When you’re analyzing DMARC reports, you might notice the Unknown column and wonder what those Unknown sources are. What do they mean? Should you be worried?
Any Unknown source is either a legitimate sender that still needs to be authorized by your SPF record in DNS, or an illegitimate sender that should not be sending emails on your behalf.
You’ll want to click on the Unknown number in the dashboard and look at the sending IP addresses.
For your convenience, you can group the records by Organization or Host as it is sometimes difficult to correlate the sending IP with the service.
For legitimate senders, verify the SPF record and add their IP addresses to it, or publish a correct SPF record if one doesn’t exist yet. If you notice senders that are unfamiliar to you, you can generally ignore them unless you see a large number of messages.
To understand which senders are legitimate and which ones are not, you can create a list of all of the services that you use and then narrow the list down to services that send emails on your behalf. Review each service’s configuration for SPF and DKIM to ensure that they’re correctly configured.
Unknown sources that you don’t recognize may be malicious. If the volume they send is low, it’s not worth worrying about. For an unknown source with a high volume, you may want to take action to protect your domain.
Using the “quarantine” or “reject” DMARC policy, you can tell email receivers to send messages that fail DMARC to Spam or block them at the gateway.
However, you should set the “quarantine” or “reject” policy only when you see a large number of messages from a malicious source or when your DMARC compliance rate for legitimate sources is 99-100%. Otherwise, the risk of blocking legitimate emails is higher than the risk of letting a small number of illegitimate emails through.
In addition to the policy, you can also specify a percentage (pct) value that governs the percentage of emails to which the DMARC policy is applied. It’s recommended that you start with a small percentage and then increase it every one to two weeks:
Monitor all (p=none; pct=100)
Quarantine 25% (p=quarantine; pct=25)
Quarantine 50% (p=quarantine; pct=50)
Quarantine 75% (p=quarantine; pct=75)
Quarantine all (p=quarantine; pct=100)
Reject 25% (p=reject; pct=25)
Reject 50% (p=reject; pct=50)
Reject 75% (p=reject; pct=75)
Reject all (p=reject; pct=100)
This gradual increase helps minimize the risks of losing legitimate emails whilst also starting to provide a level of filtering to protect your domain and control email delivery.
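As an added example (not code from this article or from any DMARC reporting product), the Python below ties the two halves of the procedure together: it parses a constructed aggregate (RUA) report, separates sources that match your sender inventory from Unknown ones, flags aligned Unknown senders as services missing from the inventory and unaligned high-volume ones as worth attention, computes the compliance rate of the inventoried senders, and advances one rung up the rollout ladder above only when that rate meets the 99% bar. The sender inventory (192.0.2.0/28), the 500-message threshold and the rua address are assumptions.

```python
"""Sort DMARC aggregate-report sources into inventoried vs. Unknown and plan the next policy step."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report, trimmed to the elements used below.
SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>constructed-receiver</org_name><report_id>sample-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>3000</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>
"""

# Hypothetical inventory: services you know send mail for the domain, keyed to their IP ranges.
KNOWN_SENDERS = {"mail-platform": ipaddress.ip_network("192.0.2.0/28")}

HIGH_VOLUME = 500       # assumption: unaligned Unknown sources at or above this count get attention
MIN_COMPLIANCE = 0.99   # the 99-100% bar for moving past p=none

# The rollout ladder from the article, in order.
ROLLOUT_LADDER = [("none", 100), ("quarantine", 25), ("quarantine", 50), ("quarantine", 75),
                  ("quarantine", 100), ("reject", 25), ("reject", 50), ("reject", 75), ("reject", 100)]


def parse_report(xml_text):
    """Flatten each <record> of the report into ip / count / dkim / spf."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        rows.append({
            "ip": ipaddress.ip_address(row.findtext("source_ip").strip()),
            "count": int(row.findtext("count")),
            "dkim": (ev.findtext("dkim") or "fail").strip(),
            "spf": (ev.findtext("spf") or "fail").strip(),
        })
    return rows


def sender_name(ip, known=KNOWN_SENDERS):
    """Map a source IP to an inventoried service, or None if it is Unknown."""
    return next((name for name, net in known.items() if ip in net), None)


def summarize(rows, known=KNOWN_SENDERS, high_volume=HIGH_VOLUME):
    """Compliance rate of inventoried senders plus a breakdown of Unknown sources."""
    known_total = known_pass = 0
    unknown = {}
    for r in rows:
        aligned = r["dkim"] == "pass" or r["spf"] == "pass"   # DMARC passes if either result aligns
        if sender_name(r["ip"], known) is not None:
            known_total += r["count"]
            known_pass += r["count"] if aligned else 0
        else:
            entry = unknown.setdefault(str(r["ip"]), {"count": 0, "aligned": False})
            entry["count"] += r["count"]
            entry["aligned"] = entry["aligned"] or aligned
    return {
        "compliance": known_pass / known_total if known_total else 0.0,
        "unknown": unknown,
        # aligned Unknown senders are most likely legitimate services missing from the inventory/SPF
        "missing_from_inventory": sorted(ip for ip, e in unknown.items() if e["aligned"]),
        # unaligned, high-volume Unknown senders are the ones worth acting on
        "high_volume_unknown": sorted(ip for ip, e in unknown.items()
                                      if not e["aligned"] and e["count"] >= high_volume),
    }


def next_stage(current, compliance, min_compliance=MIN_COMPLIANCE):
    """Advance one rung on the ladder only when inventoried senders meet the compliance bar."""
    idx = ROLLOUT_LADDER.index(current)
    if compliance < min_compliance or idx == len(ROLLOUT_LADDER) - 1:
        return current
    return ROLLOUT_LADDER[idx + 1]


def dmarc_txt(stage, rua="mailto:dmarc-reports@example.com"):
    """Render the DMARC TXT record for a ladder stage (the rua address is a placeholder)."""
    p, pct = stage
    return f"v=DMARC1; p={p}; pct={pct}; rua={rua}"


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_RUA_XML))
    print(f"compliance of inventoried senders: {summary['compliance']:.1%}")
    print("add to SPF/inventory:", summary["missing_from_inventory"])
    print("high-volume unknown:", summary["high_volume_unknown"])
    print("next record:", dmarc_txt(next_stage(("none", 100), summary["compliance"])))
```

Run against the sample, the inventoried sender is 100% compliant, 203.0.113.9 is reported as a DKIM-signing service to add to the inventory, 198.51.100.5 is the high-volume Unknown source, and the suggested next record moves from p=none to p=quarantine; pct=25. Feed it a report where an inventoried sender fails and next_stage stays put, which is the point of the 99% rule.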