DMARC Spoof Detection, Failed Authentications

Sh4meful tracks IP addresses caught sending unauthorized email, detected through DMARC report analysis across millions of authentication records.

Every entry here is an IP address that failed both SPF and DKIM authentication checks for domains I monitor. In most cases, that means someone (or something) used the domain name without permission; a signature pattern of email spoofing, phishing, spam, and other abusive mail activity.

The dataset is drawn from DMARC aggregate reports and represents a fraction of a larger corpus spanning millions of messages. Each record shows what failed and where: the source IP, its network, its geography, and limited metadata from the authentication event. Determining intent, whether a failure is hostile or incidental, requires context beyond what DMARC provides, but the patterns speak clearly enough at volume.

Not every failure is malicious. Some legitimate services (email security gateways, spam filters, phishing analysis platforms) break authentication as a side effect of message inspection or forwarding. I track these confounders separately and hide them by default, though they remain available for review. Much of that traffic is benign infrastructure noise. Some isn't.

Elements of this dataset and supporting models will eventually be open-sourced on GitHub. (More)