What is the primary method for identifying all email sending tools?

DMARC aggregate reports are the most comprehensive way. They provide data from mailbox providers on all email traffic using your domain, including authorized and unauthorized senders. Supplement this with internal audits and discussions with various departments.

How does the 'rua' tag in a DMARC record help identify mail streams?

The rua tag in your DMARC record specifies the email address where mailbox providers send aggregated reports. Without this, you won't receive the crucial data needed to identify all sources.

Why is internal investigation necessary if DMARC reports provide a comprehensive view?

While DMARC is powerful, it primarily tracks mail using your domain in the From header. Internal discussions can uncover systems sending emails from other domains, or direct SMTP connections not reflected in DMARC, or simply reveal tools that haven't generated enough volume to appear prominently yet.

What is 'shadow IT' in the context of email sending?

These are applications or services used by individual departments without central IT oversight. They often send emails that can impact your domain's reputation if not properly authenticated, making them crucial to identify through DMARC reports and internal inquiry.

Once a mail stream or tool is identified, what is the next step?

You should verify that DMARC, SPF, and DKIM are properly configured for each identified sender to ensure proper authentication and DMARC alignment. This helps prevent legitimate emails from being marked as spam and protects against spoofing.

What is the best way to identify all company mail streams and sending tools? - Technical - Email deliverability - Knowledge base

When managing email deliverability, one of the most fundamental steps is to accurately identify every single mail stream and sending tool a company uses. This isn't just about knowing your marketing automation platform or transactional email service. It’s about uncovering every system, application, and even individual user that sends email on behalf of your domain. Missing even one can lead to significant deliverability issues, from emails landing in spam folders to unauthorized sending that damages your domain's reputation.

The challenge is that organizations often have many departments, each using different tools for their specific needs, and these tools might not always be centrally managed or even known to the IT department. This 'shadow IT' for email sending can be a major blind spot. Over the years, I've seen countless instances where a forgotten system or a rogue application causes email deliverability headaches, leading to domain blacklisting (or blocklisting) and reduced inbox placement.

Successfully identifying all these sources is crucial for maintaining a healthy email ecosystem, ensuring compliance with new sender requirements, and protecting your brand. It allows you to configure your authentication records properly, monitor performance effectively, and quickly address any issues that arise. Let's explore the best approaches to tackle this comprehensive task.

The role of DMARC reports

The most powerful method for discovering all email sending sources associated with your domain is through DMARC aggregate reports. These XML reports are sent by mailbox providers (like

Google and

Yahoo) to the email address specified in your DMARC record's rua tag. They provide an overview of all mail streams using your domain in the visible From header, as seen by these providers.

These reports categorize email traffic by sending IP address, SPF and DKIM authentication results, and DMARC policy alignment. This means you'll see legitimate emails sent by your authorized senders, emails sent by authorized senders but failing authentication, and crucially, emails sent by unauthorized parties (like phishers or spammers) attempting to spoof your domain. Analyzing these reports is a detailed process and is often best done with a DMARC monitoring tool that can parse the XML data into an understandable format. DMARC analysis software can help simplify this complex data.

Implementing a DMARC record, even with a policy of p=none, is the first step. This allows you to gather the aggregate reports without impacting your current email delivery. From there, you can identify all the legitimate sending sources and then work towards configuring their SPF and DKIM records correctly to achieve DMARC alignment.

Understanding DMARC aggregate reports

DMARC aggregate reports provide a comprehensive view of all email traffic originating from your domain. They are crucial for identifying both legitimate and unauthorized senders.

Legitimate mail: Emails sent by your known marketing platforms, transactional services, and internal systems, showing their authentication status.
Misconfigured mail: Traffic from authorized senders that are not properly authenticating via SPF or DKIM, leading to DMARC failures.
Unauthorized mail: Spoofed emails sent by malicious actors attempting to use your domain for phishing or spam, which will fail DMARC checks.

Supplementing DMARC with internal checks

While DMARC reports are paramount, they should be supplemented with proactive internal investigations. Relying solely on DMARC might miss some niche internal tools or newly adopted services that haven't yet generated enough traffic to appear prominently in reports, especially if your policy is still at p=none. Start by engaging with key stakeholders across departments.

Your IT department and system administrators are critical resources. They often have insights into internal applications, server logs, and DNS records. Checking SPF records is a good starting point, as they list authorized IP addresses and domains that can send email on your behalf. However, SPF records have a 10-lookup limit, so they might not be exhaustive if your organization uses many services. A detailed discussion with those who manage your DNS records can uncover domains and subdomains used for email that you might not be aware of.

Furthermore, talk to marketing, sales, HR, customer support, and product teams. Each might be using their own dedicated tools for email communication, such as CRM systems (

HubSpot,

Salesforce), applicant tracking systems, or even event registration platforms (WebinarJam). These often send emails like confirmations, password resets, or promotional campaigns. Documenting these tools and their associated sending domains is vital for a complete overview.

Identifying unexpected sending tools

One of the biggest hurdles is identifying email streams that fall outside the traditional marketing or transactional categories. These are often sent from niche third-party applications or internal systems not typically associated with high-volume email sending. Think about HR platforms sending onboarding emails, project management tools sending notifications, or even internal server monitoring systems sending alerts.

These less obvious sources are often the culprits behind unexpected deliverability issues, including IP blocklistings (or blacklistings) or poor inbox placement. Because they might not send a high volume of email, their impact can be overlooked until a problem arises. For example, a small, misconfigured application sending out a handful of unauthenticated emails daily can still contribute to a negative domain reputation over time.

To catch these, a combination of DMARC monitoring and proactive investigation is essential. Make sure your DMARC reports are regularly reviewed for new or unexpected sending IP addresses. Also, establishing a culture within the organization where new email-sending tools are registered with a central team can prevent future surprises.

Consider this example of a typical DMARC record, which includes the rua tag to receive aggregate reports:

Example DMARC recordDNS

v=DMARC1; p=none; rua=mailto:dmarcreports@yourdomain.com; fo=1;

The rua tag directs aggregated DMARC reports to the specified email address, providing critical data on your domain's email traffic patterns and sources. You can use a DMARC record generator to help set this up.

Combining DMARC and internal discovery

Manual review and interviews

This involves direct communication with department heads and IT staff to list all known email sending applications. It's time-consuming but can uncover internal, less obvious systems.

Process: Conduct interviews, review internal documentation, and check DNS records like SPF manually. Review email log files for outgoing connections.
Scope: Primarily identifies applications known to IT or those with explicit internal policies. May miss 'shadow IT'.
Limitations: Relies on human memory and reporting. Can be incomplete, especially for large organizations with decentralized operations.

DMARC aggregate reports

These reports offer an automated, comprehensive view of all email streams using your domain, regardless of whether they are authorized or known internally.

Process: Set up a DMARC record with an rua tag to receive daily XML reports from mailbox providers. Use a DMARC analysis tool to parse and visualize the data.
Scope: Identifies all sending IPs, associated domains, and authentication results for mail using your domain's From header.
Benefits: Automated, comprehensive, and reveals unauthorized (spoofed) traffic as well as misconfigured legitimate sources. Ideal for achieving DMARC enforcement.

To effectively manage your email security and deliverability, combine both approaches. Use DMARC reports as your primary detection engine and supplement them with targeted internal inquiries to clarify identified sources and uncover any that might be sending mail via other means (e.g., direct SMTP, not using your primary domain in the From header).

Here's a table summarizing common email sending tools and their typical uses:

Category	Example Tools	Typical Use Cases
Marketing Automation	Mailchimp, ActiveCampaign, Sendinblue	Newsletters, promotional emails, drip campaigns
Transactional Email	Postmark, Mailgun, SendGrid	Password resets, order confirmations, shipping notifications
CRM Systems	Salesforce, HubSpot, Zoho CRM	Sales outreach, customer service communications
HR Platforms	Workday, BambooHR	Onboarding emails, benefit notifications, payroll updates
Web Servers / Apps	Internal SMTP relays, custom applications	System alerts, internal reports, contact forms

A complete view of your email landscape

Successfully identifying all company mail streams and sending tools is a foundational step towards robust email security and optimal deliverability. While DMARC aggregate reports offer the most comprehensive and automated view, they are most effective when coupled with proactive internal investigation and stakeholder engagement.

By meticulously reviewing your DMARC data and systematically auditing internal departments, you can gain a complete understanding of your email landscape. This holistic approach ensures that all legitimate sending sources are properly authenticated, reducing the risk of your emails being flagged as spam or your domain appearing on a blocklist. It also empowers you to quickly detect and neutralize unauthorized sending activity, safeguarding your brand's reputation and ensuring your messages reach the inbox.

Views from the trenches

Best practices

Regularly review your DMARC aggregate reports for new or unexpected sending IP addresses and domains.

Establish a centralized register for all email sending services used across the organization.

Conduct periodic internal audits by interviewing department heads about their communication tools.

Common pitfalls

Overlooking 'shadow IT' where departments use unauthorized or unknown email sending applications.

Ignoring smaller, lower-volume email streams that can still negatively impact domain reputation.

Failing to update SPF records when new sending services are adopted, leading to authentication failures.

Expert tips

When onboarding new clients or systems, always verify their DMARC setup and sending tool inventory.

Consider using a DMARC analysis platform to automate the parsing and visualization of complex aggregate reports.

For larger organizations, a dedicated email governance committee can help centralize oversight of all mail streams.

Expert view

Expert from Email Geeks says DMARC aggregate reports are specifically designed to identify all uses of a given domain in the visible From header of messages, as seen by mailbox providers.

2024-03-05 - Email Geeks

Expert view

Expert from Email Geeks says DMARC reports show mail sent and authenticated, mail sent but not authenticated, and mail sent by others in an unauthorized manner.

2024-03-05 - Email Geeks