Email Source Discovery
Before implementing DMARC enforcement, you must identify all legitimate sources sending email from your domain. Missing even one source can cause delivery failures.
Pre-Implementation Audit Checklist
Complete this checklist before moving to DMARC enforcement:
Infrastructure
- [ ] Primary mail server(s) / email provider
- [ ] Backup/secondary MX servers
- [ ] On-premises mail servers (if any)
- [ ] Mail relay servers
Business Applications
- [ ] CRM system (Salesforce, HubSpot, etc.)
- [ ] Marketing automation platform
- [ ] Support/helpdesk system
- [ ] E-commerce platform
- [ ] ERP/accounting system notifications
Transactional Email
- [ ] Password reset emails
- [ ] Order confirmations
- [ ] Shipping notifications
- [ ] Invoice/billing emails
- [ ] Account notifications
Development & Operations
- [ ] Application error alerts
- [ ] Monitoring/alerting systems
- [ ] CI/CD pipeline notifications
- [ ] Log aggregation alerts
- [ ] Server notifications (cron jobs, etc.)
Internal Tools
- [ ] HR systems
- [ ] Internal wikis/documentation
- [ ] Project management tools
- [ ] Calendar/scheduling systems
- [ ] Intranet applications
Third-Party Services
- [ ] Survey tools
- [ ] Webinar platforms
- [ ] Social media management
- [ ] Press release distribution
- [ ] Partner/vendor systems
Finding All Outbound Email Sources
Method 1: DMARC Report Analysis
The most reliable method is analyzing DMARC aggregate reports.
- Publish a monitoring DMARC record:

```
v=DMARC1; p=none; rua=mailto:your-id@reports.mailshield.app
```

- Wait 2-4 weeks for comprehensive data
- Review reports in MailShield:
  - Go to your domain's Reports section
  - Check the Senders breakdown
  - Review all source IPs and hostnames
- Categorize each source:
| Source IP/Host | Identified As | Action Needed |
|---|---|---|
| 209.85.x.x | Google Workspace | Already configured |
| 168.245.x.x | SendGrid | Add SPF include |
| Unknown | Investigate | Determine if legitimate |
Method 2: Email Server Logs
If you manage your own mail servers, analyze outbound logs:
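Postfix:

```bash
# Tally delivered messages by log field 7, which is the to=<recipient>
# field in the classic syslog line format
grep "status=sent" /var/log/mail.log | awk '{print $7}' | sort | uniq -c
```

Exchange: Review Message Tracking Logs in Exchange Admin Center.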
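To attribute delivered mail to the system that submitted it, the Postfix log lines for one message can be joined on their queue ID. The following is an added example, not part of the original guide; the log lines are constructed, and the host names, addresses and the `outbound_sources` helper are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the classic Postfix syslog format.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[811]: 4A1B2C3D4E: client=app01.internal[10.0.5.21]
Mar  3 10:00:01 mx1 postfix/qmgr[402]: 4A1B2C3D4E: from=<noreply@yourdomain.com>, size=2101, nrcpt=1 (queue active)
Mar  3 10:00:02 mx1 postfix/smtp[903]: 4A1B2C3D4E: to=<a@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.9, status=sent (250 2.0.0 OK)
Mar  3 10:05:10 mx1 postfix/smtpd[811]: 5F6A7B8C9D: client=printer3.internal[10.0.9.40]
Mar  3 10:05:10 mx1 postfix/qmgr[402]: 5F6A7B8C9D: from=<scanner@yourdomain.com>, size=88211, nrcpt=1 (queue active)
Mar  3 10:05:12 mx1 postfix/smtp[903]: 5F6A7B8C9D: to=<b@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.4, status=deferred (connection timed out)
Mar  3 10:09:40 mx1 postfix/smtp[903]: 5F6A7B8C9D: to=<b@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=270, status=sent (250 2.0.0 OK)
Mar  3 10:06:00 mx1 postfix/pickup[400]: 6E7F8A9B0C: uid=0 from=<root>
Mar  3 10:06:00 mx1 postfix/qmgr[402]: 6E7F8A9B0C: from=<root@yourdomain.com>, size=512, nrcpt=1 (queue active)
Mar  3 10:06:01 mx1 postfix/smtp[903]: 6E7F8A9B0C: to=<ops@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.5, status=sent (250 2.0.0 OK)
"""

# daemon name (with optional service prefix), queue ID, rest of the line
LINE = re.compile(r"postfix/(?:\w+/)?(\w+)\[\d+\]: (\w+): (.*)")

def outbound_sources(log_text, domain="yourdomain.com"):
    """Count remote deliveries per (submitting client, envelope sender)."""
    client, sender, sent = {}, {}, Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            client[qid] = rest.split("=", 1)[1].split(",")[0]
        elif daemon == "pickup":            # sendmail/cron on the host itself
            client[qid] = "local submission (pickup)"
        elif daemon == "qmgr" and rest.startswith("from=<"):
            sender[qid] = rest[6:rest.index(">")]
        elif daemon == "smtp" and "status=sent" in rest:
            sent[qid] += 1                  # deferred attempts are ignored
    totals = Counter()
    for qid, n in sent.items():
        frm = sender.get(qid, "")
        # Envelope sender at the domain or a subdomain of it
        if frm.endswith("@" + domain) or frm.endswith("." + domain):
            totals[(client.get(qid, "unknown"), frm)] += n
    return totals
```

The log shows the envelope sender, while DMARC evaluates the From header, so treat the result as a list of systems to put in the inventory rather than a DMARC verdict.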
Method 3: Network Analysis
Review firewall logs for outbound SMTP traffic (ports 25, 465, 587):
- Identify all internal IPs sending email
- Match to servers/applications
- Document unexpected sources
Method 4: DNS Audit
Check existing SPF record for clues:

```bash
dig TXT yourdomain.com +short
```

Each `include:` mechanism represents a known sender.
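The `dig` output can be turned into a list of declared senders for the inventory. This is an added example, not part of the original guide; the TXT records are constructed, the `spf_senders` helper is hypothetical, and it also covers `ip4`/`ip6`, `a`, `mx` and `redirect=` terms, which name senders just as `include:` does.

```python
import shlex

# Constructed `dig TXT yourdomain.com +short` output. The SPF record is split
# into two quoted strings, which DNS permits for long TXT records.
DIG_OUTPUT = '''\
"google-site-verification=constructed-placeholder"
"v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.0/28" " a:mail.yourdomain.com mx ~all"
'''

def spf_senders(dig_output):
    """Return the sender-identifying terms of the domain's SPF record."""
    records = []
    for line in dig_output.splitlines():
        # Per RFC 7208, the quoted strings of one TXT record are joined
        # with nothing inserted between them.
        txt = "".join(shlex.split(line))
        if txt.lower().split(" ")[0] == "v=spf1":
            records.append(txt)
    if len(records) != 1:
        # More than one SPF record is a permanent error for receivers,
        # so that has to be fixed before the terms mean anything.
        raise ValueError(f"expected one SPF record, found {len(records)}")
    found = {"include": [], "ip": [], "host": [], "redirect": [], "all": None}
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "include":
            found["include"].append(value)
        elif name in ("ip4", "ip6"):
            found["ip"].append(value)
        elif name.split("/")[0] in ("a", "mx"):
            found["host"].append(mech)
        elif name.startswith("redirect="):
            found["redirect"].append(name[len("redirect="):])
        elif name == "all":
            found["all"] = qualifier
    return found
```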
Inventory Template
Use this spreadsheet format to track your email sources:
| Source Name | Type | SPF Configured | DKIM Configured | Volume | Priority | Notes |
|---|---|---|---|---|---|---|
| Google Workspace | Primary email | ✅ | ✅ | High | Critical | Main email |
| SendGrid | Transactional | ✅ | ✅ | Medium | High | Order emails |
| Mailchimp | Marketing | ✅ | ❌ | Low | Medium | Newsletters |
| Legacy CRM | Internal | ❌ | ❌ | Low | Low | Migrating |
Inventory Fields Explained
- Source Name: Service or system name
- Type: Primary email, transactional, marketing, internal, etc.
- SPF Configured: Is the service in your SPF record?
- DKIM Configured: Is DKIM signing enabled with your domain?
- Volume: Approximate email volume (high/medium/low)
- Priority: Impact if this source fails (critical/high/medium/low)
- Notes: Migration status, special configuration, etc.
Common Overlooked Sources
These sources are frequently missed during discovery:
Transactional/Automated
| Source | Sends What | Often Missed Because |
|---|---|---|
| Password reset systems | Security emails | Separate from main app |
| Scheduled reports | Automated reports | Run by cron/scheduler |
| Error alerting | Exception notifications | Dev/ops only |
| Backup systems | Completion/failure alerts | Infrastructure team |
| SSL certificate monitors | Expiry warnings | Security team |
Marketing/Sales
| Source | Sends What | Often Missed Because |
|---|---|---|
| Webinar platforms | Invites, reminders | Marketing only |
| Survey tools | Survey invitations | Occasional use |
| Social scheduling | Notification emails | Managed by social team |
| Lead gen forms | Auto-responders | Setup and forgotten |
| Event platforms | Registration emails | Used infrequently |
Internal/HR
| Source | Sends What | Often Missed Because |
|---|---|---|
| HRIS/payroll | Pay stubs, benefits | HR managed |
| Training platforms | Course notifications | L&D managed |
| Expense systems | Approval requests | Finance managed |
| IT ticketing | Ticket updates | IT internal |
| Printer/scanner | Scan-to-email | Office equipment |
Interviewing Stakeholders
Different teams manage different email sources. Interview these stakeholders:
IT/Infrastructure
- What mail servers do we operate?
- What monitoring/alerting sends email?
- Any legacy systems still sending email?
Marketing
- What marketing platforms do we use?
- Any A/B testing or experimental tools?
- Third-party agencies sending on our behalf?
Sales
- CRM email integrations?
- Sales engagement platforms?
- Partner relationship tools?
Development
- What applications send email?
- Which environments send email? (prod, staging, dev)
- Error notification systems?
Customer Support
- Helpdesk/ticketing platform?
- Chat/messaging systems with email fallback?
- Customer survey tools?
HR
- Payroll/HRIS notifications?
- Recruiting platform emails?
- Training/LMS notifications?
Finance
- Invoice/billing systems?
- Expense reporting emails?
- Vendor payment notifications?
Sample Interview Questions
- "Does your team use any tool that sends email to customers or employees?"
- "Are there any automated reports or alerts sent via email?"
- "Do you work with any vendors who send email on our behalf?"
- "Are there any legacy systems still in use that might send email?"
- "Do you manage any email templates or notification settings?"
Using DMARC Reports for Discovery
Reading Source Data
In DMARC aggregate reports, each <record> element shows:
```xml
<record>
  <row>
    <source_ip>192.0.2.1</source_ip>
    <count>150</count>
  </row>
  <identifiers>
    <header_from>yourdomain.com</header_from>
  </identifiers>
  <auth_results>
    <spf>
      <domain>yourdomain.com</domain>
      <result>pass</result>
    </spf>
    <dkim>
      <domain>yourdomain.com</domain>
      <result>pass</result>
    </dkim>
  </auth_results>
</record>
```

MailShield's Sender Identification
MailShield automatically identifies many sources:
- Go to your domain's Reports tab
- View the Senders breakdown
- Known services are labeled automatically
- Unknown IPs show for investigation
Investigating Unknown Sources
For unidentified source IPs:
- Reverse DNS lookup:

```bash
dig -x 192.0.2.1
```

- WHOIS lookup:

```bash
whois 192.0.2.1
```

- Check IP ranges against known services:
  - Cloud provider IP ranges (AWS, Google Cloud, Azure)
  - Email service provider documentation
- Cross-reference with your inventory:
  - Does this match any known service's infrastructure?
  - Is this a datacenter you use?
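The report-reading and range-matching steps above can be combined in a short script that totals each source IP's volume from the `<record>` elements and matches it against ranges already attributed in the inventory. This is an added example, not MailShield's code; the report data is constructed, and the inventory ranges and helper names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: four <record> elements in the layout shown above.
REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count></row>"
       "<identifiers><header_from>yourdomain.com</header_from></identifiers>"
       "<auth_results><spf><domain>{d}</domain><result>{r}</result></spf>"
       "</auth_results></record>")
SAMPLE = "<feedback>" + "".join([
    REC.format(ip="192.0.2.1", n=150, d="yourdomain.com", r="pass"),
    REC.format(ip="192.0.2.1", n=50, d="yourdomain.com", r="pass"),
    REC.format(ip="198.51.100.7", n=12, d="bounce.example.net", r="pass"),
    REC.format(ip="203.0.113.9", n=3, d="yourdomain.com", r="fail"),
]) + "</feedback>"

# Hypothetical inventory: CIDR ranges already attributed to a known sender.
INVENTORY = {"192.0.2.0/24": "Primary mail provider",
             "198.51.100.0/24": "Transactional ESP"}

def owner_of(ip, inventory):
    addr = ipaddress.ip_address(ip)
    return next((name for cidr, name in inventory.items()
                 if addr in ipaddress.ip_network(cidr)), "Unknown")

def triage(report_xml, inventory):
    """Sum counts per source IP; note any SPF/DKIM pass for the exact
    header_from domain (DMARC's relaxed alignment also accepts subdomains)."""
    # Reports arrive from third parties; for real mail, parse them with a
    # hardened parser such as defusedxml rather than the stdlib default.
    root = ET.fromstring(report_xml)
    for el in root.iter():                  # tolerate namespaced reports
        el.tag = el.tag.rsplit("}", 1)[-1]
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        from_dom = rec.findtext("identifiers/header_from")
        s = sources.setdefault(ip, {"count": 0, "aligned_pass": False,
                                    "owner": owner_of(ip, inventory)})
        s["count"] += int(rec.findtext("row/count"))
        for res in rec.iterfind("auth_results/*"):   # each <spf> / <dkim>
            if res.findtext("result") == "pass" and res.findtext("domain") == from_dom:
                s["aligned_pass"] = True
    return sources

def needs_action(sources):
    """IPs to investigate or fix: unknown owner, or no aligned pass."""
    return sorted(ip for ip, s in sources.items()
                  if s["owner"] == "Unknown" or not s["aligned_pass"])
```

In the sample, 198.51.100.7 belongs to a known sender but passes SPF only for a different domain, so it is listed for configuration work alongside the unknown 203.0.113.9.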
Action Plan Template
After discovery, create an action plan:
| Priority | Source | Action | Owner | Due Date | Status |
|---|---|---|---|---|---|
| 1 | SendGrid | Add to SPF | IT | Week 1 | ⬜ |
| 1 | SendGrid | Configure DKIM | IT | Week 1 | ⬜ |
| 2 | Mailchimp | Add to SPF | Marketing | Week 1 | ⬜ |
| 2 | Mailchimp | Configure DKIM | Marketing | Week 2 | ⬜ |
| 3 | Legacy CRM | Plan migration | IT | Week 4 | ⬜ |
Next Steps
After completing discovery:
- Configure all sources - Third-Party Senders
- Begin enforcement - DMARC Enforcement Roadmap
- Monitor progress - Viewing Reports