
What could cause unfamiliar IP addresses to appear in PMT, and what steps should be taken to investigate?

Michael Ko
Co-founder & CEO, Suped
Published 14 Jun 2025
Updated 15 Aug 2025
Discovering unfamiliar IP addresses appearing in your Google Postmaster Tools (PMT) can be unsettling for any email sender. PMT is a crucial tool for monitoring your domain's email health, and unexpected IPs can indicate anything from misconfigurations to potential security breaches. My immediate concern upon seeing this would be to pinpoint the source and understand the implications for my sender reputation and overall email program.
The appearance of unknown IPs suggests that emails are being sent under your domain's authority from servers you do not recognize. This could lead to deliverability issues, including emails landing in spam folders, or even signal a broader security compromise. Prompt investigation is essential to mitigate any negative impact.

Potential causes of unfamiliar IPs

Several factors can cause unfamiliar IP addresses to surface in PMT reports. One common scenario involves various SaaS products or third-party services that send emails on your behalf, often for transactional purposes like password resets, notifications, or customer support communications. If these services are configured to use your domain for authentication, their sending IPs will appear in your PMT data.
Another possibility is a recent migration or change to your internal mail servers. If your company has moved its email infrastructure or spun up new instances, such as an Amazon SES instance for specific email types, these new IPs would naturally appear in PMT. Similarly, forgotten or low-volume SMTP connectors that suddenly reach Google's reporting threshold can also introduce new, seemingly unknown IPs.
In more concerning cases, the presence of unknown IPs might point to unauthorized sending, potentially due to a compromised account or domain spoofing. These malicious activities can severely impact your domain's reputation and lead to your legitimate emails being marked as spam or even triggering blocklist (or blacklist) listings. It's crucial to differentiate between legitimate third-party senders and potentially malicious ones to address the issue effectively.

Initial investigation steps

The first step in investigating unfamiliar IPs is to identify their owners. Tools like WHOIS lookups can help you determine the registered owner of an IP address and its associated Regional Internet Registry (RIR). This information can provide clues about whether the IP belongs to a legitimate service provider, a cloud hosting service, or an unknown entity.
Next, examine your DNS records, specifically SPF and DKIM records. An IP appearing in PMT indicates that Google received mail from it purporting to be from your domain. If your SPF record is configured incorrectly, it might authorize IPs that you don't control. Additionally, check for proper DMARC alignment, as DMARC can help identify unauthorized senders more effectively.
DMARC reports (RUA and RUF) are invaluable for forensic analysis. They provide detailed insights into all email traffic claiming to be from your domain, including the originating IPs, authentication results, and receiving mail server actions. If you don't have access to these reports, it's critical to gain it. This data can reveal if the unfamiliar IPs are legitimately sending on your behalf or if they represent a spoofing attempt against your customers.
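
As an added illustration (not code from the original article), the sketch below totals a DMARC aggregate report per source IP and sorts each address into known, unlisted but authenticated, or unlisted and failing. The sample report, `example.com`, the IP ranges and the `KNOWN_SENDERS` inventory are constructed placeholders, and the parser assumes a report without an XML namespace.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf></policy_evaluated></row>"
       "<identifiers><header_from>example.com</header_from></identifiers></record>")
# Constructed sample aggregate (RUA) report; every domain and IP is a placeholder.
SAMPLE_RUA = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
              "</policy_published>"
              + ROW.format("192.0.2.10", 120, "pass", "pass")
              + ROW.format("198.51.100.7", 15, "fail", "pass")
              + ROW.format("198.51.100.7", 3, "fail", "fail")
              + ROW.format("203.0.113.99", 40, "fail", "fail")
              + "</feedback>")

# Hypothetical inventory of approved senders (name -> CIDR).
KNOWN_SENDERS = {"corporate MTA": "192.0.2.0/24"}

def triage(xml_text, inventory=KNOWN_SENDERS):
    """Return {source_ip: {count, dmarc_pass, verdict}} for one aggregate report."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in inventory.items()}
    totals = defaultdict(lambda: {"count": 0, "dmarc_pass": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        entry = totals[row.findtext("source_ip")]
        entry["count"] += n
        entry["dmarc_pass"] += n if passed else 0
    for ip, entry in totals.items():
        addr = ipaddress.ip_address(ip)
        owner = next((name for name, net in nets.items() if addr in net), None)
        if owner:
            entry["verdict"] = "known: " + owner
        elif entry["dmarc_pass"]:
            # Authenticates as your domain but is not in the inventory:
            # an unrecorded vendor, or SPF/DKIM scope that is wider than intended.
            entry["verdict"] = "unlisted-authenticated"
        else:
            entry["verdict"] = "unlisted-failing"  # candidate spoofing source
    return dict(totals)

if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_RUA).items()):
        print(ip, entry)
```

The "unlisted-authenticated" bucket is the one that most often explains a new IP in PMT, because mail from those addresses passes authentication under your domain.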

Manual investigation

  1. Time-consuming: Requires manual lookup of each IP address and cross-referencing with internal records.
  2. Limited visibility: May not capture all sending sources, especially if they are low volume or transient.
  3. Prone to error: Easy to miss subtle indicators of malicious activity.

Advanced investigation and resolution

Once you have identified the owner of the IP addresses, correlate this information with your internal records. Review your list of authorized third-party senders, marketing platforms, and any internal systems that might send email. This helps determine if the IPs are legitimate but previously unknown to you, or if they are genuinely unauthorized. If the IPs are associated with domains that do not have matching forward and reverse DNS records, this could be a red flag for suspicious activity, as this is a common characteristic of spamming operations.
If the unfamiliar IPs appear to be related to external entities like Namecheap or other registrars, and particularly if they are associated with domains using email privacy services, it might indicate snowshoe spam. Snowshoe spam involves distributing spam across a wide range of IP addresses and domains to evade detection. If this is the case, your security and abuse teams should be immediately involved. They often have more sophisticated tools to monitor outbound traffic and analyze potential attacks.
For ongoing monitoring and to prevent future surprises, consider implementing robust DMARC reporting and blocklist monitoring solutions. These tools provide continuous visibility into your email ecosystem, allowing you to quickly detect and respond to any unauthorized or suspicious sending activity from IPs you do not recognize. Ensure your internal teams are aligned on all email sending sources.

Responding to unauthorized sending

Actionable steps for resolution

  1. Review DMARC reports: Analyze DMARC aggregate reports to identify all sending sources.
  2. Update SPF records: Ensure only authorized IPs are included in your SPF record.
  3. Enhance security measures: Implement multi-factor authentication for email platforms.
  4. Collaborate internally: Work with IT and security teams to identify unknown senders.

If, after thorough investigation, you confirm that the unfamiliar IPs are indeed unauthorized and malicious, the focus shifts to mitigation. This involves implementing a strict DMARC policy (e.g., p=quarantine or p=reject) to instruct receiving mail servers on how to handle emails that fail DMARC authentication. This will help prevent forged emails from reaching inboxes.
Additionally, consider updating your DNS records, particularly your SPF record, to explicitly exclude any unauthorized IPs. Regularly auditing your SPF and DKIM configurations is a best practice to maintain control over your email sending. For persistent issues, contacting your email service provider (ESP) or domain registrar might be necessary, especially if you suspect a larger-scale compromise or unaccounted-for email volume.
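
An SPF audit of the kind described above, and of the earlier point that a misconfigured record can authorize IPs you don't control, can be sketched as follows. This is an added example, not the article's own code: the `TXT` map stands in for DNS, and every domain and range in it is a constructed placeholder. Only `ip4`, `ip6` and `include` are evaluated; `a`, `mx`, `exists`, `redirect` and macros are out of scope.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups; all names and ranges are placeholders.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example "
                   "include:_spf.old-crm.example ~all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.0/28 -all",
    "_spf.old-crm.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.18.0.0/15 -all",
}

def expand(domain, txt=TXT, path=(), seen=None):
    """Yield (network, include_path) for each range the record passes, following includes."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in txt:  # stop on include loops and missing records
        return
    seen.add(domain)
    for term in txt[domain].split()[1:]:     # skip the leading "v=spf1"
        term = term.lower().lstrip("+")      # "+" is the default (pass) qualifier
        if term.startswith(("ip4:", "ip6:")):
            yield ipaddress.ip_network(term[4:], strict=False), path + (domain,)
        elif term.startswith("include:"):
            yield from expand(term[8:], txt, path + (domain,), seen)

def who_authorizes(ip, domain, txt=TXT):
    """List the include chain and range that let `ip` pass SPF for `domain`."""
    addr = ipaddress.ip_address(ip)
    return [(" -> ".join(p), str(net)) for net, p in expand(domain, txt) if addr in net]

def broad_ranges(domain, txt=TXT, min_prefix=20):
    """Flag IPv4 ranges wider than /min_prefix, which deserve a manual review."""
    return [(" -> ".join(p), str(net)) for net, p in expand(domain, txt)
            if net.version == 4 and net.prefixlen < min_prefix]

if __name__ == "__main__":
    print(who_authorizes("198.18.7.25", "example.com"))
    print(broad_ranges("example.com"))
```

Run against the real record chain, the include path tells you which vendor entry to remove or narrow when an unfamiliar IP turns out to be SPF-authorized.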

Maintaining email security and trust

The appearance of unfamiliar IP addresses in PMT is a call to action. While it can stem from legitimate, but unacknowledged, third-party senders, it also serves as a critical warning for potential security vulnerabilities or malicious activity. Proactive monitoring, thorough investigation using DMARC reports, and close collaboration with your security teams are fundamental to maintaining a healthy sender reputation and ensuring the integrity of your email program.
Staying vigilant and promptly addressing any anomalies will safeguard your domain's trustworthiness and ensure your emails consistently reach their intended recipients. Remember that a clean reputation is built on consistent authentication and quick responses to potential threats.

Views from the trenches

Best practices

  1. Always maintain comprehensive DMARC monitoring to track all sending sources for your domain.
  2. Regularly audit your SPF and DKIM records to ensure they accurately reflect all authorized senders.
  3. Work closely with your IT and security teams to identify and validate any unknown IP addresses.
  4. Keep an inventory of all third-party services authorized to send emails on your domain's behalf.

Common pitfalls

  1. Ignoring unfamiliar IP addresses, assuming they are harmless or Postmaster Tools errors.
  2. Lack of a centralized inventory for all email sending services and their associated IPs.
  3. Not having access to or regularly reviewing DMARC aggregate and forensic reports.
  4. Failing to update DNS records after changes to mail infrastructure or third-party senders.

Expert tips

  1. Implement a DMARC 'p=reject' policy gradually to prevent unauthorized email delivery.
  2. Utilize IP reputation services to quickly assess the risk level of unfamiliar IP addresses.
  3. Conduct periodic email deliverability audits to catch issues before they escalate.
  4. Educate internal teams about email sending policies and security best practices.

Expert view

Expert from Email Geeks says that sometimes someone within a company might be using a SaaS product, inadvertently sending email from their domain via an unfamiliar IP address for authentication purposes.
2020-12-10 - Email Geeks

Expert view

Expert from Email Geeks says that companies moving internal mail servers can lead to new, unfamiliar IP addresses appearing in PMT.
2020-12-10 - Email Geeks
