DMARC on Sender Audit Blog

Shadow IT and Email: The Tools Sending on Your Behalf Without You Knowing

Tue, 28 Apr 2026 00:00:00 +0000

You’ve configured SPF, DKIM, and DMARC. Your email infrastructure is under control. Then one day, while analyzing your DMARC reports, you discover dozens of unknown IPs sending emails on behalf of your domain. Not phishing - internal tools that nobody in IT ever approved.

Welcome to the world of email shadow IT.

What Is Email Shadow IT

Shadow IT refers to the use of technology services without explicit approval from the IT team. Applied to email, it’s extremely common: business teams configure SaaS tools to send emails from your domain without going through IT.

Email and DNS: Every Record You Need to Know

Sun, 26 Apr 2026 00:00:00 +0000

DNS is the invisible foundation of email. Without the right records, your emails won’t be delivered, authenticated, or encrypted. Here are all the DNS records a sending domain needs to know and configure.

Overview

Record	Type	Role
MX	MX	Where to deliver emails for your domain
SPF	TXT	Who can send for your domain
DKIM	TXT/CNAME	Public key for verifying signatures
DMARC	TXT	SPF + DKIM alignment policy
MTA-STS	TXT + HTTPS	Enforce TLS encryption
TLS-RPT	TXT	Reports on TLS failures
BIMI	TXT	Verified logo in the inbox
PTR	PTR	Reverse DNS for your sending IPs

MX: Where to Deliver Emails

The MX (Mail Exchange) record specifies which servers receive emails for your domain.

Email Headers Explained: From Received to ARC

Mon, 20 Apr 2026 00:00:00 +0000

Email headers contain the complete story of a message’s journey: who sent it, which servers it passed through, whether authentication succeeded, and why it landed in spam. Knowing how to read them means knowing how to diagnose.

How to Access Headers

Gmail: open the email → ⋮ → “Show original”
Outlook: open the email → File → Properties → “Internet headers”
Apple Mail: View → Message → All Headers
Thunderbird: View → Message Source

Or paste them directly into Sender Audit’s Header Analyzer for a visual analysis.

DMARC: Safely Migrating from p=none to p=reject

Sat, 11 Apr 2026 00:00:00 +0000

You’ve published your DMARC record with p=none. That’s a good start, but p=none blocks nothing: fraudulent emails still get through. The end goal is p=reject, and this guide walks you through the migration without breaking your legitimate mail flows.

Why p=none Isn’t Enough

With p=none, you’re asking mailbox providers to do nothing when an email fails DMARC. You receive RUA reports, but:

Emails spoofing your domain still reach inboxes
Your domain can be used for phishing
Google and Yahoo now require a published DMARC record, but the real benefits start at p=quarantine or p=reject

Recommended Timeline

Week	Policy	Goal
W1-W2	`p=none; rua=mailto:...`	Collect reports, inventory sources
W3-W4	Report analysis	Identify each source IP, fix SPF/DKIM
W5-W6	`p=quarantine; pct=10`	Test on 10% of traffic
W7-W8	`p=quarantine; pct=50`	Gradually increase
W9-W10	`p=quarantine; pct=100`	Observe for 2 weeks
W11-W12	`p=reject; pct=10`	Begin gradual rejection
W13-W14	`p=reject; pct=50`	Scale up
W15+	`p=reject; pct=100; sp=reject`	Full protection

This timeline is indicative. The key is to never skip a step without verifying that reports are clean.

Reading and Understanding DMARC Reports (RUA)

Sun, 05 Apr 2026 00:00:00 +0000

You’ve configured DMARC with a rua= tag and reports are starting to arrive. But what do you do with these often incomprehensible XML files? This guide teaches you how to read them, interpret them, and take concrete action.

What Is a DMARC RUA Report

An RUA (Report URI Aggregate) report is an XML file sent daily by mailbox providers (Google, Microsoft, Yahoo, etc.) to the address defined in your DMARC record.

How to Configure DMARC to Protect Your Domain

Wed, 18 Feb 2026 00:00:00 +0000

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that protects your domain against spoofing and phishing. In this guide, we’ll walk through how to set it up properly.

Why DMARC Is Essential

Without DMARC, anyone can send emails pretending to be your domain. The consequences are serious:

Phishing: malicious actors can impersonate your brand
Damaged reputation: ISPs may penalize your domain
Lost trust: your recipients can no longer tell which emails are legitimate

According to the FBI, business email compromise (BEC) scams, many of which exploit missing DMARC, caused over $2.7 billion in losses in 2022 alone.