Shame on you, stupid spammers.. Sh4meful  DMARC Spoof Detection

IP Address: 2a01:111:f403:c103::5 โš  IP Confounder

IP address 2a01:111:f403:c103::5 is registered to ORG-MA42-RIPE and geolocates to Toronto, Canada. It first appeared in sh4meful's dataset on February 14, 2025 and was most recently observed on June 24, 2026. Over the observation window, it has failed DMARC alignment 19 times across 4 distinct sender domains. Its reverse DNS resolves to mail-canadacentralazlp170110005.outbound.protection.outlook.com. Network context: this address sits within UK-MICROSOFT-20060601 (ORG-MA42-RIPE), a network sh4meful has observed producing 68 failures across 55 distinct IPs during the same window.

Failure Activity Over Time

Peak activity was observed in the week of June 22, 2026 with 3 failures recorded. Activity in the most recent 30-day window increased sharply compared with the prior period (3 vs 1 failures).

This page shows DMARC authentication failure data for this IP address. Learn more about this data.

Geolocation Information
Country:
CA Canada
Region:
Ontario
City:
Toronto
Coordinates:
43.6547, -79.3623
WHOIS Information
Network Name:
UK-MICROSOFT-20060601
Owner:
ORG-MA42-RIPE
Reverse DNS:
mail-canadacentralazlp170110005.outbound.protection.outlook.com
Last updated: 2/5/2026

Analysis

This IP is classified as a confounder: Microsoft 365 Exchange Online Protection (EOP). Failures observed from this source are expected artifacts of legitimate mail-handling behavior, typically email forwarding or mailing-list processing, and do not indicate spoofing attempts.

The host is operated by ORG-MA42-RIPE and geolocates to Toronto, Canada. Its presence in DMARC aggregate reports is an artifact of how forwarded mail interacts with SPF and DKIM authentication, not a sign of abuse originating from this address.

Administrators observing this IP in their DMARC aggregate reports should not block or treat it as hostile. Microsoft Exchange Online Protection (EOP) and Office 365 relay addresses appear in DMARC reports for mail routed through Microsoft's filtering infrastructure. Ensure your SPF record includes Microsoft's published mail server ranges.

Microsoft 365. Exchange Online Protection (EOP).

According to reverse-DNS, this is a host domain utilized by Microsoft 365 (formerly Office 365) to manage and secure outbound email traffic. It acts as a mail transfer agent (MTA) that filters outgoing messages to prevent spam and malicious content. Format: .outbound.protection.outlook.com. However, we've seen actual spoof attempts and SPAM from MS infrastructure so not classing this a confounder.

Last updated: 2/4/2026

IP Confounder: Microsoft 365 Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is a cloud-based email filtering service included with all Microsoft 365 subscriptions to protect against spam, malware, and phishing attacks. It automatically secures mailboxes by filtering incoming and outgoing messages in real-time using anti-spam, anti-malware, and content filters. During periods of active campaign activity, these can largely be ignored (esp. when recipients are on Exchange). However, forged emails have been observed from Microsoft infrastructure that have this signature too.

Failures Detected from this IP
Showing 1-19 of 19 failures, affecting 25 messages
Date โ–ผ Messages
6/24/2026 3
6/18/2026 1
5/16/2026 1
2/28/2026 1
2/26/2026 1
1/31/2026 1
1/28/2026 1
1/17/2026 1
1/14/2026 1
1/10/2026 1
1/9/2026 1
12/13/2025 2
11/13/2025 1
10/2/2025 1
7/1/2025 1
6/4/2025 1
3/12/2025 1
2/26/2025 1
2/14/2025 4
External Reputation Lookups

Look up this IP in external threat intelligence and reputation databases (opens in new tab):

Recommended Action

If this IP appears in your own DMARC reports, treat it as an unauthorized sender unless you have specifically verified it as a legitimate service you use. Ensure your DMARC policy is at p=quarantine or p=reject to prevent delivery of messages this IP claims to send from your domain. If you're new to DMARC, our complete guide walks through the mechanics.