
Common causes of unknown senders

Unknown senders are IP addresses in your DMARC reports that don't match any recognized email service. They're the most important thing to investigate before tightening your DMARC policy.

Not all unknown senders are threats

An unknown sender simply means dmarco doesn't recognize the IP. Many unknown senders are legitimate services that haven't been identified yet. Before assuming malicious intent, investigate.

Common legitimate causes

Third-party services you forgot about

  • Marketing platforms (Mailchimp, HubSpot, Constant Contact)
  • Transactional email services (SendGrid, Postmark, Amazon SES)
  • CRM systems sending notifications as your domain
  • Helpdesk tools sending ticket replies
  • Billing/invoicing systems
  • HR platforms sending employee notifications

Internal infrastructure

  • On-premise mail servers with IPs not in the sender library
  • Application servers sending alerts or notifications
  • Print-to-email or scan-to-email devices
  • Monitoring systems sending alerts

Email forwarding

When emails are forwarded, the forwarding server's IP appears as the sender. If someone forwards mail from your domain to a personal address, the forwarding server shows up as an unknown sender.

Shared hosting

If you use shared web hosting that sends email (contact forms, order confirmations), the hosting provider's IP may not match any known sender. Check the reverse DNS — it often identifies the hosting provider.

Common unauthorized causes

Spoofing

Someone pretending to be your domain. Usually low volume and from IPs with no reverse DNS or suspicious hosting providers. These are exactly what DMARC enforcement is designed to block.

Compromised accounts

If a user's email account is compromised, the attacker sends from that user's account through infrastructure you don't control. Check for unusual sending patterns.

Backscatter

When a spammer spoofs your domain and the receiving server sends a bounce notification, some DMARC reporters log this. Usually very low volume.

How to investigate in dmarco

  1. Go to Reports and filter for unknown senders
  2. For each unknown IP, check:
    • Reverse DNS — does it belong to a recognizable provider?
    • ASN / Network — which organization operates this IP?
    • Message count — high volume from one IP suggests a legitimate service; low volume may be spam or testing
    • SPF/DKIM results — if both fail, it's more likely unauthorized
  3. Once identified, approve legitimate senders in Senders
  4. For legitimate services: add them to your SPF record and configure DKIM

Rule of thumb: Investigate high-volume unknown senders first. A sender with 1 message over 30 days is rarely urgent. A sender with 500 messages needs immediate attention.
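The step 2 checks and the volume rule of thumb can also be run directly against a raw aggregate report. The following is an added example, not dmarco's code: it parses a constructed report in the RFC 7489 XML layout, skips approved IPs, and ranks the rest by message count with the share of messages that failed both SPF and DKIM. The function name, the `KNOWN_SENDERS` set and the sample data are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IP ranges).
SAMPLE_REPORT = """<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>20</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical stand-in for senders you have already approved.
KNOWN_SENDERS = {"203.0.113.25"}

def triage_unknown_senders(report_xml, known=KNOWN_SENDERS):
    """Rank unknown source IPs by volume, with how many messages failed SPF and DKIM."""
    # Reports arrive from third parties: for real input, parse with a hardened
    # parser such as defusedxml instead of the standard-library ElementTree.
    stats = defaultdict(lambda: {"messages": 0, "both_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        if ip in known:
            continue
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        stats[ip]["messages"] += count          # one IP can span several rows
        if dkim != "pass" and spf != "pass":    # both failed: more likely unauthorized
            stats[ip]["both_fail"] += count
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["messages"], reverse=True)
    return [
        {"ip": ip, **s,
         "both_fail_ratio": s["both_fail"] / s["messages"] if s["messages"] else 0.0}
        for ip, s in ranked
    ]

if __name__ == "__main__":
    for entry in triage_unknown_senders(SAMPLE_REPORT):
        print(entry)
```

In the sample, 192.0.2.10 sorts first with 500 messages, most of them passing SPF, which fits a legitimate service that still needs DKIM configured. The single message from 198.51.100.7 failed both checks and is lower priority.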