Shame on you, stupid spammers.. Sh4meful  DMARC Spoof Detection
🦋 Bluesky 🐘 Mastodon

DMARC Spoof Detection, Failed Authentications

Sh4meful tracks IP addresses caught sending unauthorized email, detected through DMARC report analysis across millions of authentication records.

Every entry here is an IP address that failed both SPF and DKIM authentication checks for domains I monitor. In most cases, that means someone (or something) used the domain name without permission; a signature pattern of email spoofing, phishing, spam, and other abusive mail activity.

The dataset is drawn from DMARC aggregate reports and represents a fraction of a larger corpus spanning millions of messages. Each record shows what failed and where: the source IP, its network, its geography, and limited metadata from the authentication event. Determining intent, whether a failure is hostile or incidental, requires context beyond what DMARC provides, but the patterns speak clearly enough at volume.

Not every failure is malicious. Some legitimate services (email security gateways, spam filters, phishing analysis platforms) break authentication as a side effect of message inspection or forwarding. I track these confounders separately and hide them by default, though they remain available for review. Much of that traffic is benign infrastructure noise. Some isn't.

Elements of this dataset and supporting models will eventually be open-sourced on GitHub. (More)

Failures Detected

55,367

Unique IPs

7,319

Unique Networks

924

Failed Messages

93,248

Viewleaf Signal
Viewleaf Signal by the makers of sh4meful
Simple, visual DMARC monitoring for your domains. Spot spoofing, track authentication failures, and protect your sending reputation. Free to start.
Try Free
Try Free

Failures

Showing 1-10 of 55,367 failures, affecting 93,248 messages
Date ▼ Source IP Country City Network Messages
4/15/2026 193.46.217.240 US United States Fremont sixtwoyun-hosting 1
4/15/2026 77.90.156.235 DE Germany ValkyrieHosting 1
4/15/2026 161.22.40.38 ES Spain Barcelona NET-161-22-40-0-0 1
4/15/2026 85.29.157.130 KZ Kazakhstan Karaganda FTTB_Taraz 1
4/15/2026 87.255.229.102 RU Russia Ivanovo komtel 1
4/15/2026 63.143.86.162 JM Jamaica DIGICEL 1
4/15/2026 217.119.20.150 RU Russia SMART-NET-BUSINESS-CUST-119-20 1
4/15/2026 81.30.178.213 RU Russia Ufa UBN 1
4/15/2026 168.90.211.134 BR Brazil Sinop DOMINA NET TELECOM 1
4/14/2026 35.196.101.190 US United States North Charleston GOOGLE-CLOUD 1

DMARC Activity

Browse by Country

Afghanistan · Albania · Algeria · Angola · Argentina · Armenia · Australia · Austria · Azerbaijan · Bangladesh · Belarus · Belgium · Bhutan · Bolivia · Bosnia and Herzegovina · Brazil · Bulgaria · Burkina Faso · Cambodia · Canada · Chile · China · Colombia · Congo Republic · Costa Rica · Croatia · Cyprus · Czechia · Dominica · Dominican Republic · DR Congo · Ecuador · Egypt · Estonia · Ethiopia · Finland · France · Gambia · Germany · Ghana · Greece · Guinea · Honduras · Hong Kong · Hungary · Iceland · India · Indonesia · Iran · Iraq · Ireland · Israel · Italy · Ivory Coast · Jamaica · Japan · Jordan · Kazakhstan · Kenya · Kosovo · Kuwait · Kyrgyzstan · Laos · Lebanon · Lithuania · Luxembourg · Mauritania · Mauritius · Mexico · Moldova · Morocco · Mozambique · Myanmar · Nepal · New Zealand · Nigeria · North Macedonia · Norway · Oman · Pakistan · Palestine · Panama · Peru · Philippines · Poland · Portugal · Qatar · Réunion · Romania · Russia · Saudi Arabia · Senegal · Seychelles · Singapore · Slovenia · Somalia · South Africa · South Korea · Spain · Sri Lanka · Suriname · Sweden · Switzerland · Syria · Taiwan · Tajikistan · Thailand · The Netherlands · Togo · Trinidad and Tobago · Tunisia · Türkiye · Uganda · Ukraine · United Arab Emirates · United Kingdom · United States · Uruguay · U.S. Virgin Islands · Uzbekistan · Venezuela · Vietnam

Most Active Networks by Spoof Volume (30 days)

Top networks by failed message volume over the last 30 days.

AT-88-Z

704 spoofing attempts
19 unique source IPs

UK-MICROSOFT-20060601

369 spoofing attempts
48 unique source IPs

MSFT

81 spoofing attempts
72 unique source IPs

AMAZO-4

43 spoofing attempts
5 unique source IPs

AMAZON-2011L

23 spoofing attempts
2 unique source IPs

UZTELECOM

21 spoofing attempts
15 unique source IPs

GOOGLE

18 spoofing attempts
2 unique source IPs

HINET-NET

16 spoofing attempts
3 unique source IPs

VIETTEL-VN

14 spoofing attempts
5 unique source IPs

spaceshipnetworks

11 spoofing attempts
2 unique source IPs

RIPE

11 spoofing attempts
8 unique source IPs

KORNET-KR

10 spoofing attempts
3 unique source IPs

GPON_FTTH_SERVICES

9 spoofing attempts
5 unique source IPs

IP2000-ADSL-BAS

9 spoofing attempts
1 unique source IP

Claro NXT Telecomunicacoes Ltda

8 spoofing attempts
2 unique source IPs

Most Active IPs by Spoof Volume (30 days)

Top IP addresses by failed message volume over the last 30 days.

IP Intelligence Report for 35.174.145.124

United States
600 failed messages
Last seen: 4/14/2026

IP Intelligence Report for 2a01:111:f403:c107::3

United States
23 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c10c::1

United States
23 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c000::1

United States
22 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 54.227.64.76

United States
22 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c10d::1

United States
22 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c112::5

United States
20 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c110::3

United States
19 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c001::2

United States
18 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 100.21.157.149

United States
17 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c111::9

United States
17 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 34.210.15.192

United States
17 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 3.132.222.232

United States
16 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 3.132.108.44

United States
16 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c112::7

United States
16 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 2a01:111:f403:c105::7

United States
16 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 209.85.220.69

United States
15 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 3.231.237.226

United States
15 failed messages
Last seen: 4/9/2026

IP Intelligence Report for 2a01:111:f403:c107::1

United States
15 failed messages
Last seen: 4/10/2026

IP Intelligence Report for 52.212.19.177

Ireland
15 failed messages
Last seen: 4/10/2026
Recent Writing

The geography of DMARC failures is shifting, and the data says it's not random

April 13, 2026

7,528 failed DMARC authentications across 115 countries over 16 months. The source countries are changing in ways that suggest coordinated infrastructure migration, not organic drift.

Read more → All posts →
Monitoring your own domains? Try Viewleaf Signal — free DMARC monitoring by the makers of sh4meful.