What are the best methods for identifying email sending vendors for DMARC enforcement?
Matthew Whittaker
Co-founder & CTO, Suped
Published 6 Jul 2025
Updated 19 Aug 2025
10 min read
Implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for protecting your domain from spoofing and phishing attacks. However, one of the most common hurdles organizations face during DMARC enforcement is identifying all legitimate email sending vendors.
Many companies, especially larger enterprises, unknowingly use numerous third-party services that send emails on their behalf. These can range from marketing automation platforms and CRM systems to ticketing tools and HR software. If these vendors aren't properly configured to authenticate emails with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) in alignment with your domain, DMARC will flag their emails as unauthorized, potentially leading to deliverability issues when your policy is set to quarantine or reject.
This challenge highlights the need for a systematic approach to discover every email sending source. The goal is to ensure that all legitimate senders are authorized before moving to a stricter DMARC policy, preventing disruption to critical email flows.
DMARC aggregate reports (RUA) are your primary source of truth for identifying email sending vendors. These XML reports, sent daily to the email address specified in your DMARC record, provide a comprehensive overview of all email traffic purportedly sent from your domain. They contain crucial information such as the sending IP address, the domain in the From header (RFC5322.From), the SPF domain (RFC5321.From), DKIM signing domains, and the DMARC authentication result (pass, fail, quarantine, reject). While raw DMARC reports can be verbose, using a DMARC report analysis service or DMARC analyzing platform can transform this data into an understandable format, making vendor identification much easier.
Begin by monitoring your email traffic with a DMARC policy set to p=none. This policy allows you to collect data on all senders without affecting email delivery. Over several weeks or months, collect and analyze these reports. Look for IP addresses that are sending mail on your behalf but are not yet properly authenticated (i.e., failing SPF or DKIM alignment). These unauthenticated IPs represent unknown or misconfigured sending sources.
For each unfamiliar IP address or domain identified in the reports, you'll need to research its owner. Performing a WHOIS lookup on the IP address can often reveal the underlying service provider, such as Amazon Web Services (AWS), SendGrid, or Mailgun. This provides a lead to investigate further within your organization.
Pinpointing unknown senders
Once you have a list of identified IP ranges or domains, the next challenge is to pinpoint which internal department or team is utilizing that specific vendor. This step is often the most time-consuming, especially for large organizations with decentralized purchasing or marketing activities. Here are some strategies that can help:
Internal audit: Work with IT, finance, marketing, and sales departments to compile a comprehensive list of all third-party services that could potentially send emails on behalf of your domain. Review expense reports and vendor contracts for clues.
Communicate widely: Send internal communications explaining the DMARC enforcement project and asking teams to identify any email sending services they use. Emphasize the importance of proper authentication to avoid email disruption.
DNS record review: Examine your existing SPF and DKIM DNS records. These often contain include statements or CNAMEs that point directly to email service providers, offering immediate identification of known vendors, such as include:servers.mcsv.net for Mailchimp.
Sample email analysis: If you suspect a particular service, send a test email from it and examine the email headers. This can quickly reveal the originating IP, SPF domain, and DKIM signing domain, helping you match it to a vendor.
For some organizations, especially large ones, a detailed audit may be overwhelming. In such cases, a DMARC policy of p=quarantine with a low percentage (pct tag) can serve as a canary. By moving a small percentage of unauthenticated emails to the spam folder, you can gauge reactions and identify critical, unauthenticated mail flows that need immediate attention. This approach, while effective, should be done cautiously to avoid significant disruption.
Proactive identification and governance
Identifying all email sending vendors is not a one-time task but an ongoing process. New services are constantly adopted, and existing ones might change their sending infrastructure. Establishing robust internal governance is key to maintaining DMARC compliance and email security.
Vendor onboarding policy: Implement a policy that requires all new email sending vendors to be vetted by the IT or security team before deployment. This ensures their email authentication capabilities are understood and configured correctly from the start.
Regular DMARC report review: Continuously monitor your DMARC aggregate reports for any new, unauthenticated senders. This proactive approach allows you to catch new vendors or misconfigurations quickly. You can learn more about DMARC reports through Google's guidelines.
Inter-departmental collaboration: Foster strong communication channels between IT, security, and departments that frequently use third-party tools. This helps bridge the gap between technical implementation and business operations.
By combining technical analysis of DMARC reports with internal communication and robust governance, you can effectively identify and manage all email sending vendors. This ensures a smooth transition to DMARC enforcement policies like p=quarantine or p=reject, significantly enhancing your domain's protection against email fraud.
Challenges in DMARC enforcement
One of the most common issues arises when a known vendor, like a CRM or marketing platform, uses a different underlying email service provider (ESP) such as Amazon SES, Mailgun, or SendGrid. Your DMARC reports might show IPs from the underlying ESP, leading to confusion because your team knows they use VendorX, not Amazon SES. In such cases, direct communication with the vendor about their email sending infrastructure is necessary to ensure proper authentication. This is an essential step when working towards full DMARC enforcement.
Another common scenario is when multiple individuals or departments within an enterprise use separate accounts on the same email sending platform, such as many different Mailchimp accounts. This can make it difficult to centralize authentication and manage compliance, particularly regarding unsubscribe requests and brand consistency. While DMARC reports won't typically show individual sender email addresses due to privacy considerations, they will show the SPF domain and DKIM signing domain, which can help pinpoint the specific service being used.
The transition from a p=none policy to p=quarantine or p=reject must be done incrementally and with careful monitoring. Cutting off legitimate mail flow due to unauthenticated senders is a significant risk. By thoroughly identifying all vendors and ensuring their proper authentication through SPF and DKIM alignment, you can safely transition your DMARC policy and achieve full protection.
Practical steps for identifying vendors
To effectively manage your email sending landscape for DMARC enforcement, consider these practical steps:
Initial discovery phase: Start by gathering all DMARC aggregate reports for at least six months, covering major holiday periods to capture seasonal email flows.
Data analysis and correlation: Use a DMARC analysis tool to parse the raw data. Focus on identifying the source IP addresses and associated SPF and DKIM domains. Cross-reference these with your internal list of approved vendors and services.
Internal communication and engagement: Engage department heads and procurement teams. Ask them about their current email sending services. Finance departments can often provide lists of vendors that invoice your company, which can be cross-referenced with your DMARC reports.
Vendor outreach and configuration: For each identified vendor, ensure they are properly authenticating emails on your behalf with SPF and DKIM. Provide them with the necessary DNS records (TXT records for SPF, CNAME records for DKIM) to update their settings. Sometimes, their documentation on email authentication will be helpful.
Iterative policy enforcement: Once you're confident that all legitimate senders are authenticating correctly, incrementally increase your DMARC policy from p=none to p=quarantine (starting with a low percentage) and then to p=reject, continuously monitoring for any unexpected failures.
By following these steps, you build a robust system for identifying and managing all your email sending vendors, paving the way for successful DMARC enforcement and enhanced email security.
Conclusion
Identifying all email sending vendors for DMARC enforcement is a journey, not a destination. It requires a combination of technical diligence, internal communication, and robust governance. While DMARC aggregate reports provide the necessary data, the human element of investigation and coordination is crucial to translating that data into actionable insights.
By systematically uncovering every service sending email on your domain's behalf and ensuring their proper authentication, you can confidently move to stricter DMARC policies. This not only protects your brand from phishing and spoofing but also significantly improves your email deliverability, ensuring your legitimate messages reach their intended recipients.
Views from the trenches
Best practices
Actively analyze DMARC reports for unknown senders regularly and investigate them.
Establish a clear internal policy for onboarding new email sending vendors to ensure DMARC compliance from day one.
Collaborate closely with finance and procurement teams to identify all services invoicing the company that might send emails.
Use a structured approach to transition DMARC policies incrementally, starting with `p=none` and moving to `p=quarantine` or `p=reject`.
Common pitfalls
Underestimating the number of third-party vendors sending emails on behalf of the domain.
Moving to an enforced DMARC policy (quarantine or reject) too quickly without proper discovery, leading to legitimate email blocking.
Failing to engage non-technical departments (sales, marketing) in the vendor identification process.
Neglecting ongoing monitoring of DMARC reports after initial setup, missing new or changed sending sources.
Expert tips
Leverage the IPs and domains in DMARC aggregate reports, then use internal billing or change management logs to trace vendors and departments.
Consider a phased rollout for DMARC enforcement using a low percentage (`pct`) to identify problem areas without full disruption.
If an email flow is unauthenticated and no one claims it, blocking it can be a last resort to prompt identification.
Look for SPF include statements and DKIM selectors in DNS records, as they often point directly to email service providers being used.
Expert view
Expert from Email Geeks says that working around uncooperative vendors can be a significant time commitment.
2020-08-19 - Email Geeks
Marketer view
Marketer from Email Geeks says that while DMARC reporting services are more accessible now, client time commitment remains a challenge.
Amazon Web Services (AWS), 
SendGrid, or 
Mailgun. This provides a lead to investigate further within your organization.
Mailchimp.
