5
Apr 16

SPF-Identified Servers - How and Why

To turn DMARC into something useful to people, dmarcian processes DMARC data using a big pile of rules.  These rules identify sources of email, and dmarcian presents users with DMARC compliance information based on email source.

One identified source of email is called "SPF-Identified Servers", and dmarcian users are often curious as to how data ends up in this source.  How and why this source works is explained below.

SPF allows a domain owner to publish a list of servers that are allowed to send on behalf of a domain.  When processing a domain's DMARC data, dmarcian will use the domain's SPF-published list of servers to identify chunks of infrastructure that are related to the domain.

dmarcian maintains a large set of rules to identify infrastructure.  (Identified infrastructure is published by dmarcian on dmarc.io.)  If a piece of DMARC data can be identified using an existing rule, it will be.  However, the bits of data that are not immediately identified by an existing rule might match something found in the domain's list of SPF-identified servers.  If so, then that data is placed into the "SPF-Identified Servers" source.

The identification of "SPF-Identified Servers" is dynamic, as it is based on whatever is discovered in a domain's SPF-published list of servers.  This dynamic source is great for dmarcian as it allows the site to produce meaningful results using the domain owner's own declaration of what they consider should be considered authorized.

Sometimes this source is populated with surprising data.  One reason is due to how SPF is often misunderstood, which leads people to add lots of unnecessary stuff to their SPF records.  The other reason is that some sources of email send out lots of different types of email, and the rules that dmarcian maintains are not 100% accurate.  For example: Google, Microsoft, and Yahoo run huge infrastructures that emit email directly on behalf of domains, indirectly through forwarding, and sometimes they offer people the ability to run their own email servers which can produce odd email streams.  Sorting the resulting DMARC data out and making it relevant to people is not always an exact science!

If you encounter weird results in your "SPF-Identified Servers", feel free to contact support@dmarcian.com and we'll take a look.

Tags: