Reputation look up for DMARC failed hosts

Hi Dmarcian community. I’m a new user at Dmarcian.
After a trial of Dmarcian Free, my company has been considering signing up for the service, starting from the Basic plan.

In the trial account of the DMARC analyzer, we found many DMARC failed hosts. Some of them are hosts that didn’t have correct SPF, or DKIM wasn’t set up yet.
But there are many hosts which we didn’t have any knowledge of. I suspect some of those might be legitimate servers which we are not aware of and others are possible scammers.
How can we tell whether those possible scammers are legitimate or not? Is there any reputation lookup feature available from the dashboard?
I checked the Dmarcian features list, but didn’t find reputation features. If there is any way to nail down scammers from this list other than using reputation, please share info.

Thanks for your time in advance.

There is a link to Cisco Talos IP reputation in the Detail Viewer, but I wouldn’t rely on that to determine whether the IP was an unidentified legitimate source. The scam emails have plenty of easily identifiable traits that will be far more obvious than the reputation of a snowshoe spam IP range.

Conversely, the domains and IP allocations from unidentified legitimate sources will align with vendors and service providers that you utilize.

The number of forged sources is staggering and endless.
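The following is an added example, not part of the thread and not dmarcian's code: it sorts the DMARC-failing rows of an aggregate report by the domains that did authenticate them, so sources matching vendors you use stand apart from the rest. The vendor list, the domain names and the sample report are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: sending domains of vendors the organization knows it uses (hypothetical).
KNOWN_VENDORS = {"mailvendor.example", "crm-sender.example"}

# Constructed sample in the RFC 7489 aggregate-report layout, trimmed to the fields used.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>mail.mailvendor.example</domain><result>pass</result></dkim>
  <spf><domain>bounce.mailvendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.50</source_ip><count>3</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>unrelated.test</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>15</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def is_vendor(domain):
    """True if the domain is a known vendor domain or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == v or d.endswith("." + v) for v in KNOWN_VENDORS)

def triage(report_xml):
    """Group DMARC-failing sources by what the report says authenticated them."""
    buckets = defaultdict(list)
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        if "pass" in (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf")):
            continue  # an aligned DKIM or SPF pass means DMARC passed
        auth = rec.find("auth_results")
        passed = sorted({a.findtext("domain") for a in (auth if auth is not None else [])
                         if a.findtext("result") == "pass" and a.findtext("domain")})
        if any(is_vendor(d) for d in passed):
            label = "known vendor, unaligned"        # work with the vendor on alignment
        elif passed:
            label = "authenticated, unknown domain"  # needs investigation
        else:
            label = "nothing passed"                 # no authenticated identity at all
        buckets[label].append((row.findtext("source_ip"), int(row.findtext("count")), passed))
    return dict(buckets)

if __name__ == "__main__":
    for label, sources in triage(SAMPLE_REPORT).items():
        print(label, sources)
```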

Thanks for your nice comments.
It would be helpful to have a Talos IP reputation link from the Dashboard.
I kind of agree with your opinion that IP reputation alone isn’t very reliable. I was hoping to use it as a second opinion.

I monitor a customer’s DMARC failures. My goal is to get to zero DMARC failures from legitimate hosts, then move the DMARC policy from none to quarantine, then to reject within 1 month.
Unfortunately my client doesn’t have a complete list of the email servers where emails are sent from. Even if I ask the customer about the list of DMARC failed hosts, they wouldn’t be sure if they are legitimate or not. I suspect this is not unusual for large organizations. How do you solve this problem?

It is. The Detail Viewer is the part of the dashboard where you view the IPs of the relay hosts in your DMARC reports. Just click on the country flag and you will be taken to the Talos IP reputation page for the IP address.

Investigate and document as needed. :wink:

Thanks so much for your kind reply.
I guess there are no easy and quick solutions for that.
I’m a newbie to DMARC, so I’m excited to find out how it works and how useful it is for preventing phishing attacks.
Thanks again!

I think you’ve gotten on top of the game now but it’s definitely a game of analyze & fix, analyze & fix, particularly for clients that don’t have a clear view on what is happening with their entire email footprint and/or have several shadow IT setups. That’s where we find dmarcian to be so helpful in analyzing and finding those setups, then working with the client to get them authenticated and slowly step up their DMARC policy. You are dealing in some unknowns, but you get better with time and experience at moving quicker. We tell clients it takes us about 3-4 wks before we are comfortable setting them all the way up to 100% reject. Some can be shorter (I wouldn’t rec less than 2 wks though… you just never know what is out there) and some longer. Overall, before we are “done” I like to have had our team at least analyze a month’s worth of data. You do get the occasional once a month type of email that can go missing if you are watching for a full cycle.

Thanks for your wonderful comment.
I have a question about analyzing. When you are analyzing DMARC failures, do you need to get a sample of those emails? Or do you analyze only by using the Dmarcian analyzer tool? I’m wondering how, without looking at actual emails, especially analyzing email headers, I would be able to tell their legitimacy. I’m still in doubt about the reliability of the DMARC report alone.
Anyway, I’m very excited to join this DMARC journey but also a bit worried about my lack of experience. At least I know how to use the Dmarcian analyzer now, hoping it will help me.