When you’re analyzing DMARC reports, you might notice the Unknown column and might be wondering about those Unknown sources. What do they mean? Should you be worried?
Any Unknown source is either a legitimate sender that needs to be authorized by your SPF record in DNS or an illegal sender that should not be sending emails on your behalf.
You’ll want to click on the Unknown number in the dashboard and look at the sending IP addresses.
For your convenience, you can click on the domain name in the Domains Overview dashboard and examine your sending sources.
GlockApps DMARC Analyzer: Email sources
To understand which senders are legitimate and which ones are not, you can create a list of all of the services that you use and then narrow the list down to services that send emails on your behalf. Those will be your legitimate sending sources.
In GlockApps, your legimiate senders, which are authorized by the SPF record published for your domain, are shown in the Known category.
Unknown sources are typically illegal senders using your domain without authorization. If you notice a legitimate sender among the Unknown ones, you need to correct the SPF record and include that sender.
Unknown sources that you don’t recognize may be malicious. If the volume they sent is low, it’s not worth worrying about. For an unknown source with a high volume, you may want to take some action to protect your domain.
Using the “quarantine” or “reject” DMARC policy, you can tell email receivers to send malicious emails to Spam or block them at a gateway.
However, you should set the “quarantine” or “reject” policy only when you see a large number of messages from a malicious source or when your DMARC compliance rate for legitimate sources is 99-100%. Otherwise, the risk of blocking legitimate emails is higher than the risk of letting a small number of illegitimate emails through.
In addition to the policy, you can also specify a percentage (pct) value that governs the percentage of emails to which the DMARC policy is applied. It’s recommended that you start doing it to a small percentage and then increase it every one-two weeks:
Monitor all (p=none; pct=100;)
Quarantine 25% (p=quarantine; pct=25)
Quarantine 50% (p=quarantine; pct=50)
Quarantine 75% (p=quarantine; pct=75)
Quarantine all (p=quarantine; pct=100)
Reject 25% (p=reject; pct=25)
Reject 50% (p=reject; pct=50)
Reject 75% (p=reject; pct=75)
Reject all (p=reject; pct=100)
This gradual increase helps minimize the risks of losing legitimate emails whilst also starting to provide a level of filtering to protect your domain and control email delivery.