DMARC aggregate reports: finding unknown senders
How to use DMARC aggregate reports to find forgotten SaaS tools, misaligned ESPs, and suspicious sources before moving to enforcement.
What counts as an unknown sender
An unknown sender is any source IP or provider in your DMARC reports that your team cannot confidently map to an approved system. Sometimes it is abuse. Often it is an old CRM, helpdesk, billing tool, or marketing platform that nobody documented.
Triage workflow
01. Group by source IP and provider: Sort by failed DMARC volume first, then total volume.
02. Label known senders: Mark Google Workspace, SendGrid, Mailgun, support tools, billing tools, and CRMs as approved when verified.
03. Fix misalignment: Configure custom DKIM or Return-Path alignment for legitimate senders that fail.
04. Remove stale senders: Delete SPF includes, old API keys, or abandoned integrations that still send mail.
05. Only then enforce: Move from p=none toward quarantine and reject after legitimate traffic aligns.
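The grouping and labeling steps of the workflow, as an added Python example (not WillItInbox code): it parses a constructed aggregate report in the RFC 7489 layout, groups rows by source IP, ranks them by failed DMARC volume and then total volume, and labels each source against a hypothetical `APPROVED` inventory. The sample rows, the networks, and the names `triage`, `label_for`, and `blockers` are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate layout (documentation IP ranges only).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

SAMPLE_ROWS = [("192.0.2.10", 400, "pass", "pass"), ("198.51.100.7", 90, "fail", "fail"),
               ("203.0.113.45", 35, "fail", "fail"), ("203.0.113.45", 5, "fail", "pass"),
               ("192.0.2.200", 12, "pass", "pass")]
SAMPLE_REPORT = "<feedback>" + "".join(_rec(*r) for r in SAMPLE_ROWS) + "</feedback>"

# Hypothetical sender inventory: networks your team has verified (step 02).
APPROVED = {"192.0.2.0/28": "workspace-mail", "198.51.100.0/24": "billing-tool"}

def label_for(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in APPROVED.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "UNKNOWN"

def triage(report_xml):
    """Group rows by source IP, sorted by failed DMARC volume, then total volume."""
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("unexpected DTD or entity declaration in report")
    totals = defaultdict(lambda: {"total": 0, "failed": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "").strip()
        if not ip:
            continue  # malformed row without a source address
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "").strip()
        spf = row.findtext("policy_evaluated/spf", "").strip()
        totals[ip]["total"] += count
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        if dkim != "pass" and spf != "pass":
            totals[ip]["failed"] += count
    rows = [{"ip": ip, "label": label_for(ip), **t} for ip, t in totals.items()]
    return sorted(rows, key=lambda r: (-r["failed"], -r["total"]))

def blockers(rows):
    """Sources to resolve before leaving p=none: unknown, or known but failing."""
    return [r["ip"] for r in rows if r["label"] == "UNKNOWN" or r["failed"] > 0]
```

On the sample, the approved billing tool ranks first because all of its mail fails alignment (step 03), while `192.0.2.200` passes DMARC yet still appears in `blockers` because nobody has mapped it to an approved system.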
Why WillItInbox helps
WillItInbox parses aggregate reports, normalizes rows, tracks alignment and disposition, and lets teams label sources so future reports become easier to read. Read the existing DMARC rollout guide before changing policy.