
DMARC Client Discovery: How to Find Every Sending Source

A field-tested discovery playbook for MSPs identifying every system sending as a client domain — combining DMARC reports, DNS analysis, and stakeholder interviews.

01

Introduction

DMARC client discovery — the work of identifying every system sending mail as a client's domain — is the first deliverable of any DMARC engagement. Done thoroughly, it surfaces senders the client didn't know existed. This article is the playbook.

02

Why this topic matters

The sender list is the single most important artefact of the DMARC audit. Clients almost always discover 2-5 unexpected senders, and that surprise is the conversation that converts the audit into a rollout.

03

The three discovery channels

Channel 1: DMARC aggregate reports

Once you publish DMARC at p=none with rua=, aggregate reports become the most reliable channel. Receivers report every IP they see sending as the domain, with volumes.

This channel works after 2-4 weeks of monitoring. Use it for the comprehensive view.

Channel 2: DNS analysis

The existing SPF record lists declared senders. The DKIM selectors that respond to queries indicate who's already signing.

This channel works immediately, but it only shows declared senders, not the systems actually sending.

Channel 3: Stakeholder interviews

Marketing, sales, finance, HR, IT, support. Each team knows which platforms they use.

This channel works immediately and surfaces senders that didn't get added to SPF.

04

Step-by-step approach

  1. Pull existing DNS records. SPF list, DKIM selectors that respond.
  2. Interview team leads. What email platforms does each team use?
  3. Publish DMARC at p=none if not already.
  4. Wait 2-4 weeks. Aggregate reports build the comprehensive list.
  5. Cross-reference all three channels.
  6. Categorize each sender using the four-category framework.
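
An added example (not from the original article) of the cross-reference in step 5: it tallies source IPs from a DMARC aggregate report and marks those not covered by the SPF record's ip4:/ip6: mechanisms. The SPF record, report XML and function names are constructed for illustration; the sketch assumes un-namespaced report XML and does not resolve include: mechanisms, which need DNS.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: a flattened SPF record and one aggregate report.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ip6:2001:db8:1::/48 ~all"
REPORT_XML = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>2001:db8:ffff::9</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def declared_networks(spf):
    """Networks named by ip4:/ip6: mechanisms; other mechanisms are skipped."""
    nets = []
    for term in spf.split()[1:]:          # skip the "v=spf1" version tag
        mech = term.lstrip("+-~?")        # drop the qualifier, if any
        if mech.lower().startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets

def observed_sources(xml_text):
    """Per source IP: total messages, and how many passed DMARC (DKIM or SPF)."""
    seen = defaultdict(lambda: {"count": 0, "dmarc_pass": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = ipaddress.ip_address(row.findtext("source_ip").strip())
        n = int(row.findtext("count"))
        seen[ip]["count"] += n
        if "pass" in (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf")):
            seen[ip]["dmarc_pass"] += n
    return seen

def cross_reference(spf, xml_text):
    """Label each observed IP as declared in SPF or not, highest volume first."""
    nets = declared_networks(spf)
    rows = [(str(ip), s["count"], s["dmarc_pass"],
             "declared" if any(ip in n for n in nets) else "UNDECLARED")
            for ip, s in observed_sources(xml_text).items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for row in cross_reference(SPF_RECORD, REPORT_XML):
        print("%-20s msgs=%-4d dmarc_pass=%-4d %s" % row)
```

An undeclared source whose mail mostly passes DKIM is a candidate to raise in the stakeholder interviews; an undeclared source that passes nothing goes to the reverse-DNS check described under best practices.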

05

Where to focus interview time

Five teams account for most discovery:

  • Marketing. Newsletter platforms, lead-gen tools.
  • Sales. CRM-driven outreach.
  • Finance. Billing, invoicing.
  • Support. Help-desk and ticketing.
  • HR. Onboarding emails, recruiting tools.

Each will name 2-5 platforms. Most clients end up with 10-20 in total.

06

Best practices

  • Don't trust the SPF record as the inventory. It's what's declared, not what's actually sending.
  • Reverse-DNS unknown source IPs immediately. Most resolve to a recognizable vendor.
  • Document with the client. Joint understanding of who's sending as them.
  • Set up new-sender alerts in the monitoring platform.
  • Re-discover annually. Sender estate changes.

07

For any client engagement that is starting, schedule the stakeholder interviews in the first week. Publish DMARC at p=none the same week. By week 3, the comprehensive list is ready.

08

FAQ

How long does discovery take?

2-4 calendar weeks (waiting for reports), with ~10 hours of MSP work spread across that period.

What if a sender doesn't show up in aggregate reports?

Either no mail is being sent during the window, or the receiver doesn't report. Low-volume senders may take longer to surface.

What about senders that only send internally?

Internal-only mail (between staff using the company domain) often doesn't show in external aggregate reports. Verify via the M365/Workspace admin console.

How do I differentiate legitimate from attacker?

Use reverse DNS and public threat intelligence, and ask the client. Most unknowns resolve quickly.

Should I include discovery in the audit price?

Yes. It's the audit deliverable.

09

Final thoughts

DMARC client discovery is the foundation of every successful rollout. The discipline is combining the three channels — DNS, reports, interviews — rather than relying on any one.

Productize the playbook once. Run it on every engagement.
