How to identify legitimate senders before tightening policy

Before changing your DMARC policy from monitoring to enforcement, you need to identify every service that legitimately sends email as your domain. Missing one means that service's emails will be quarantined or rejected.

Where to look

1. Check your DMARC reports

DMARC reports show every IP address that sent mail claiming to be from your domain. In dmarco, go to Reports and look at the sender IPs, especially unknown ones.

For each unknown sender:

  • Check the reverse DNS — does it belong to a known provider? (e.g., *.google.com, *.sendgrid.net, *.mcsv.net for Mailchimp)
  • Check the ASN — the network owner may identify the service
  • Check the volume — a sender with 1 message is less concerning than one with 1,000
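The triage in step 1, as an added example that is not part of dmarco or the original article: it reads an RFC 7489 aggregate report, totals messages per source IP, and ranks the IPs whose mail failed both DKIM and SPF by failing volume. The report XML is constructed sample data using documentation IP ranges, and `triage` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a trimmed RFC 7489 aggregate report (documentation IPs).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1000</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>240</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mail.example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>60</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>1</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def triage(report_xml):
    """Return (ip, stats) for senders with DMARC failures, highest failing volume first."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "header_from": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        s = stats[ip]
        s["total"] += count
        s["header_from"].add(rec.findtext("identifiers/header_from"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if dkim != "pass" and spf != "pass":
            s["failed"] += count
    failing = [(ip, s) for ip, s in stats.items() if s["failed"]]
    return sorted(failing, key=lambda item: item[1]["failed"], reverse=True)

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_REPORT):
        print(f"{ip:15} failed={s['failed']:>5}/{s['total']:<5} from={sorted(s['header_from'])}")
```

Aggregate reports arrive from external parties, so parse real ones with a hardened XML parser such as defusedxml rather than the standard-library parser used here.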

2. Ask your organization

Common services that send on behalf of your domain:

  • Email marketing — Mailchimp, SendGrid, Constant Contact, HubSpot
  • CRM — Salesforce, Zoho CRM, Pipedrive
  • Helpdesk — Zendesk, Freshdesk, Intercom
  • Billing — Stripe, QuickBooks, FreshBooks
  • HR/Payroll — BambooHR, Gusto, ADP
  • Project management — Asana, Monday.com, Basecamp
  • Internal tools — monitoring alerts, automated notifications, CI/CD notifications

3. Check SPF authorization

Use Diagnostics to see which senders are authorized in your SPF record. Senders that appear in reports but aren't in your SPF need to be added or identified as unauthorized.

How to review in dmarco

  1. Go to Senders to see identified and unknown senders per domain
  2. For each unknown sender, decide: is this a legitimate service or unauthorized?
  3. Approve legitimate senders — this marks them as reviewed
  4. If unauthorized, leave them unapproved — their mail will be quarantined or rejected once you enforce

Common mistakes

  • Forgetting seasonal senders — holiday campaigns, annual renewal notices, tax documents may only send once a year
  • Shared hosting IPs — if you use shared hosting, the IP may send for multiple domains. The hosting provider should be in your SPF.
  • Subdomains — services sending as mail.yourdomain.com need an SPF record published on that subdomain; SPF records are not inherited from the parent domain
  • Former employees' forwarding rules — auto-forwarding to personal addresses can generate DMARC failures that look like unknown senders