Discovering the origin and purpose of emails sent from unfamiliar IP addresses (internet protocol addresses) is a critical aspect of maintaining email deliverability and security. Unrecognized IP activity, especially when appearing in reputation monitoring tools like Google Postmaster Tools, can indicate a range of issues from legitimate but unknown internal sending systems to potential compromise or spoofing attempts. Understanding how to investigate these IPs involves a combination of technical lookups, log analysis, and leveraging email authentication reports such as DMARC.
Key findings
DMARC reports: These reports are the most effective way to identify unrecognized IPs sending email on behalf of your domain. They provide aggregate data on all IP addresses attempting to send email using your domain, along with their SPF and DKIM authentication results.
IP ownership: Using a WHOIS lookup tool can reveal who owns a specific IP address, providing initial clues about its nature (e.g., an ISP, a cloud provider, or a specific organization). This is a foundational step in tracing an email's origin.
Email headers: Analyzing raw email headers can expose the journey an email took, including the originating IP and server hops. Look for 'Received:' headers, which are added by each server in the delivery chain. Some headers like 'X-Originating-IP' may also directly reveal the sender's IP, though their presence varies.
Reverse DNS (rDNS): Performing an rDNS lookup on an IP address can reveal the hostname associated with it. This hostname can often provide a better indication of the sending entity than the IP alone, especially for cloud providers or large organizations.
Internal audit: Often, unrecognized sending IPs belong to legitimate, but untracked, internal systems or third-party vendors (e.g., HR systems, CRM, transactional services) that send emails using your domain. An internal audit can help reconcile these.
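The DMARC aggregate report described above is the one data source that lists every IP sending as your domain together with its SPF and DKIM outcome. The following is an added example, not code from the original article: it parses a report in the RFC 7489 XML layout, checks each source IP against a constructed inventory of documented senders, and sorts the rest into "authenticated but unknown" (usually an untracked internal or vendor system; the passing DKIM selector is the clue to which one) versus "unauthenticated and unknown" (a misconfigured system or a spoofing attempt). The report contents, IP ranges and selector name are sample values.

```python
# Added example (not from the original article): parse a DMARC aggregate
# report and triage every source IP it lists. The XML is constructed to follow
# the RFC 7489 Appendix C schema; the IPs and selector are sample values.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>mkt2022</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

# Constructed inventory of sending systems the organisation has already documented.
KNOWN_SENDERS = {"marketing ESP": ["192.0.2.0/24"]}


def parse_report(xml_text):
    """Return (published policy, list of per-record summaries)."""
    root = ET.fromstring(xml_text)
    policy = {el.tag: el.text for el in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "spf": ev.findtext("spf"),
            "dkim": ev.findtext("dkim"),
            "header_from": rec.findtext("identifiers/header_from"),
            # selectors that verified: the key to mapping a source to a service
            "selectors": [d.findtext("selector") for d in rec.findall("auth_results/dkim")
                          if d.findtext("result") == "pass"],
        })
    return policy, rows


def owner_of(ip, known=KNOWN_SENDERS):
    """Name of the documented sender whose network contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in known.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def triage(xml_text, known=KNOWN_SENDERS):
    """Label each source: known, unknown-authenticated (probably a legitimate
    but untracked service; see its DKIM selector), or unknown-unauthenticated
    (a misconfigured system or someone spoofing the domain)."""
    policy, rows = parse_report(xml_text)
    for row in rows:
        row["owner"] = owner_of(row["source_ip"], known)
        if row["owner"]:
            row["status"] = "known"
        elif "pass" in (row["spf"], row["dkim"]):
            row["status"] = "unknown-authenticated"
        else:
            row["status"] = "unknown-unauthenticated"
    return policy, rows


if __name__ == "__main__":
    policy, rows = triage(SAMPLE_REPORT)
    print(f"policy published for {policy['domain']}: p={policy['p']}")
    for r in rows:
        print(f"{r['source_ip']:>15} msgs={r['count']:<4} spf={r['spf']} dkim={r['dkim']} "
              f"selectors={r['selectors']} -> {r['status']}")
```

Run against a real report, the "unknown-authenticated" rows are the ones to take to the internal audit (which team owns the key behind that selector?), while the "unknown-unauthenticated" rows are what a later move from p=none to p=quarantine or p=reject would start affecting.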
Key considerations
Legitimate vs. malicious: Not all unrecognized IP activity is malicious. Many IPs belong to legitimate cloud infrastructure or specific transactional email services. Differentiating between legitimate, untracked sending and actual email spoofing or fraud is crucial for proper action.
DMARC policy impact: A DMARC policy set to p=none (monitoring mode) is essential for gathering data on unknown senders without impacting deliverability. Gradually moving to p=quarantine or p=reject should only occur after all legitimate sending sources are authorized via SPF and DKIM.
IP reputation monitoring: Regularly checking IP reputation in tools like Google Postmaster Tools or with a blocklist checker can alert you to issues with unexpected IPs. Poor reputation for unrecognized IPs may indicate spam or phishing.
Collaboration: Working closely with internal IT, security, and marketing teams is essential to identify and authorize all legitimate email sending sources and to address any unauthorized activity.
For a deeper dive into tracing emails, consider exploring comprehensive guides on email tracing techniques and understanding the complexities of email headers.
What email marketers say
Email marketers often face challenges when unexpected IP addresses appear to be sending mail on behalf of their domain, especially when these IPs show poor reputation. Their primary concern is protecting brand reputation and ensuring legitimate campaigns reach the inbox without being flagged as spam. Understanding the source of these emails is crucial for maintaining good deliverability.
Key opinions
Reputation impact: Many marketers are concerned about unrecognized IP addresses negatively affecting their domain and IP reputation, especially when these IPs appear in tools like Google Postmaster Tools with poor scores.
Identifying source: Marketers frequently seek tools or methods to directly see what emails are being sent from a specific IP address, especially if it's not one they directly control for marketing sends (e.g., Salesforce Marketing Cloud).
Platform limitations: Users of email sending platforms often acknowledge that they lack direct access to server logs, requiring them to rely on their platform's delivery managers for insight into sending activity from unfamiliar IPs.
Trap network utility: Some marketers use or inquire about the ability of trap networks to provide visibility into unknown email sending activity, especially for suspicious IP ranges.
Key considerations
Proactive monitoring: Regularly monitoring IP reputation in Google Postmaster Tools or similar services is vital for early detection of unauthorized or problematic IP activity.
Internal communication: Before assuming malicious activity, marketers should first consult their internal IT teams and other departments to identify any legitimate, but previously unknown, email sending systems.
Understanding DMARC reports: Even for marketers, understanding how to read and act on DMARC aggregate reports is essential to gain insights into all sources sending mail using their domain, authorized or otherwise.
Leveraging external tools: While direct log access is rare for platform users, external tools that provide visibility into IP activity (e.g., paid monitoring services) can be valuable for tracing email origins. For more details on tracing, see this guide to email tracing.
Marketer view
An email marketer from Email Geeks explains that direct server access allows log review to trace emails, but platform users typically need to consult their delivery manager for such information.
22 Aug 2022 - Email Geeks
Marketer view
A marketer from Quora states that analyzing the full email header is the initial step to trace an email's origin, as it often contains the sender's IP address and other routing information.
23 Aug 2022 - Quora
What the experts say
Email deliverability experts highlight the nuances of tracing email origins, emphasizing technical methods and the importance of DMARC reports. They advise caution in interpreting IP ownership and suggest internal collaboration to identify all legitimate sending sources.
Key opinions
DMARC as primary tool: Experts consistently point to DMARC reports as the most effective method for identifying IPs sending email on your domain, providing a comprehensive overview of authenticated and unauthenticated sources.
IP lookup caveats: While WHOIS and rDNS lookups provide IP ownership details, experts caution that large cloud providers (e.g., Oracle, AWS) own vast IP ranges, so identifying the specific tenant or service using that IP requires further investigation, often via DMARC or internal logs.
Legitimate but unknown traffic: Experts often find that unrecognized IPs are linked to legitimate, non-marketing email services (e.g., password resets, alerts) running on shared hosting or cloud infrastructure that are simply not properly authorized or tracked.
Authentication as an indicator: If unrecognized IPs appear in DMARC reports and are DKIM signed, experts suggest it's highly probable the traffic is legitimate, even if the source is initially unknown to the organization.
Internal inquiry: The first step after identifying an unknown IP's owner should be to ask internal IT or relevant departments if they are using services that leverage those IPs for email sending.
Key considerations
DKIM selector investigation: For authenticated but unknown sources, asking technical teams for a list of all DKIM selectors associated with the domain can help map legitimate keys to their sending services. This helps establish which IP addresses are genuinely unexpected.
Private key management: Enquiring about where DKIM private keys were requisitioned and who uses them can further narrow down the source of authenticated emails from unknown IPs.
Command line tools: Utilizing command-line tools like whois (e.g., whois -h whois.arin.net IP) offers a direct way to query IP ownership data. This can be critical when a reputation service such as SenderScore is reporting unexpected emails.
Beyond marketing emails: Remember that IP addresses may send various types of emails (transactional, administrative, security alerts) that are not managed by the marketing department. These often originate from different systems and require broader organizational visibility. For more, see this article on tracking IP addresses from email headers.
Expert view
An expert from Email Geeks explains that while no official tools directly show email content from an IP, services like SenderScore and (previously) SenderBase could provide associated domains, offering clues to the email's purpose.
22 Aug 2022 - Email Geeks
Expert view
An expert from SpamResource emphasizes that monitoring DMARC reports is paramount for identifying all sending sources, both legitimate and unauthorized, associated with a domain.
23 Aug 2022 - SpamResource
What the documentation says
Official documentation and internet standards (RFCs) lay the groundwork for how email is transmitted and authenticated, providing the technical basis for tracing email origins. These documents explain the structure of email headers and the mechanisms like SPF, DKIM, and DMARC that help identify and validate sending sources.
Key findings
SMTP headers: RFCs define standard email headers like 'Received:' which are automatically added by each Mail Transfer Agent (MTA) an email passes through. These headers record the IP address of the previous hop, creating a traceable path.
IP address traceability: The fundamental design of the internet's addressing system (IP addresses) allows for lookups (WHOIS, rDNS) to determine the registered owner or responsible entity for any given IP block. This underpins all IP tracing efforts.
DMARC reporting: DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifically mandates the generation of aggregate (RUA) reports that list all IP addresses sending email on behalf of a domain, along with their SPF and DKIM authentication outcomes. This is explicitly designed for discovering unauthorized senders.
X-Originating-IP: While not a standard RFC header, many email service providers (ESPs) and webmail interfaces add an 'X-Originating-IP' or similar header that directly indicates the IP address of the client (user) who initiated the email send. This can be invaluable for tracing. You can read more about the X-Originating-IP email header.
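The WHOIS and reverse DNS lookups mentioned under Key findings, the experts' caveat that a cloud provider's ownership record tells you little about the tenant, and the whois -h whois.arin.net query from the expert section come together in the added example below, which is not code from the original article. It reverse-resolves an IP, forward-confirms the name (FCrDNS, so a PTR that anyone controlling the reverse zone could have written is only trusted when the name resolves back to the same address), matches the confirmed name against a constructed list of documented sender hostnames, and extracts the ownership fields from ARIN-style whois output. The DNS and whois lookups are injectable, and the fixtures, hostnames, suffixes and whois text are constructed sample data so the example runs offline.

```python
# Added example (not from the original article): reverse-DNS an IP, forward-
# confirm the result (FCrDNS), and summarise an ARIN whois answer. The DNS and
# whois functions are injectable so the constructed fixtures below run offline.
import re
import socket
import subprocess

# Constructed fixtures standing in for live DNS answers.
FIXTURE_PTR = {"192.0.2.10": "out10.mail.example-esp.test.",
               "198.51.100.7": "mail.unknown-host.test."}
FIXTURE_FORWARD = {"out10.mail.example-esp.test": ["192.0.2.10"],
                   "mail.unknown-host.test": ["198.51.100.99"]}  # PTR does not confirm

# Constructed hostname suffixes of sending systems already documented.
KNOWN_SUFFIXES = {".mail.example-esp.test": "marketing ESP", ".example.com": "corporate mail"}


def fixture_ptr(ip):
    if ip not in FIXTURE_PTR:
        raise socket.herror(1, "no PTR")      # same error type as a live miss
    return FIXTURE_PTR[ip]


def fixture_forward(host):
    if host not in FIXTURE_FORWARD:
        raise socket.gaierror(-2, "no A record")
    return FIXTURE_FORWARD[host]


def live_ptr(ip):
    return socket.gethostbyaddr(ip)[0]


def live_forward(host):
    return socket.gethostbyname_ex(host)[2]


def classify_ip(ip, ptr_lookup=live_ptr, forward_lookup=live_forward, known=KNOWN_SUFFIXES):
    """rDNS the address, check that the name resolves back to it, and attach an
    owner hint only when the confirmed name matches a documented sender."""
    result = {"ip": ip, "ptr": None, "fcrdns": False, "owner_hint": None}
    try:
        ptr = ptr_lookup(ip).rstrip(".").lower()
    except OSError:
        return result                  # no PTR at all: leave it unidentified
    result["ptr"] = ptr
    try:
        result["fcrdns"] = ip in forward_lookup(ptr)
    except OSError:
        pass                           # name does not resolve: fcrdns stays False
    if result["fcrdns"]:
        for suffix, name in known.items():
            if ptr.endswith(suffix):
                result["owner_hint"] = name
    return result


WHOIS_FIELDS = re.compile(r"^(NetRange|CIDR|NetName|OrgName):\s*(.+?)\s*$", re.MULTILINE)


def parse_whois(text):
    """Pick the ownership fields out of ARIN-style whois output."""
    return {key: value for key, value in WHOIS_FIELDS.findall(text)}


def whois_arin(ip):
    """Run the query the article gives (whois -h whois.arin.net IP) and summarise it."""
    out = subprocess.run(["whois", "-h", "whois.arin.net", ip],
                         capture_output=True, text=True, check=False)
    return parse_whois(out.stdout)


# Constructed whois answer in ARIN's field layout, for offline use.
SAMPLE_WHOIS = """NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-CLOUD-NET
OrgName:        Example Cloud Hosting LLC
"""

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(classify_ip(ip, fixture_ptr, fixture_forward))
    print(parse_whois(SAMPLE_WHOIS))
```

An OrgName of a cloud or hosting provider, as in the constructed whois text, is where the lookup trail ends: the tenant behind that address has to be identified from the DMARC report or from an internal inquiry, which is the caveat the experts raise above.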
Key considerations
Header spoofing: While 'Received:' headers are generally reliable, malicious actors can forge certain headers. However, the innermost 'Received:' header (the first one added by the originating MTA) is typically trustworthy. Understanding how email spoofing works is essential.
Proxy servers and VPNs: Documentation indicates that the X-Originating-IP header might reveal the true IP, but if a sender uses a proxy or VPN, the IP revealed will be that of the proxy/VPN server, not the end user.
Private vs. public IPs: Email headers will only contain public IP addresses. Internal, private IP addresses used within a local network are not exposed externally in email headers.
Compliance and logging: Many email sending systems, particularly those handling sensitive or transactional emails, are designed to log originating IP addresses and user information for compliance and security purposes, even if these logs are not publicly accessible.
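The 'Received:' chain described under Email headers and SMTP headers above, together with the DKIM selector mapping the experts recommend, is worked through in the following added example, which is not code from the original article. It parses a constructed raw message with the standard library, lists the hops from the originating host outward (each MTA prepends its own line, so the last 'Received:' header in the block is the earliest hop), reports the first routable address, which is the one that reputation tools and DMARC reports will show, and pulls the d= and s= tags from the DKIM-Signature header so the source can be matched to a selector. It also handles the case where an upstream relay recorded an internal hop with an RFC 1918 address, which cannot be looked up and is skipped. One caveat a practitioner should keep in mind: the lines written by your own receiving servers are the ones you can trust outright; everything recorded before them was written by other parties and is best cross-checked against the DMARC report. Hostnames, addresses, message IDs and the signature values are sample data.

```python
# Added example (not from the original article): walk the Received: chain of a
# raw message from the originating hop outward and pull d=/s= from the
# DKIM-Signature header. The message below is constructed; hosts, IPs and the
# signature fields are sample values, not a real signature.
import ipaddress
import re
from email import message_from_string
from email.policy import default

RAW_MESSAGE = """Received: from mx2.receiver.test (mx2.receiver.test [203.0.113.20])
    by inbox.receiver.test with ESMTPS id abc123;
    Tue, 23 Aug 2022 10:01:05 +0000
Received: from relay.vendor-mail.test (relay.vendor-mail.test [198.51.100.7])
    by mx2.receiver.test with ESMTPS id def456;
    Tue, 23 Aug 2022 10:01:04 +0000
Received: from app-01.internal (unknown [10.20.30.40])
    by relay.vendor-mail.test with ESMTP id ghi789;
    Tue, 23 Aug 2022 10:01:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=txn2022; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
From: Alerts <alerts@example.com>
To: user@receiver.test
Subject: Password reset

Your password was reset.
"""

# RFC 1918 plus loopback and link-local. Deliberately not ipaddress.is_private,
# which also classes the documentation ranges used in this sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
FROM_HOST = re.compile(r"^from\s+(\S+)")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def received_chain(raw):
    """Hops ordered from the originating host outward. Each MTA prepends its
    Received: line, so the last one in the header block is the earliest hop."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = str(header)                 # policy=default unfolds the header
        host = FROM_HOST.match(text)
        ip = BRACKETED_IP.search(text)
        hops.append({"from_host": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None,
                     "internal": bool(ip) and is_internal(ip.group(1))})
    return hops


def originating_public_ip(raw):
    """First routable address in the chain: the one reputation tools and DMARC
    reports will show. A private address recorded for an internal hop cannot
    be looked up, so it is skipped."""
    for hop in received_chain(raw):
        if hop["ip"] and not hop["internal"]:
            return hop["ip"]
    return None


def dkim_identity(raw):
    """(signing domain, selector) from DKIM-Signature, or None if unsigned."""
    sig = message_from_string(raw, policy=default).get("DKIM-Signature")
    if sig is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in str(sig).split(";") if "=" in t)
    return tags.get("d"), tags.get("s")


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(hop)
    print("address to look up:", originating_public_ip(RAW_MESSAGE))
    print("DKIM d=, s=:", dkim_identity(RAW_MESSAGE))
```

On the constructed message the first routable hop is the vendor relay, and the selector txn2022 under d=example.com is what you would take to the team that holds the DKIM private keys to find out which transactional service signs with it.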
Technical article
Documentation from IETF RFC 5321 states that SMTP servers are required to add 'Received:' header fields, which provide a chronological trace of servers through which an email passed, including originating IP addresses and timestamps.
29 Aug 2022 - IETF RFC 5321
Technical article
Internet Assigned Numbers Authority (IANA) documentation specifies that IP addresses are allocated in blocks to Regional Internet Registries (RIRs), which then assign them to ISPs and organizations, making IP ownership traceable via WHOIS lookups.