SPF-Identified Servers—What is this Source?
To turn DMARC into something useful to people, dmarcian processes DMARC data using the most accurate source classification engine in the industry. The classification rules identify sources of email, whether they are the customer’s own servers or third-party sources that send on their behalf. dmarcian presents users with DMARC compliance information based on these email sources.
Many of the sources are name brands that customers will recognize instantly, such as Amazon SES or Google; however, there are others that may not be quite as obvious. One source of email recognized by the dmarcian platform is called “SPF-Identified Servers”; dmarcian customers are often curious to find out how data ends up in this source.
SPF allows a domain owner to publish a list of servers that are allowed to send on behalf of a domain. When processing a domain’s DMARC data, dmarcian uses the domain’s SPF record to identify IPs that are authorized by the domain.
dmarcian maintains a large set of rules to identify infrastructure; if a piece of DMARC data can be identified using an existing rule, it will be. However, the bits of data that do not fall into an existing rule might match an IP found in the domain’s SPF record. If so, then that data is placed into the “SPF-Identified Servers” source. This is a catchall source—a way to extract data that we feel likely represents legitimate mailstreams, as it was authorized in a customer’s SPF record.
If you run across this source in your dmarcian account, the first thing you should do is investigate! Here are some things to consider in your investigation. First, identify whether this source is your own infrastructure or a third party sending on your behalf. You can look at the IP address or the Cisco Talos information (the clickable country flag) shown in the Detail Viewer.
If you discover that this is a third-party sender, determine if the infrastructure is actively utilized or if it is a service that has been off-boarded but never removed from your SPF record. Removing unnecessary entries not only helps limit SPF clutter, it follows good security principles.
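The catch-all logic and the clean-up check described above can be sketched as follows. This is an added example, not dmarcian's code: the SPF record, the rule table, the report rows and the "Unclassified" label are constructed for illustration, and only ip4:/ip6: mechanisms are evaluated because the example runs without DNS.

```python
import ipaddress

# Constructed sample data using documentation address ranges, not real senders.
SPF_RECORD = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 "
              "include:_spf.example.net -all")
# Hypothetical stand-in for the platform's infrastructure rules: network -> source.
KNOWN_RULES = {"203.0.113.0/24": "Example ESP"}
# (source IP, message count) pairs as taken from DMARC aggregate reports.
REPORT_ROWS = [("192.0.2.10", 120), ("203.0.113.5", 40),
               ("198.51.100.200", 3), ("2001:db8::25", 7)]

def spf_networks(record):
    """Split an SPF record into ip4:/ip6: networks and terms that need DNS."""
    networks, needs_dns = [], []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        mech = term.lstrip("+-~?")           # drop the qualifier
        name, _, value = mech.partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name.lower() != "all" and not mech.lower().startswith("exp="):
            needs_dns.append(mech)           # include:, a, mx, exists:, redirect=
    return networks, needs_dns

def classify(rows, record, rules):
    """Rules win first; leftover IPs covered by SPF go to the catch-all source."""
    spf_nets, _ = spf_networks(record)
    rule_nets = [(ipaddress.ip_network(n), src) for n, src in rules.items()]
    sources, seen = {}, {net: 0 for net in spf_nets}
    for ip_text, count in rows:
        ip = ipaddress.ip_address(ip_text)
        spf_hit = next((net for net in spf_nets if ip in net), None)
        if spf_hit is not None:
            seen[spf_hit] += count           # usage counts regardless of source
        by_rule = next((src for net, src in rule_nets if ip in net), None)
        if by_rule is not None:
            sources[ip_text] = by_rule
        elif spf_hit is not None:
            sources[ip_text] = "SPF-Identified Servers"
        else:
            sources[ip_text] = "Unclassified"  # label chosen for this example
    idle = [str(net) for net, total in seen.items() if total == 0]
    return sources, idle

if __name__ == "__main__":
    sources, idle = classify(REPORT_ROWS, SPF_RECORD, KNOWN_RULES)
    for ip_text, source in sources.items():
        print(f"{ip_text:>16}  {source}")
    print("SPF entries with no reported traffic:", idle)
    print("Terms needing DNS resolution:", spf_networks(SPF_RECORD)[1])
```

An entry listed as idle saw no mail in the sampled reports and is a candidate for the off-boarding review; confirm over a longer reporting window before removing it from the record.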
If you deem this source to be legitimate, there is one more thing to consider. Just because this source shows up in “SPF-Identified Servers” does not mean that SPF is the only way to authenticate legitimate email. DKIM should also be considered if the source supports it.
SPF-Identified Servers can sometimes be populated with surprising source data. There are many variables, such as forwarding, that will affect how data appears in the platform. Sorting the resulting DMARC data and making it relevant to people is not always an exact science and sometimes the rules are not 100% accurate.
If you encounter weird results in your “SPF-Identified Servers,” feel free to contact email@example.com, and we’ll take a look.