What should I do if an unexpected IP address appears in Google Postmaster Tools?

Key findings

• Authentication Signal: If an IP appears in Google Postmaster Tools, it means that an email originating from that IP address successfully authenticated as your domain.
• Potential Sources: Unexpected IPs can stem from overlooked third-party email service providers (ESPs), internal systems (like CRMs or HR platforms), corporate mail servers, or even email forwarding that doesn't alter DKIM signatures.
• SPF Discrepancies: An unfamiliar IP might appear even if it's not explicitly included in your SPF record, indicating a sending source that you need to account for.
• Shared IP Considerations: Some ESPs use shared IP pools that might change or expand, leading to new IPs appearing in your reports, as explained by Mailgun.

Key considerations

• DMARC Reports: Leverage your DMARC aggregate reports as the primary source to identify all IPs sending on your behalf and confirm their authentication status.
• Source Identification: Conduct a reverse lookup (WHOIS lookup) on the IP address to determine its owner, which can hint at the sending entity. This is one of the key steps to investigate unfamiliar IP addresses in Postmaster Tools.
• Audit Sending Services: Review all your ESPs and any other platforms that might send email for your domain, including transactional or marketing automation services.
• SPF Record Updates: Ensure your SPF record is comprehensive and includes all authorized sending IPs and domains to prevent legitimate traffic from being flagged as unauthorized.

Key opinions

• Overlooked ESPs: Many marketers find the unexpected IP belongs to an ESP or service they use but hadn't considered, like transactional email providers or marketing automation platforms, as highlighted in SocketLabs' guide to Postmaster Tools.
• SPF Record Checks: Marketers frequently check their SPF records to see if the IP is listed and if it aligns with their authorized sending ranges.
• DMARC Data Challenges: Processing raw DMARC XML reports can be cumbersome for marketers without dedicated tools, delaying investigations.
• Shared IP Pools: Some marketers using shared IPs acknowledge that new IPs can appear without direct notification from their ESP.

Key considerations

• Comprehensive Inventory: Maintain an up-to-date inventory of all services and systems authorized to send email on behalf of your domain.
• Cross-Referencing: Compare the unexpected IP with the IP ranges provided by your ESPs and any other known sending services.
• DNS Verification: Regularly verify your DNS records, including SPF and DKIM, to ensure they accurately reflect your current sending infrastructure.
• Timely Investigation: Address unexpected IPs promptly to prevent potential negative impacts on your sender reputation and deliverability. Delays can lead to emails landing in spam folders or being blocked entirely.

Key opinions

• Authentication Validation: Experts agree that if an IP shows up in GPM, it means it successfully authenticated as your domain, signifying that it's an authorized (or spoofed) sender.
• DMARC as Key: The consensus is that DMARC reports are the most effective way to identify and analyze all IP addresses sending on behalf of a domain, providing the necessary visibility into authenticated and unauthenticated traffic. More details are available in the Iterable blog on Google Postmaster Tools.
• Investigative Tools: Using tools like WHOIS, reverse DNS lookups (dig), and even command-line utilities like grep for raw DMARC data are standard expert recommendations.
• Root Cause Analysis: The goal is always to pinpoint the exact origin, whether it's corporate mail, a forwarding service, or a newly adopted ESP, to resolve the discrepancy.

Key considerations

• DMARC Implementation: If not already in place, implement DMARC with reporting enabled to gain full visibility into your sending ecosystem.
• Thorough Investigation: Don't dismiss an unexpected IP; investigate it fully, even if it seems benign, as it could signal a lapse in your email security or configuration.
• Regular Audits: Periodically audit all your sending sources and ensure they are properly configured within your SPF and DKIM records.
• Expert Assistance: If the source remains elusive or the issue persists, consider consulting with a deliverability expert to help pinpoint the cause and mitigate any risks. Understanding IP reputation in Postmaster Tools is critical.

Key findings

• Data Aggregation: Google Postmaster Tools aggregates data based on email authentication to provide insights into traffic originating from specific IP ranges, indicating how closely you should monitor your email's journey to the inbox.
• DMARC Visibility: DMARC aggregate reports (RUA) are designed to offer domain owners comprehensive visibility into all mail streams using their domain, regardless of their SPF or DKIM alignment.
• IP Ownership Data: Public internet registries (like ARIN, RIPE NCC) maintain databases of IP address allocations, allowing for queries to identify the registered organization behind an IP.
• Sender Responsibility: Documentation often places the onus on senders to ensure all their legitimate sending IPs, whether shared or dedicated, are properly authorized and included in their SPF records.

Key considerations

• Strict DMARC Policy: Best practices recommend moving towards a stricter DMARC policy (p=quarantine or p=reject) once you have full visibility of your sending sources to prevent unauthorized sending.
• Regular Review: Domains should regularly review their DMARC aggregate reports to detect any anomalous sending activity from unapproved or unexpected sources, reinforcing the benefits of DMARC.
• Dynamic IP Pools: Cloud-based email services may utilize dynamic IP pools, meaning the set of IPs sending on your behalf can change over time, requiring continuous monitoring.
• Configuration Accuracy: Accurate configuration of SPF and DKIM records for all sending sources is fundamental for proper attribution in Postmaster Tools and overall deliverability.