How-to

How to find failing senders with the Offenders page

Use the Offenders page to identify the sending sources failing DMARC, recognise legitimate vendors, and decide what to fix.

2 min readLast updated 14 June 2026
Jump to section

The Offenders page lists every sending source that is failing DMARC for your domains, drawn from your ingested aggregate reports. It is where you turn raw report data into a to-do list: which senders are legitimate and need aligning, and which are not yours at all.

What an "offender" is

An offender is a sending source (identified by IP address and the From: domain it is using) whose mail is failing DMARC — meaning it has neither aligned SPF nor aligned DKIM with your domain. Important: an offender is not necessarily an attacker. The most common offenders are legitimate services you simply haven't aligned yet.

Vendor attribution

For each source, Blankitt tries to identify the vendor behind it — SendGrid, Mailgun, AWS SES, Microsoft 365, Google, and many more — by matching the source IP and header-from against a built-in catalogue plus any custom patterns you have added. This is the most valuable part of the page: instead of staring at a bare IP address, you see "this is SendGrid" and immediately know whether it's a service you use.

If a source is mislabelled or unknown, you can add your own mappings under Settings → Vendor pattern overrides (custom CIDR or domain → vendor name, with CSV import/export and reset-to-defaults). Your patterns always win over the built-in catalogue.

Working the page

  1. Sort by volume to see the biggest contributors to your failure rate first — fixing these moves your numbers the most.
  2. Use search and filters to narrow to a specific vendor, domain, or IP.
  3. Triage each source into one of three buckets:
  • Legitimate and yours (e.g. your marketing platform) → align it. Add the vendor to your SPF include list and/or enable DKIM signing for your domain on that platform.
  • Legitimate but not under your control / shouldn't use your domain → reconfigure or retire that sending path.
  • Unknown or suspicious → investigate; this is exactly the spoofing DMARC exists to stop, and moving to quarantine/reject will block it.
  1. Re-check after changes. Alignment fixes show up in the next day's reports, so re-visit Offenders a few days after editing DNS to confirm a source has dropped off the list.

How this feeds the rest of the workflow

Offenders shows you what is failing. For grouped, actionable remediation steps, head to Fix Groups, which clusters related issues and suggests the specific changes to make. The goal is always the same: align every legitimate sender so you can safely advance your policy from none to quarantine to reject without blocking real mail.

Tip: don't chase tiny tails

There will almost always be a long tail of low-volume sources (forwarders, the odd stray server). Focus on the high-volume, recognisable vendors first — that is where alignment effort pays off fastest.

Still stuck? Email support or open the support widget in the bottom-right.