DMARC Spoof Detection, Failed Authentications
About this Project
▶Sh4meful tracks IP addresses caught sending unauthorized email, detected through DMARC report analysis across millions of authentication records.
Every entry here is an IP address that failed both SPF and DKIM authentication checks for domains I monitor. In most cases, that means someone (or something) used the domain name without permission; a signature pattern of email spoofing, phishing, spam, and other abusive mail activity.
The dataset is drawn from DMARC aggregate reports and represents a fraction of a larger corpus spanning millions of messages. Each record shows what failed and where: the source IP, its network, its geography, and limited metadata from the authentication event. Determining intent, whether a failure is hostile or incidental, requires context beyond what DMARC provides, but the patterns speak clearly enough at volume.
Not every failure is malicious. Some legitimate services (email security gateways, spam filters, phishing analysis platforms) break authentication as a side effect of message inspection or forwarding. I track these confounders separately and hide them by default, though they remain available for review. Much of that traffic is benign infrastructure noise. Some isn't.
Elements of this dataset and supporting models will eventually be open-sourced on GitHub. (More)
8,902
2,973
1,168
14,902
Failures
Showing 1-10 of 8,902 failures, affecting 14,902 messages| Date ▼ | Source IP | Country | City | Network | Messages |
|---|---|---|---|---|---|
| 7/16/2026 | BE Belgium | Brussels | 1 | ||
| 7/16/2026 | US United States | Los Angeles | 1 | ||
| 7/16/2026 | KZ Kazakhstan | Shymkent | 1 | ||
| 7/16/2026 | TJ Tajikistan | Panjakent | 1 | ||
| 7/16/2026 | AR Argentina | Boca Toma | 4 | ||
| 7/16/2026 | KE Kenya | N/A | 4 | ||
| 7/16/2026 | CN China | Guangzhou | 1 | ||
| 7/16/2026 | CN China | 2 | |||
| 7/16/2026 | KZ Kazakhstan | Atyrau | 2 | ||
| 7/16/2026 | KZ Kazakhstan | Kokshetau | 1 |
DMARC Activity
Most Active Networks by Spoof Volume (30 days)
Top networks by failed message volume over the last 30 days.
OMEGATECH
LT-HOSTBALTIC-10
UZTELECOM
KAPPA-IN
Cogetel
CMNET
CHINANET-NM
T-FGU.EDU.TW-NET
OUL-16
FRTR-LEGACY-FTR13
GPON_FTTH_SERVICES
GOOGLE-CLOUD
Telmex Colombia S.A.
GOOGL-2
DATALIX
Most Active IPs by Spoof Volume (30 days)
Top IP addresses by failed message volume over the last 30 days.
IP Intelligence Report for 141.98.10.86
IP Intelligence Report for 91.92.241.38
IP Intelligence Report for 50.127.181.82
IP Intelligence Report for 176.100.36.170
IP Intelligence Report for 15.204.234.4
IP Intelligence Report for 120.101.61.23
IP Intelligence Report for 178.16.53.39
IP Intelligence Report for 170.80.23.57
IP Intelligence Report for 103.93.177.74
IP Intelligence Report for 193.253.101.87
IP Intelligence Report for 120.101.61.7
IP Intelligence Report for 185.213.116.2
IP Intelligence Report for 123.253.93.94
IP Intelligence Report for 41.220.227.170
IP Intelligence Report for 199.193.205.208
IP Intelligence Report for 203.211.75.89
IP Intelligence Report for 200.142.101.197
IP Intelligence Report for 4.16.147.249
IP Intelligence Report for 186.62.119.215
IP Intelligence Report for 154.255.68.145
Top Threat Countries
- China - Email Spoofing Analysis
- United States - Email Spoofing Analysis
- Russia - Email Spoofing Analysis
- Germany - Email Spoofing Analysis
- India - Email Spoofing Analysis
- United Kingdom - Email Spoofing Analysis
- France - Email Spoofing Analysis
- Brazil - Email Spoofing Analysis
- Japan - Email Spoofing Analysis
- Canada - Email Spoofing Analysis
- Netherlands - Email Spoofing Analysis
- Australia - Email Spoofing Analysis
- South Korea - Email Spoofing Analysis
- Italy - Email Spoofing Analysis
- Spain - Email Spoofing Analysis
- Turkey - Email Spoofing Analysis
- Poland - Email Spoofing Analysis
- Ukraine - Email Spoofing Analysis
- Mexico - Email Spoofing Analysis
- Argentina - Email Spoofing Analysis