The geography of DMARC failures is shifting, and the data says it's not random
A note on scope: Every data point in this analysis represents an IP address that failed both SPF and DKIM authentication checks for domains I monitor. In most cases, that means someone (or something) used the domain name without permission: a signature pattern of email spoofing, phishing, spam, and other abusive mail activity. The dataset is drawn from DMARC aggregate reports and represents a fraction of a larger corpus spanning millions of messages. Determining intent, whether a failure is hostile or incidental, requires context beyond what DMARC provides. But at volume, the patterns speak clearly enough.
Since January 2025, Sh4meful has been tracking every email that fails DMARC authentication across these domains, not just whether it failed, but where it came from. Country-of-origin data for failed authentication is one of the most underused signals in email security. Most DMARC dashboards show you pass/fail rates. I wanted to see if the geography of failure tells a different story.
It does.
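To make the scope note concrete, here is how a DMARC aggregate (RUA) report is reduced to the per-day, per-country counts that the rest of this post analyses. This is an added example, not code from the original post or from Sh4meful: the report XML, the addresses and the prefix-to-country table (a stand-in for a real GeoIP database) are all constructed for the demo. Only rows whose `policy_evaluated` shows both `dkim=fail` and `spf=fail` are counted, matching the "failed both SPF and DKIM" definition above.

```python
"""Reduce a DMARC aggregate (RUA) report to per-day, per-country counts
of source IPs that failed both SPF and DKIM.

Added example; not code from the original post. The report, the IPs
and GEO_TABLE are constructed for the demo.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed RUA report (one day: 2026-04-01 UTC). Record 1 fails both
# mechanisms and is a DMARC failure. Record 2 fails SPF but passes DKIM,
# the typical fingerprint of a forwarded message, which DMARC treats as a
# pass because DKIM still aligned. Record 3 passes both.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <date_range><begin>1775001600</begin><end>1775087999</end></date_range>
  </report_metadata>
  <policy_published><domain>example.test</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>
"""

# Constructed stand-in for a GeoIP database: documentation prefixes mapped
# to ISO country codes purely for the demo.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "KZ",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}


def country_for(ip: str) -> str:
    """Longest-prefix lookup is unnecessary here; the table is disjoint."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def dmarc_failures(report_xml: str):
    """Yield (date, source_ip, message_count) for rows where both DKIM and
    SPF evaluated to fail. A row where either mechanism passed is a DMARC
    pass (the message aligned on at least one) and is not yielded."""
    root = ET.fromstring(report_xml)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    day = datetime.fromtimestamp(begin, tz=timezone.utc).date()
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            yield day, row.findtext("source_ip"), int(row.findtext("count"))


def daily_country_counts(report_xml: str) -> dict:
    """Return {(date, country): {"ips": failing-source-IP rows,
    "messages": messages they sent}}. The post's data points are the
    failing IPs; the message total is kept alongside for volume checks."""
    counts = {}
    for day, ip, n in dmarc_failures(report_xml):
        entry = counts.setdefault((day, country_for(ip)), {"ips": 0, "messages": 0})
        entry["ips"] += 1
        entry["messages"] += n
    return counts


if __name__ == "__main__":
    for (day, cc), v in daily_country_counts(SAMPLE_REPORT).items():
        print(day, cc, v)
```

Run against a directory of real reports, this is the loop that produces one row per (day, country); the `spf=fail, dkim=pass` record in the sample is the case to keep in mind when reading failure counts, since forwarding breaks SPF routinely and only a both-fail row indicates the domain was used without an aligned signature.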
The big picture: volume is falling, but the map is getting more interesting
Overall DMARC failure volume has dropped substantially since the start of 2025, from 4,349 failures in H1 2025 down to 942 in the first 102 days of 2026. That's good news at the aggregate level. But the decline isn't uniform. While US-sourced failures have collapsed by 85% (from 18.6/day in Q1 2025 to 2.2/day in 2026), other regions tell a very different story.
The US line dominates the early data but fades steadily through the year. What's worth watching is happening underneath it: the Iran and former Soviet state lines are doing something unusual in 2026, and the most dramatic shift is compressed into the final two weeks of data.
Iran is going quiet
Through all of 2025, Iran was the second-most-common source of DMARC failures after the United States, averaging just under 1 failure per day consistently across both halves of the year (H1: 0.98/day, H2: 0.98/day). That baseline was remarkably stable. Not spiky, not seasonal, just a persistent drumbeat of failed authentication from Iranian IP space.
In 2026, it dropped to 0.60/day. That doesn't sound dramatic, but the statistical test tells a clearer story: the Mann-Whitney U test comparing Iran's 2025 daily distribution to its 2026 distribution returns p = 0.005, well below the conventional significance threshold of 0.05. This isn't noise; the decline is real.
More telling than the average is the pattern: Iran had a burst in January 2026 (46 failures, its single highest month in the dataset), then went almost completely silent. February had zero (preceding the internet blackout). March had 11. April so far has 4. Something changed around the end of January.
And the former Soviet states are waking up
While Iran has been going quiet, the former Soviet Union bloc has been moving in the opposite direction. FSU countries collectively averaged 0.49/day through 2025, a low, steady baseline with Russia accounting for most of it. In 2026, the daily average has jumped to 1.07/day, and the acceleration is almost entirely concentrated in a single April week.
This is where it gets interesting. Here's the quarterly breakdown of Iran vs. former Soviet states as a share of their combined total:
Through 2025, Iran held 52–78% of the combined Iran+FSU total. In Q2 2026, it flipped to 4% Iran / 96% FSU. The combined volume is roughly flat, hovering between 79 and 154 per quarter, but the composition inverted completely.
Iran's share of the Iran+FSU bloc: 66.9% in 2025 → 35.9% in 2026. That's a structural change, not a fluctuation.
The combined Iran + FSU failure volume has remained stable (Mann-Whitney p = 0.087, not significant), but the composition has flipped from Iran-dominated to FSU-dominated. This is consistent with infrastructure migration: the same activity, routed through different exit nodes.
The Central Asia surge: five countries in ten days
The most dramatic signal in the dataset is the sudden emergence of Central Asian countries as major sources of DMARC failures. Not a gradual increase, but a near-instantaneous appearance.
| Country | First seen | Prior total | Apr 1–12 total | Significance |
|---|---|---|---|---|
| Kazakhstan | 2025-02-27 | 8 | 31 | p = 0.038 |
| Uzbekistan | 2026-04-02 | 0 | 24 | p < 0.001 |
| Kyrgyzstan | 2026-04-02 | 0 | 7 | p = 0.017 |
| Tajikistan | 2026-04-03 | 0 | 2 | n/s |
| Azerbaijan | 2025-07-08 | 1 | 1 | n/s |
Uzbekistan and Kyrgyzstan had zero failures in the entire dataset before April 2, 2026. Then both appeared on the same day. Tajikistan followed the next day. Kazakhstan, which had produced only 8 scattered failures over 14 months, suddenly generated 31 in 12 days.
The Central Asia subset as a whole: p < 0.00000001 when comparing pre-April daily volumes to April. The pre-April baseline was 0.018 failures/day. In April, it's 5.33/day. That's a 30,200% increase.
Other emerging sources: Brazil and Vietnam
Two non-FSU countries also show statistically notable shifts in 2026.
Vietnam went from 0.18 failures/day in 2025 to 0.43/day in 2026 (p < 0.001). The increase is real and significant. Much of Vietnam's volume appeared in the final weeks of the dataset.
Brazil has been a consistent presence throughout the dataset (268 total failures, third overall), though its 2025-to-2026 change isn't statistically significant (p = 0.55). Brazil's April spike of 31 failures in 12 days is notable in absolute terms, but its baseline was noisy enough that the test doesn't flag it as anomalous yet.
What this might mean
I'm not in a position to attribute specific actors or campaigns from DMARC failure data alone. But the patterns suggest a few hypotheses worth considering:
The Iran → Central Asia shift looks like infrastructure migration. The combined volume held roughly constant while composition flipped. The timing is tight: Iran drops off in late January, Central Asian countries appear in April. If the same operators moved their sending infrastructure from Iranian IP space to VPS or cloud providers in Kazakhstan, Uzbekistan, and Kyrgyzstan, this is exactly what the data would look like.
The simultaneous appearance of multiple "-stan" countries is unlikely to be organic. Three countries going from zero to active on the same day (April 2) doesn't happen through normal spoofing or misconfiguration patterns. It suggests either a single actor provisioning infrastructure across multiple jurisdictions, or a shared toolset being deployed.
The US decline is likely a DMARC ecosystem success story. The 85% drop from Q1 2025 to 2026 probably reflects improving email authentication adoption among US-based senders and stricter enforcement by major mailbox providers. This is what healthy DMARC adoption looks like at the aggregate level.
The overall pattern is a shift from high-volume/few-countries to lower-volume/more-distributed. Early 2025 was dominated by a small number of high-volume sources (US, Iran). Late 2025 and into 2026 shows more countries contributing smaller volumes. The attack surface is diversifying geographically even as total volume drops.
The Central Asia surge is less than two weeks old at time of publication. It could be a transient burst or the beginning of a sustained shift. I'll follow up with updated analysis once there are 30+ days of data from these new sources. In the meantime, if you're seeing similar patterns in your own DMARC data, I'd like to hear about it.
Methodology
Data covers January 1, 2025 through April 12, 2026 (466 days). Failed DMARC authentication events are geocoded by source IP to country of origin. Statistical comparisons use the Mann-Whitney U test (two-sided), which doesn't assume normal distribution and is appropriate for count data with many zero-days. All p-values are unadjusted; given the multiple comparisons involved, apply appropriate skepticism to borderline results (p > 0.01). "Former Soviet states" includes RU, UA, BY, KZ, UZ, TM, TJ, KG, GE, AM, AZ, MD, LV, LT, EE. "Central Asia" is the subset KZ, UZ, KG, TJ, TM. Volume figures are absolute counts, not rates; the observation window is consistent across all countries. Q2 2026 figures are partial (April 1–12 only).