail rate.
  • Click to drill down — Click on a country to view a detailed breakdown of all sending sources originating from that region.

Country Breakdown

Below the map, a table lists all countries where email sending activity has been detected. For each country, the following data is displayed:

  • Country — The name and flag of the country where the sending IP is geolocated
  • Total Messages — The number of emails sent from that country during the selected time period
  • DMARC Pass Rate — The percentage of messages that passed DMARC authentication (both SPF and DKIM aligned)
  • DMARC Fail Rate — The percentage of messages that failed DMARC authentication
  • SPF Pass / Fail — SPF-specific authentication results for messages from this region
  • DKIM Pass / Fail — DKIM-specific authentication results for messages from this region
  • Top Sources — The most active sending IP addresses or organizations in that country

Identifying Unauthorized Sending

Geolocation Analytics is one of the most effective tools for spotting unauthorized email sources. Look for these warning signs:

  • Unexpected countries — If your organization operates only in specific regions, email originating from countries where you have no presence likely indicates spoofing or unauthorized use of your domain
  • High fail rates by region — Countries showing a high DMARC failure rate are strong candidates for spoofing activity, as legitimate senders typically pass authentication
  • Volume anomalies — A sudden spike in message volume from a specific region may indicate a spoofing campaign or compromised infrastructure
  • Unknown sending sources — If the top sources in a country do not correspond to any of your known third-party senders, investigate further
CDN and Cloud Providers

Some legitimate email services route traffic through data centers in various countries. A message geolocated to an unexpected region does not automatically mean it is malicious. Cross-reference the sending IP with known cloud provider ranges and your Email Source Discovery data before taking action.

Filtering and Date Ranges

Use the controls at the top of the page to refine the data shown on the map:

  • Date range — Select a predefined range (7 days, 30 days, 90 days) or set custom start and end dates
  • Authentication status — Filter to show only passing messages, only failing messages, or both
  • Domain selector — If you manage multiple domains, switch between them to view geolocation data for each domain independently
Tip

Use Geolocation Analytics alongside the Threat Intelligence Dashboard to correlate geographic sending patterns with known threat activity. If you spot unauthorized sending from a specific region, check the Threat Dashboard for matching IP addresses and apply Allow/Block Rules as needed.

Your domain is being tested right now.
Are you watching?

Protect your brand and improve deliverability — automatically, with continuous monitoring and alerts.

Start Free — No Credit Card View Pricing →