A domain that sends fewer than 10,000 emails a month has, on average, 107 different servers sending email on its behalf. Your newsletter platform, your helpdesk, your CRM, your payment processor, your calendar system - each one uses its own servers, and each one shows up as a separate source in your DMARC reports. Most domain owners don't realize how many IP senders they have. The data below comes from DMARCeye's Q1 2026 industry report, covering several thousand monitored domains.
This article unpacks the sending-footprint finding from DMARCeye's Q1 2026 industry report. The full report and methodology are below.
When someone at your company sends an email, it leaves from a server. That server has an IP address - a unique number that identifies it on the internet, the same way a street address identifies a building. Every tool or service that sends email "from" your domain uses its own server (or group of servers), and each one has a different IP address.
Suppose your company uses:
Each of these services sends email using your domain name in the "From" field. Each one uses different servers (Google alone operates thousands of mail servers, so even your basic work email might come from dozens of IP addresses on any given day).
Multiply this across every tool your company has ever connected to your domain, and the number climbs fast. A few of those tools were set up years ago by someone who no longer works at the company. Others were added by a marketing team running a one-off campaign, or trialed for a week and forgotten. They may still be sending email as your domain.
The DMARCeye Q1 2026 industry report measured the average number of distinct sending IPs per domain across several thousand monitored domains, grouped by monthly email volume:
The numbers, broken down by tier:
The more email your domain sends, the more servers are involved. But even the smallest tier - 107 IPs - is far more than most companies expect.
The IPs sending email as your domain fall into a few categories:
Approved vendors you know about. Your email service provider, your marketing automation platform, your transactional email sender. These are the ones you set up on purpose and configured with proper SPF and DKIM authentication. They should pass DMARC checks without problems.
Tools other departments signed up for. A sales team member starts using a new outreach tool. The HR department picks up a survey platform. The finance team connects a new invoicing service. Each one sends email from your domain, and each one adds IPs to your sending footprint. IT finds out about these when they start failing authentication checks (or when they show up in a DMARC report for the first time). This is sometimes called "shadow IT," and it is one of the most common reasons companies have far more sending IPs than they expect. Sometimes, these systems are forgotten (e.g., after the person that used them leaves the company).
Forwarding and mailing lists. When someone forwards your email through a mailing list or an alias, the forwarding server's IP shows up in reports too. You did not authorize this server, but it is handling your mail.
Unauthorized senders and attackers. Anyone can try to send email using your domain name. Without DMARC enforcement, some of those messages will reach inboxes. Even with enforcement, the attempts show up in your DMARC reports as failed messages from IPs you do not recognize.
An IP you did not authorize is not always an attacker, but you never know unless you investigate.
Legitimate email fails authentication. When a tool sends email from your domain but is not listed in your SPF record or does not sign with your DKIM key, receivers see it as unauthenticated. If your domain is at p=quarantine or p=reject, that email goes to spam or gets blocked. The tool is legitimate, but the configuration is missing. You will not know this is happening unless you are watching your DMARC reports.
Attackers use your domain to send fake email. Phishing emails using your domain name are a direct brand and security risk. The Q1 2026 data shows 36.7% of monitored domains are still at p=none, which means receivers are told to deliver everything regardless of authentication results. For those domains, attackers can send email as the domain with no consequences.
Compliance requirements assume you have visibility. Google's bulk sender requirements (in effect since February 2024) require DMARC authentication for anyone sending more than 5,000 messages a day to Gmail. The EU's NIS2 directive requires organizations in covered sectors to manage and monitor their email infrastructure. Both assume you know who is sending email as your domain. If you cannot list your sending sources, you cannot demonstrate compliance.
DMARC has this visibility built in. When you publish a DMARC record for your domain, email receivers (Gmail, Outlook, Yahoo, and others) start sending you daily aggregate reports. Each report is an XML file listing every IP address that sent email using your domain, along with how many messages each IP sent and whether those messages passed or failed SPF and DKIM checks.
In practice, a single day's reports for a moderately active domain can include hundreds of XML files from different receivers, each listing dozens or hundreds of IP records. Reading them manually is not realistic.
A DMARC monitoring tool parses those reports automatically and groups the data by source, vendor, and authentication status. Instead of a pile of XML, you get a list of every server sending email as your domain, whether each one is authorized, and whether it is passing authentication. You can check what your domain's DMARC record looks like right now:
DMARCeye's free plan covers one domain with up to 5,000 emails per month and includes full report parsing - enough to see your complete sending footprint and identify sources you did not know about.
Your domain's sending footprint is almost certainly larger than you think. Even small domains average over 100 distinct sending IPs, and the number grows steeply with volume. Not all of those sources are ones you approved.
The first step is seeing the list. DMARCeye parses your reports automatically and shows you every sending source, grouped by vendor, with authentication status for each one.