Identifying Legitimate Senders
The hardest part of DMARC deployment is determining which senders are legitimate (and need SPF/DKIM configured) versus spoofing attempts (to block). This guide teaches you how to make that distinction confidently.
The Challenge
When you first enable DMARC reporting with p=none, you'll receive reports showing dozens of IP addresses sending email on your behalf. The critical question: which are legitimate?
Legitimate Senders (Configure SPF/DKIM)
Google Workspace, SendGrid, Mailchimp, Salesforce - your actual email infrastructure that needs authentication.
Spoofing Attempts (Block with DMARC)
Unknown IPs from suspicious networks trying to impersonate your domain. These should be rejected.
Unknown (Investigate Further)
Low-volume senders, one-off services, or edge cases that require investigation before deciding.
5 Ways to Identify Legitimate Senders
1. Reverse DNS Lookup
Check whether the IP has a hostname that identifies the sending service, then confirm it forward: resolve that hostname back to addresses and make sure the original IP is among them. Whoever controls an IP's reverse zone can publish any PTR they like, so an unconfirmed PTR of mail-something.google.com proves nothing on its own.
# Check reverse DNS:
dig -x 209.85.220.41 +short
Result: mail-sor-f41.google.com.
# Forward-confirm it:
dig +short A mail-sor-f41.google.com
Result: the list must contain 209.85.220.41
✅ Legitimate: mail-sor-f41.google.com, sendgrid.net, mcsv.net (Mailchimp), once forward-confirmed
❌ Suspicious: NXDOMAIN, generic hostnames that merely encode the IP address (typical of ISP address pools and cloud default names), residential ISP networks
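The check above, automated: an added example (not code from the page) that looks up the PTR, forward-confirms it, and then matches the confirmed hostname against the ESP suffixes from the table further down. The two resolver functions are injectable so the logic can be exercised offline; the PTR and A answers in CONSTRUCTED_PTR/CONSTRUCTED_ADDR are made up for illustration (only the Google hostname for 209.85.220.41 comes from the page), and the hostname-suffix list and the "generic hostname" heuristic are assumptions of this example.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for a sending IP from a DMARC report.

Added example, not code from the page. The two lookup functions are injectable
so the logic can be exercised offline against constructed answers; the defaults
use the system resolver through the socket module."""
import ipaddress
import re
import socket

# Hostname suffixes from the page's table of common ESPs. They are trusted only
# after the PTR has been forward-confirmed; a bare PTR can claim any name.
KNOWN_ESP_SUFFIXES = {
    ".google.com": "Google Workspace",
    ".outlook.com": "Microsoft 365",
    ".sendgrid.net": "SendGrid",
    ".mcsv.net": "Mailchimp",
    ".amazonses.com": "Amazon SES",
}

def system_ptr_lookup(ip):
    """PTR record for ip, or None when there is none (dig -x ... -> NXDOMAIN)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_addr_lookup(hostname):
    """All A/AAAA addresses of hostname as a set of strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()

def looks_generic(hostname, ip):
    """Heuristic (assumption of this example): a PTR that embeds the IP's own
    octets (residential pools, cloud default names) identifies a network slot,
    not a mail server. IPv4 only; can misfire on tiny octets like 1.1.1.1."""
    tokens = set(re.split(r"[^0-9]+", hostname))
    octets = ip.split(".")
    return len(octets) == 4 and all(o in tokens for o in octets)

def classify_ptr(ip, ptr_lookup=system_ptr_lookup, addr_lookup=system_addr_lookup):
    """Return (verdict, hostname, esp_name) for one sending IP."""
    addr = ipaddress.ip_address(ip)           # rejects junk input early
    host = ptr_lookup(ip)
    if not host:
        return ("no-rdns", None, None)
    host = host.rstrip(".").lower()
    forward = set()
    for a in addr_lookup(host):
        try:
            forward.add(ipaddress.ip_address(a.split("%")[0]))  # drop zone ids
        except ValueError:
            pass
    if addr not in forward:
        return ("unconfirmed-rdns", host, None)  # PTR not backed by forward DNS
    for suffix, esp in KNOWN_ESP_SUFFIXES.items():
        if host.endswith(suffix):
            return ("known-esp", host, esp)
    if looks_generic(host, ip):
        return ("generic-rdns", host, None)
    return ("confirmed-unknown", host, None)

# Constructed answers for an offline run (not real DNS data, apart from the
# Google hostname the page itself shows for 209.85.220.41).
CONSTRUCTED_PTR = {
    "209.85.220.41": "mail-sor-f41.google.com.",
    "198.51.100.7": "c-198-51-100-7.hsd1.example-isp.net",
    "203.0.113.9": "mail.google.com",      # forged PTR: forward DNS disagrees
    "192.0.2.50": "mx1.acme.example",
}
CONSTRUCTED_ADDR = {
    "mail-sor-f41.google.com": {"209.85.220.41"},
    "c-198-51-100-7.hsd1.example-isp.net": {"198.51.100.7"},
    "mail.google.com": {"203.0.113.200"},
    "mx1.acme.example": {"192.0.2.50"},
}

def classify_offline(ip):
    """Run classify_ptr against the constructed answers instead of live DNS."""
    return classify_ptr(ip, CONSTRUCTED_PTR.get, lambda h: CONSTRUCTED_ADDR.get(h, set()))

if __name__ == "__main__":
    for ip in [*CONSTRUCTED_PTR, "192.0.2.1"]:
        print(ip, classify_offline(ip))
```

Note the order of checks: the forged mail.google.com PTR is reported as unconfirmed before its suffix is ever compared, which is the whole point of forward confirmation. For live use, call classify_ptr(ip) with the default resolvers.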
2. WHOIS IP Lookup
Find who owns the IP address:
# Check IP ownership:
whois 209.85.220.41
OrgName: Google LLC
NetRange: 209.85.128.0 - 209.85.255.255
✅ Legitimate: Google, Microsoft, SendGrid, Mailchimp, provided the block belongs to the provider's own mail infrastructure
⚠️ Ambiguous: AWS, Azure, GCP and other cloud ranges. WHOIS on a cloud block only tells you who rents space there; an EC2 instance in an Amazon netblock is not Amazon SES. Treat the organization as a hint and confirm with forward-confirmed reverse DNS or the provider's published SPF record.
❌ Suspicious: Unknown companies, residential ISPs, VPN providers, Tor exit nodes
3. Email Volume Patterns
Analyze message counts in DMARC reports:
✅ High Volume (1,000+ messages/day):
Usually legitimate: your primary email server (Google Workspace: 15,000/day) or marketing ESP (SendGrid: 5,000/day). Volume alone is not proof, though; a spoofing campaign also shows up as a high-volume source, so pair this signal with authentication status and with when the source first appeared in your reports.
❌ Low Volume (1-50 messages/day):
Could be a spoofing attempt (a test run before a larger campaign), a forwarder, OR a legitimate low-traffic service such as a monitoring host or a cron job. Investigate further.
4. Authentication Status
Check whether SPF and DKIM pass in the report. Read the policy_evaluated block, which records aligned results (the authenticated domain matches the From: domain, which is what DMARC actually counts); the raw auth_results next to it can show SPF or DKIM passing for some other domain, and that is not a DMARC pass.
✅ SPF/DKIM Passing (aligned):
Already configured correctly. These are senders you set up before, or relays that preserved your DKIM signature.
⚠️ Partially Passing (SPF OR DKIM):
Likely legitimate but needs configuration. Example: SendGrid with SPF passing but DKIM not set up yet (a raw DKIM pass for the ESP's own domain does not align and so does not count).
❌ Both Failing:
Either a new legitimate service (not configured yet), a forwarder or mailing list (SPF breaks whenever a message is relayed through another server, and DKIM breaks if the list rewrites the subject or body), OR spoofing. Use the other signals (IP, volume, reverse DNS, raw auth results) to decide. Note that forwarders cannot be fixed by adding them to SPF; their mail passes only if your DKIM signature survives the relay.
5. Internal Verification
Ask your team if they recognize the sender:
- Marketing team: Do you use SendGrid, Mailchimp, HubSpot?
- Sales team: Do you use Salesforce, Outreach, SalesLoft?
- Support team: Do you use Zendesk, Intercom, Freshdesk?
- IT team: Any monitoring tools sending alerts via email?
Common Legitimate Senders (IP Ranges)
Here are example IP ranges and hostname patterns for popular email services. If you see these in reports, they're likely legitimate, but treat the table as a starting point only: providers add and retire ranges, and the authoritative list is the provider's published SPF record (each publishes an include: name whose TXT record lists its current netblocks). Do not treat a whole cloud provider's address space as one ESP; most AWS addresses belong to customer instances, not to SES.
| Service | IP Range Examples | Hostname Pattern |
|---|---|---|
| Google Workspace | 209.85.x.x, 172.253.x.x | mail-*.google.com |
| Microsoft 365 | 40.92.x.x, 40.107.x.x | *.outlook.com |
| SendGrid | 167.89.x.x, 168.245.x.x | *.sendgrid.net |
| Mailchimp | 205.201.x.x, 198.2.x.x | *.mcsv.net |
| Amazon SES | 54.240.x.x (verify against the amazonses.com SPF record) | *.amazonses.com |
| Salesforce | 136.147.x.x | *.exacttarget.com |
| Zendesk | 192.161.x.x | *.zendesk.com |
| HubSpot | 148.105.x.x | *.hubspotemail.net |
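Rather than trusting a static table, check whether the IP is actually covered by the provider's SPF record, following include: and redirect= the way an SPF evaluator does. This is an added example, not code from the page: the TXT answers in CONSTRUCTED_TXT are made-up stand-ins, not any provider's real record, and example-esp.net and loop.example are hypothetical names. With a live resolver you would query the include names the providers publish, for instance _spf.google.com or spf.protection.outlook.com.

```python
"""Is this IP inside the provider's published SPF record?

Added example, not code from the page. The TXT answers below are constructed
stand-ins, not any provider's real records."""
import ipaddress

CONSTRUCTED_TXT = {
    "example-esp.net": ["v=spf1 include:_netblocks.example-esp.net ip4:198.51.100.0/24 -all"],
    "_netblocks.example-esp.net": ["v=spf1 ip4:203.0.113.0/25 ip6:2001:db8:1::/48 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # pathological record
}

def constructed_txt_lookup(name):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return CONSTRUCTED_TXT.get(name.lower().rstrip("."), [])

def spf_networks(domain, txt_lookup=constructed_txt_lookup, budget=None):
    """Collect the ip4:/ip6: networks a domain's SPF record authorises,
    following include: and redirect=. A shared budget of 10 DNS-querying terms
    (the RFC 7208 limit) also stops include loops."""
    if budget is None:
        budget = {"lookups": 10}
    nets = []
    record = next((r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")), None)
    if record is None:
        return nets
    for term in record.split()[1:]:
        if term[0] in "-~?":          # fail/softfail/neutral terms authorise nothing
            continue
        term = term.lstrip("+")       # '+' is the implicit default qualifier
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith(("include:", "redirect=")):
            if budget["lookups"] == 0:
                break                 # a real evaluator returns permerror here
            budget["lookups"] -= 1
            sep = ":" if term.startswith("include:") else "="
            nets.extend(spf_networks(term.split(sep, 1)[1], txt_lookup, budget))
        # a, mx, exists and ptr also need DNS and are left out of this example
    return nets

def ip_in_spf(ip, domain, txt_lookup=constructed_txt_lookup):
    """True if ip (v4 or v6) falls inside any network the domain's SPF authorises."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_networks(domain, txt_lookup))

if __name__ == "__main__":
    for ip in ["198.51.100.17", "203.0.113.200", "2001:db8:1::5"]:
        print(ip, ip_in_spf(ip, "example-esp.net"))
```

To use it against real records, pass a txt_lookup that returns the strings of a DNS TXT answer (dnspython's resolver works; join multi-string TXT records before returning them). The a, mx, exists and ptr mechanisms are omitted because they need further DNS queries; the big ESPs publish their netblocks as ip4:/ip6: terms behind include: names, which this code does handle.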
Red Flags for Spoofing
Residential/ISP IP Addresses
Comcast, AT&T, Verizon residential networks. Legitimate businesses use dedicated mail servers, not home connections.
VPN/Proxy/Tor Networks
IP ranges associated with anonymization services. Often used by attackers to hide identity.
High-Risk Countries
If you have no staff, customers or vendors in Russia, China, Nigeria, etc. and see senders located there, treat it as a prompt to investigate, not as proof: attackers rent hosts anywhere, and large ESPs send from data centres worldwide. Decide on reverse DNS and authentication results, not on geolocation alone.
No Reverse DNS
dig -x returns NXDOMAIN or a generic pool name. A properly run mail server has a PTR that forward-resolves back to its IP, and some receivers reject mail from hosts without one.
Sudden Spike in Failures
Unknown IP suddenly sending 10,000+ failing messages/day. This is an active attack campaign.
Decision Framework
✅ Configure Authentication (Definitely Legitimate)
Add to SPF and configure DKIM when most of these hold:
- Known ESP (Google, SendGrid, Mailchimp, etc.)
- High volume (>1,000 messages/day)
- Proper, forward-confirmed reverse DNS with an ESP hostname
- Team confirms they use this service
- Already partially passing (aligned SPF or DKIM on its messages: the IP is already in your SPF record or signs with your key)
❌ Block with DMARC (Definitely Spoofing)
Leave it to p=reject (you add nothing; unauthenticated mail from it simply fails) when these hold together, not individually. Low volume or a missing PTR on its own is just as often a forgotten internal host as an attacker:
- Unknown IP from suspicious network
- No reverse DNS or generic hostname
- Low volume (<50 messages/day)
- Both SPF and DKIM failing, with no raw SPF pass for some other domain (which would point to a forwarder instead)
- No one on your team recognizes the source
⚠️ Investigate Further (Unknown)
Keep DMARC p=none and monitor for 2 weeks if:
- Unknown service but legitimate-looking IP/hostname
- Medium volume (50-500 messages/day)
- One authentication method passing on only some of its messages
- Could be legacy system or forgotten integration
- DKIM passing from an IP you never configured (a forwarder that preserved your signature; it needs no SPF entry)
After 2 weeks: If still active, still failing, and no team recognition, treat as spoofing.
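The volume and authentication signals (sections 3 and 4) and the decision framework above, applied to an actual aggregate report: an added example, not code from the page, that parses DMARC RUA XML, totals each source IP, distinguishes aligned results (policy_evaluated) from raw auth_results, and emits a verdict per IP using the page's thresholds. The report in CONSTRUCTED_REPORT is made up for illustration (example.com, esp.example and lists.example.org are hypothetical), and the verdict strings and the "relay" heuristic (raw SPF passing for a domain other than yours) are this example's own.

```python
"""Tabulate DMARC aggregate (RUA) report records per source IP and triage them
with the decision framework above.

Added example, not code from the page. The report below is constructed for
illustration; real reports arrive as gzip or zip attachments containing this XML."""
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

CONSTRUCTED_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>  <!-- primary mail server, fully configured -->
    <row><source_ip>209.85.220.41</source_ip><count>15000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- ESP with SPF done but DKIM still signing with its own domain -->
    <row><source_ip>198.51.100.20</source_ip><count>5000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- mailing list relay: SPF passes only for the list's own domain -->
    <row><source_ip>203.0.113.8</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>lists.example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- unknown host, everything fails -->
    <row><source_ip>192.0.2.77</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Aggregate records per source IP. policy_evaluated holds the aligned results
    DMARC counted; raw auth_results show whom the message did authenticate as,
    which exposes relays and forwarders."""
    root = ET.fromstring(xml_text)
    own = root.findtext("policy_published/domain", "").lower()
    per_ip = defaultdict(lambda: {"count": 0, "spf_aligned": 0, "dkim_aligned": 0,
                                  "relay_spf_pass": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count", "0"))
        ev = rec.find("row/policy_evaluated")
        s = per_ip[ip]
        s["count"] += n
        s["spf_aligned"] += n if ev.findtext("spf") == "pass" else 0
        s["dkim_aligned"] += n if ev.findtext("dkim") == "pass" else 0
        # raw SPF pass for a domain other than ours: the sender identified itself
        # honestly, just not as us (typical of lists and forwarders)
        for spf in rec.findall("auth_results/spf"):
            if spf.findtext("result") == "pass" and spf.findtext("domain", "").lower() != own:
                s["relay_spf_pass"] += n
    return dict(per_ip)

def triage(summary, recognized=frozenset()):
    """Apply the framework; returns {ip: verdict}. Volume thresholds are the page's,
    `recognized` is the set of IPs your team has confirmed (section 5)."""
    verdicts = {}
    for ip, s in summary.items():
        both = s["spf_aligned"] == s["count"] and s["dkim_aligned"] == s["count"]
        if both:
            verdicts[ip] = "legitimate: already authenticated"
        elif s["spf_aligned"] or s["dkim_aligned"]:
            verdicts[ip] = "legitimate: finish configuration (only one method aligned)"
        elif s["relay_spf_pass"]:
            verdicts[ip] = "investigate: relay/forwarder (SPF passes for another domain)"
        elif ip in recognized:
            verdicts[ip] = "legitimate: team recognizes, add SPF/DKIM"
        elif s["count"] >= 1000:
            verdicts[ip] = "urgent: high-volume unauthenticated (campaign or unconfigured core sender)"
        elif s["count"] >= 50:
            verdicts[ip] = "investigate: medium volume, monitor 2 weeks"
        else:
            verdicts[ip] = "leave to p=reject: low-volume, unrecognized, fully failing"
    return verdicts

def load_report(path):
    """Read a .xml or .xml.gz report file (zip attachments are not handled here)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")

if __name__ == "__main__":
    for ip, verdict in triage(summarize(CONSTRUCTED_REPORT)).items():
        print(f"{ip:16} {verdict}")
```

Run it over a directory of real reports by feeding load_report(path) to summarize and merging the per-IP totals across reports before calling triage; a single receiver's report covers one day, and the framework's two-week window only makes sense over the merged view.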
Automatic Sender Identification
TrustYourInbox automatically identifies known ESPs and flags suspicious sources. No manual IP lookups needed.