Seeing your domain's email apparently sent from countries you have never operated in is one of the most common triggers for a spoofing scare. In almost every case, it is a false alarm. Those IP addresses usually belong to your email providers' sending infrastructure, which runs in data centers around the world, not to an attacker. The real sign of spoofing is not a foreign location by itself, but a source you do not recognize that sends mail carrying your domain and fails DMARC, often from a place where you have no presence.
Quick answer: DMARC reporting. Once you publish a DMARC record with a reporting address, mailbox providers like Google, Microsoft, and Yahoo send you daily aggregate reports. Each report lists every source that used your domain, the IP address it sent from, and whether it passed authentication.
These reports list IP addresses, not places. You can paste any single IP into a geolocation lookup tool and see the country it is registered in. This is how many spoofing scares start: someone pulls one address from a report, checks it, and finds it in a country they have no presence in. Doing that for every sending IP by hand is impractical, so the best way is to use a DMARC monitoring platform (like DMARCeye) that geolocates them all and plots them on a map.
Almost no company sends its own email directly anymore. Your mail goes out through providers: a marketing platform, a CRM, a help desk, Google Workspace or Microsoft 365, a payment processor. Each provider runs servers in data centers around the world, and the location you see belongs to whichever server handled your message.
DMARC aggregate reports list every source that sent mail using your domain, along with the IP address each one used. When a service like DMARCeye plots those IPs on a map, a single newsletter send can appear from three or four countries at once. That spread is the shape of modern email, where a handful of services send on your behalf from infrastructure across continents.
From the DMARCeye platform.
Geolocation turns an IP address into a place by looking up which network owns it. The regional internet registries hand out blocks of IP addresses to internet providers, hosting companies, and cloud platforms, and geolocation databases record where each block is registered and used. So the location attached to a sending IP describes the infrastructure that owns it, not a person typing at a keyboard.
That lookup is an estimate, and the precision drops fast below the country level. Country is reliable, region or state much less so, and city is often wrong. A cloud provider, a VPN, or a content delivery network can place an IP hundreds of miles from anyone real. MaxMind, which supplies much of the industry's geolocation data, is direct about these limits in its own accuracy guidance. Read a sending location as a rough signal, not a fact.
A foreign IP address alone does not mean you are being spoofed. It is the most common reason people assume their domain has been hijacked, yet on its own it proves nothing either way. If your email service provider sends from a data center in Germany or Virginia, your mail geolocates to Germany or Virginia, and nothing is wrong.
This is a different question from how DMARC adoption varies across regions, which is a pattern in the wider data rather than a signal about your own domain. If that macro view interests you, we covered it in regional DMARC compliance variance and DMARC policy by country TLD. For triaging your own reports, location matters once you read it alongside the authentication result, not before.
The real sign is a source that does two things at once: it sends mail carrying your domain, and that mail fails DMARC. DMARC checks whether a message passes SPF or DKIM and whether the result aligns with the domain in the visible From address. Senders you have set up pass this check. An attacker forging your domain from their own server usually cannot, because they do not control your SPF record or your DKIM keys.
Location becomes useful once you start from the authentication result. A failing source in a country where you have no providers and no operations is a stronger lead than a failing source down the street. The failure comes first, and the map sharpens it.
Start with authentication, not geography. When an unfamiliar location catches your eye, work through it in order:
DMARCeye plots every sending IP for a source on a clustered map (pictured above), so a large sender stays readable, and lets you open any single IP to see its location next to its authentication result. The value is the pairing: location sitting beside whether that source passes or fails DMARC, so you can tell normal global infrastructure from a source that deserves a second look.
From the DMARCeye platform. The IP addresses shown are examples, not real addresses.
Because the authentication result and the location share one view, you spend less time guessing and more on the one or two sources that warrant attention.
Sender geolocation is context that sharpens the authentication result, not a verdict on its own. Mail from many countries is normal, since your providers send on your behalf from infrastructure all over the world. What separates noise from a real threat is the combination: an unfamiliar source sending as your domain and failing DMARC, from a location where you have no presence. Seeing the location and the authentication result in one view is what makes that combination stand out, which is the point of mapping your sending locations. DMARCeye puts the two side by side, so a real impersonation attempt is easy to spot.