The geography of DMARC failures is shifting, and the data says it's not random
A note on scope: Every data point in this analysis represents an IP address that failed both SPF and DKIM authentication checks for domains I monitor. In most cases, that means someone (or something) used the domain name without permission: a signature pattern of email spoofing, phishing, spam, and other abusive mail activity. The dataset is drawn from DMARC aggregate reports and represents a fraction of a larger corpus spanning millions of messages. Determining intent, whether a failure is hostile or incidental, requires context beyond what DMARC provides. But at volume, the patterns speak clearly enough.
Since 2024, Sh4meful has been tracking every email that fails DMARC authentication across these domains, not just whether it failed, but where it came from. Country-of-origin data for failed authentication is one of the most underused signals in email security. Most DMARC dashboards show you pass/fail rates. I wanted to see if the geography of failure tells a different story.
It does.
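The extraction step behind the numbers below, as an added example that is not the author's tooling: parse a DMARC aggregate report, keep only records where policy evaluation of both DKIM and SPF failed (the scope definition above), and roll the failing IPs up by country. The report XML and the GeoIP mapping are constructed; a real pipeline unpacks the gzipped or zipped attachment first and looks each IP up in a GeoIP database.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report shape; not a real report.
SAMPLE_RUA = """<feedback>
  <record><row><source_ip>203.0.113.10</source_ip><count>7</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>3</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Constructed stand-in for a GeoIP lookup; a real pipeline queries a GeoIP database.
GEO_STUB = {"203.0.113.10": "KZ", "198.51.100.5": "US"}

def both_fail_records(xml_text):
    """Yield (source_ip, count, header_from) for records where DMARC evaluation
    of BOTH DKIM and SPF failed. A DKIM pass with SPF fail is still aligned mail
    and is deliberately excluded."""
    root = ET.fromstring(xml_text)
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            yield (row.findtext("source_ip"), int(row.findtext("count")),
                   rec.findtext("identifiers/header_from"))

def failures_by_ip(xml_text):
    """Messages per failing source IP (one report may repeat an IP across records)."""
    ips = Counter()
    for ip, n, _ in both_fail_records(xml_text):
        ips[ip] += n
    return dict(ips)

def failures_by_country(xml_text, geo=GEO_STUB):
    """Country roll-up as (distinct failing IPs, messages) per country code."""
    out = {}
    for ip, n in failures_by_ip(xml_text).items():
        cc = geo.get(ip, "??")   # "??" flags IPs the GeoIP source cannot place
        ips, msgs = out.get(cc, (set(), 0))
        out[cc] = (ips | {ip}, msgs + n)
    return {cc: (len(ips), msgs) for cc, (ips, msgs) in out.items()}
```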
The big picture: volume is falling, but the map is getting more interesting
Overall DMARC failure volume has dropped substantially since the start of 2025, from 4,349 failures in H1 2025 down to 942 in the first 102 days of 2026. That's good news at the aggregate level. But the decline isn't uniform. While US-sourced failures have collapsed by 85% (from 18.6/day in Q1 2025 to 2.2/day in 2026), other regions tell a very different story.
The US line dominates the early data but fades steadily through the year. What's worth watching is happening underneath it: the Iran and former Soviet state lines are doing something unusual in 2026, and the most dramatic shift is compressed into the final two weeks of data.
Iran is going quiet
Through all of 2025, Iran was the second-most-common source of DMARC failures after the United States, averaging just under 1 failure per day consistently across both halves of the year (H1: 0.98/day, H2: 0.98/day). That baseline was remarkably stable. Not spiky, not seasonal, just a persistent drumbeat of failed authentication from Iranian IP space.
In 2026, it dropped to 0.60/day. That doesn't sound dramatic, but the statistical test tells a clearer story: the Mann-Whitney U test comparing Iran's 2025 daily distribution to its 2026 distribution returns p = 0.005, well below the conventional significance threshold of 0.05. This isn't noise; the decline is real.
More telling than the average is the pattern: Iran had a burst in January 2026 (46 failures, its single highest month in the dataset), then went almost completely silent. February had zero (preceding the internet blackout). March had 11. April so far has 4. Something changed around the end of January.
And the former Soviet states are waking up
While Iran has been going quiet, the former Soviet Union bloc has been moving in the opposite direction. FSU countries collectively averaged 0.49/day through 2025, a low, steady baseline with Russia accounting for most of it. In 2026, the daily average has jumped to 1.07/day, and the acceleration is almost entirely concentrated in a single April week.
This is where it gets interesting. Here's the quarterly breakdown of Iran vs. former Soviet states as a share of their combined total:
Through 2025, Iran held 52–78% of the combined Iran+FSU total. In Q2 2026, it flipped to 4% Iran / 96% FSU. The combined volume is roughly flat, hovering between 79 and 154 per quarter, but the composition inverted completely.
Iran's share of the Iran+FSU bloc: 66.9% in 2025 → 35.9% in 2026. That's a structural change, not a fluctuation.
The combined Iran + FSU failure volume has remained stable (Mann-Whitney p = 0.087, not significant), but the composition has flipped from Iran-dominated to FSU-dominated. This is consistent with infrastructure migration: the same activity, routed through different exit nodes.
The Central Asia surge: five countries in ten days
The most dramatic signal in the dataset is the sudden emergence of Central Asian countries as major sources of DMARC failures. Not a gradual increase, but a near-instantaneous appearance.
| Country | First seen | Prior total | Apr 1–12 total | Significance |
|---|---|---|---|---|
| Kazakhstan | 2025-02-27 | 8 | 31 | p = 0.038 |
| Uzbekistan | 2026-04-02 | 0 | 24 | p < 0.001 |
| Kyrgyzstan | 2026-04-02 | 0 | 7 | p = 0.017 |
| Tajikistan | 2026-04-03 | 0 | 2 | n/s |
| Azerbaijan | 2025-07-08 | 1 | 1 | n/s |
Uzbekistan and Kyrgyzstan had zero failures in the entire dataset before April 2, 2026. Then both appeared on the same day. Tajikistan followed the next day. Kazakhstan, which had produced only 8 scattered failures over 14 months, suddenly generated 31 in 12 days.
The Central Asia subset as a whole: p < 0.00000001 when comparing pre-April daily volumes to April. The pre-April baseline was 0.018 failures/day. In April, it's 5.33/day. That's a 30,200% increase.
Other emerging sources: Brazil and Vietnam
Two non-FSU countries also show statistically notable shifts in 2026.
Vietnam went from 0.18 failures/day in 2025 to 0.43/day in 2026 (p < 0.001). The increase is real and significant. Much of Vietnam's volume appeared in the final weeks of the dataset.
Brazil has been a consistent presence throughout the dataset (268 total failures, third overall), though its 2025-to-2026 change isn't statistically significant (p = 0.55). Brazil's April spike of 31 failures in 12 days is notable in absolute terms, but its baseline was noisy enough that the test doesn't flag it as anomalous yet.
What this might mean
I'm not in a position to attribute specific actors or campaigns from DMARC failure data alone. But the patterns suggest a few hypotheses worth considering:
The Iran → Central Asia shift looks like infrastructure migration. The combined volume held roughly constant while composition flipped. The timing is tight: Iran drops off in late January, Central Asian countries appear in April. If the same operators moved their sending infrastructure from Iranian IP space to VPS or cloud providers in Kazakhstan, Uzbekistan, and Kyrgyzstan, this is exactly what the data would look like.
The simultaneous appearance of multiple "-stan" countries is unlikely to be organic. Three countries going from zero to active on the same day (April 2) doesn't happen through normal spoofing or misconfiguration patterns. It suggests either a single actor provisioning infrastructure across multiple jurisdictions, or a shared toolset being deployed.
The US decline is likely a DMARC ecosystem success story. The 85% drop from Q1 2025 to 2026 probably reflects improving email authentication adoption among US-based senders and stricter enforcement by major mailbox providers. This is what healthy DMARC adoption looks like at the aggregate level.
The overall pattern is a shift from high-volume/few-countries to lower-volume/more-distributed. Early 2025 was dominated by a small number of high-volume sources (US, Iran). Late 2025 and into 2026 shows more countries contributing smaller volumes. The attack surface is diversifying geographically even as total volume drops.
The Central Asia surge is less than two weeks old at time of publication. It could be a transient burst or the beginning of a sustained shift. I'll follow up with updated analysis once there are 30+ days of data from these new sources. In the meantime, if you're seeing similar patterns in your own DMARC data, I'd like to hear about it.
Amendment: the blackout changes the story
Added April 14, 2026.
After publishing the original analysis, several readers pointed to an obvious variable I hadn't accounted for: Iran has been largely offline since late January 2026.
Iran experienced two major internet shutdowns this year. The first began January 8 during nationwide protests, when connectivity dropped to roughly 12% of normal levels. A partial restoration followed in late January, but on February 28, following US-Israel military strikes, authorities imposed a near-total blackout. As of publication, Iranian internet connectivity remains at approximately 1% of pre-war levels, making it the longest nationwide shutdown on record.
This reframes the central finding of this analysis. The original post identified a compositional shift from Iran to Central Asian former Soviet states and suggested infrastructure migration as a hypothesis. The blackout provides a much more concrete mechanism: Iranian operators didn't choose to move. They lost access.
The timing aligns precisely. Iran's share of weekly DMARC failures held at 20–35% through late December and early January, dropped during the protest blackout, briefly recovered when connectivity was partially restored, then went to near zero after February 28 and has stayed there. The Central Asian surge appeared five weeks later. The chart below shows both series as a percentage of total weekly failures, with 95% Wilson score confidence intervals and both blackout dates marked.
The confidence intervals matter here. In low-volume weeks, Iran's share has wide error bars (the dataset has many weeks under 50 total failures). But the post-blackout pattern is unambiguous: Iran's upper confidence bound hasn't exceeded 17% since February 8, and has been below 5% for the last six weeks. Meanwhile, Central Asia's lower bound cleared 10% in both April weeks, confirming that its share is statistically distinguishable from zero even after accounting for small-sample uncertainty.
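As an added example (not the author's code or charts), here is the Wilson score interval applied to constructed weekly totals, showing why low-volume weeks get wide error bars, why a week with zero Iranian failures still has a non-zero upper bound, and how the "lower bound clears 10%" check works.

```python
import math

def wilson_interval(k, n, z=1.96):
    """Wilson score interval for a share k/n (95% for z=1.96). Unlike the naive
    p +/- z*sqrt(p(1-p)/n) it stays within [0, 1] and keeps a non-zero width
    when k == 0, which is exactly the post-blackout Iran case."""
    if n == 0:
        return (0.0, 1.0)   # no data at all: the share is unconstrained
    p, z2 = k / n, z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

# Constructed weekly totals: (week, all failures, from Iran, from Central Asia).
WEEKS = [
    ("2026-W02", 120, 36, 0),
    ("2026-W07", 30, 2, 0),    # low-volume week: share estimates are wide
    ("2026-W14", 60, 0, 24),
    ("2026-W15", 45, 0, 20),
]

def weekly_share_bounds(weeks):
    """Per week: (label, Iran share interval, Central Asia share interval)."""
    return [(w, wilson_interval(ir, tot), wilson_interval(ca, tot))
            for w, tot, ir, ca in weeks]

def weeks_clearing(weeks, col, floor):
    """Weeks whose lower bound for one series (col 2 = Iran, 3 = Central Asia)
    exceeds `floor`, i.e. the share is distinguishable from that level."""
    return [w[0] for w in weeks if wilson_interval(w[col], w[1])[0] > floor]
```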
What remains unanswered is whether the Central Asian activity represents the same operators who previously sent from Iranian IP space, or unrelated actors filling a vacuum. The five-week gap between the blackout and the Central Asian emergence is consistent with the time it would take to provision new infrastructure, but it's also consistent with coincidence. I'll continue monitoring as this develops.
Methodology
Data covers January 1, 2025 through April 12, 2026 (466 days). Failed DMARC authentication events are geocoded by source IP to country of origin. Statistical comparisons use the Mann-Whitney U test (two-sided), which doesn't assume normal distribution and is appropriate for count data with many zero-days. All p-values are unadjusted; given the multiple comparisons involved, apply appropriate skepticism to borderline results (p > 0.01). "Former Soviet states" includes RU, UA, BY, KZ, UZ, TM, TJ, KG, GE, AM, AZ, MD, LV, LT, EE. "Central Asia" is the subset KZ, UZ, KG, TJ, TM. Volume figures are absolute counts, not rates; the observation window is consistent across all countries. Q2 2026 figures are partial (April 1–12 only).
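The methodology above, as an added pure-Python example rather than the author's analysis code: build a zero-filled daily series (so the zero-days are part of the distribution, not silently dropped), then compare two periods with a two-sided Mann-Whitney U test using the normal approximation with tie and continuity corrections. The events list is constructed; `period_shift` is an assumed convenience name.

```python
import math
from collections import Counter
from datetime import date, timedelta

def daily_counts(events, start, end):
    """Zero-filled failures-per-day over [start, end]; `events` is an iterable of
    (date, country_code). Days with no failures appear as explicit zeros, which
    is what makes a rank test meaningful on count data with many zero-days."""
    per_day = Counter(d for d, _ in events)
    days = (end - start).days + 1
    return [per_day[start + timedelta(days=i)] for i in range(days)]

def _ranks(values):
    """1-based ranks, ties given their average rank; also returns tie-group sizes."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks, ties, i = [0.0] * len(values), [], 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j + 2) / 2
        ties.append(j - i + 1)
        i = j + 1
    return ranks, ties

def mann_whitney_u(x, y):
    """Two-sided Mann-Whitney U via the normal approximation with tie and
    continuity corrections. Returns (U statistic for x, p-value)."""
    n1, n2 = len(x), len(y)
    ranks, ties = _ranks(list(x) + list(y))
    u1 = sum(ranks[:n1]) - n1 * (n1 + 1) / 2
    n, mu = n1 + n2, n1 * n2 / 2
    tie_term = sum(t ** 3 - t for t in ties) / (n * (n - 1))
    sigma = math.sqrt(n1 * n2 / 12 * (n + 1 - tie_term))
    if sigma == 0:   # every day identical in both periods: nothing to detect
        return u1, 1.0
    z = max(0.0, abs(u1 - mu) - 0.5) / sigma
    return u1, math.erfc(z / math.sqrt(2))

def period_shift(events, start, cutoff, end):
    """p-value for 'did the daily failure rate change at `cutoff`?', where the
    second period starts on `cutoff` (e.g. 2026-01-01 for a 2025 vs 2026 test)."""
    before = daily_counts(events, start, cutoff - timedelta(days=1))
    after = daily_counts(events, cutoff, end)
    return mann_whitney_u(before, after)[1]

# Constructed events: a sparse trickle in March, then three failures a day from April 2.
EVENTS = [(date(2026, 3, d), "KZ") for d in (3, 9, 17, 25)] + \
         [(date(2026, 4, d), "KZ") for d in range(2, 13) for _ in range(3)]
```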