DMARC Labs
Tags: IP Intelligence, DMARC, WHOIS

IP Enrichment in DMARC Analysis: Why WHOIS Data Changes Everything

Raw IP addresses in DMARC reports are nearly meaningless. Learn how WHOIS enrichment maps IPs to sending services, exposes unauthorized senders, and prioritizes authentication fixes.

July 6, 2025 · 10 min read

A DMARC aggregate report showing source_ip: 167.89.123.45 with a DMARC failure tells you almost nothing actionable. The same record, enriched with WHOIS data, tells you: “This is a Twilio SendGrid IP; your transactional email service is sending without proper DKIM alignment.” That is the difference between a mystery and a fix.

What Is IP Enrichment?

IP enrichment is the process of augmenting a raw IP address with contextual metadata from WHOIS and RIR (Regional Internet Registry) databases. The WHOIS protocol, defined in RFC 3912, returns registration information about IP address allocations: the organization the block is allocated or assigned to, the ASN (Autonomous System Number), the country of registration, and an abuse contact. The RIRs publish the same data over RDAP as well, the JSON-based successor to WHOIS, which is easier to parse programmatically than the free-form WHOIS text.

For DMARC analysis, IP enrichment turns a list of cryptic IP addresses into a readable inventory of sending services.

How WHOIS IP Lookup Works

When you query a WHOIS database for an IP address, the response includes:

  • Organization name: The company or entity that registered the IP block (e.g., “Google LLC”, “Amazon.com, Inc.”, “Twilio SendGrid”)
  • ASN: The Autonomous System Number — a unique identifier for a network (e.g., AS15169 = Google, AS16509 = Amazon)
  • IP range (CIDR): The full IP block the address belongs to (e.g., 209.85.128.0/17)
  • Country: The country where the IP block is registered
  • Abuse contact: Where to report abuse from this IP range

IP enrichment in DMARC analysis queries these databases for every source_ip in the report and joins the metadata back to the record.
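The following is an added example, not DMARC Labs' code: a small parser that turns the key/value text a WHOIS server returns into the five fields listed above. Both responses embedded in it are constructed (an ARIN-style record and a simplified RIPE-style one using documentation addresses and ASNs), and the field-name table is an assumption that a real tool would have to extend per registry.

```python
"""Parse WHOIS IP-lookup text into organization, ASN, CIDR, country and abuse contact.

Added example, not DMARC Labs' own code. SAMPLE_ARIN and SAMPLE_RIPE are
constructed responses; KEY_MAP covers the ARIN and RIPE field names used in
them and is an assumption that real registries' output may not match exactly.
"""
import ipaddress
import re

# Constructed ARIN-style response: "Key: value" lines, '#' comment lines.
SAMPLE_ARIN = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       167.89.0.0 - 167.89.127.255
CIDR:           167.89.0.0/17
NetName:        SENDGRID-NET
NetType:        Direct Allocation
OriginAS:       AS11377
Organization:   Twilio SendGrid (EXAMPLE-ORG)

OrgName:        Twilio SendGrid
OrgId:          EXAMPLE-ORG
Country:        US

OrgAbuseEmail:  abuse@example.net
"""

# Constructed, simplified RIPE-style response ('%' comments, lowercase keys,
# range instead of CIDR). Uses TEST-NET-3 and a documentation ASN.
SAMPLE_RIPE = """\
% This is the RIPE Database query service.
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
country:        NL
org:            ORG-EX1-RIPE
abuse-mailbox:  abuse@example.org
org-name:       Example Hosting B.V.
origin:         AS64496
"""

# WHOIS field name (lowercased) -> normalised field. Assumed mapping.
KEY_MAP = {
    "orgname": "organization", "org-name": "organization",
    "originas": "asn", "origin": "asn",
    "cidr": "cidr",
    "netrange": "range", "inetnum": "range",
    "country": "country",
    "orgabuseemail": "abuse_contact", "abuse-mailbox": "abuse_contact",
}


def parse_whois(text: str) -> dict:
    """Return {organization, asn, cidr, country, abuse_contact} from raw WHOIS text."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "%")):   # comments and legal notices
            continue
        key, sep, value = line.partition(":")         # first colon only: IPv6 values contain colons
        if not sep:
            continue
        target = KEY_MAP.get(key.strip().lower())
        # Keep the first occurrence of each key; multi-object responses would
        # additionally need the most specific network object selected.
        if target and target not in fields:
            fields[target] = value.strip()
    # Registries that report "a - b" ranges instead of CIDR: convert the range.
    if "cidr" not in fields and "range" in fields:
        lo, _, hi = fields["range"].partition("-")
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip()))
        fields["cidr"] = ", ".join(str(n) for n in nets)
    # "AS11377" -> 11377. Note the origin AS in WHOIS is self-reported and is
    # often empty or stale; routing data is the authoritative source.
    m = re.search(r"\d+", fields.get("asn", ""))
    return {
        "organization": fields.get("organization"),
        "asn": int(m.group()) if m else None,
        "cidr": fields.get("cidr"),
        "country": fields.get("country"),
        "abuse_contact": fields.get("abuse_contact"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ARIN, SAMPLE_RIPE):
        print(parse_whois(sample))
```

The one thing worth noticing is how little of the response structure is shared between registries: the same information arrives under different keys, sometimes as a range rather than a CIDR, and the origin AS may be missing entirely, which is why enrichment tools normalise into a fixed schema before joining onto DMARC records.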

What Enriched DMARC Data Reveals

Known email service providers

Well-known email service providers maintain large, stable IP blocks with consistent WHOIS registrations. When you see a record from an IP belonging to “Mailchimp Inc.” or “Salesforce.com”, you immediately know which platform is responsible for those messages — and whether it has authentication configured correctly.

Forgotten third-party services

Many organizations discover sending sources in DMARC reports that they had forgotten about: a CRM integration set up by a former employee, a marketing automation tool from a previous campaign, or a legacy application that still sends transactional email. Without WHOIS enrichment, these show up as anonymous IP addresses. With enrichment, they are immediately identifiable.

Unauthorized senders and spoofing

IPs from anonymous hosting providers, residential ISPs, or foreign data centers that have no business sending email as your domain are a red flag. Enrichment helps distinguish:

  • Hosting provider IPs (DigitalOcean, Vultr, Hetzner): frequently bots or compromised servers, although a legitimately self-hosted application sending from a VPS looks identical in WHOIS, so confirm before blocking
  • VPN/proxy exit nodes — spoofing attempts using anonymization infrastructure
  • Residential ISP IPs — infected home computers in botnets trying to send spam as your domain
  • Geographically unexpected IPs — traffic from regions where you have no legitimate operations

Forwarding infrastructure

Universities, corporate email gateways, and mailing list servers that re-deliver messages have their own IP ranges. A forwarder re-sends the message from its own IP, which is not in your SPF record, so SPF fails at the final hop (or, with SRS, passes for the forwarder's domain but is no longer aligned); an unmodified DKIM signature still passes, while mailing lists that add footers or subject tags break DKIM as well. Enrichment helps you identify MIT.EDU or LISTSERV.ACME.COM as the source of these forwarding-related failures, rather than treating them as potential threats.

DMARC IP Enrichment in Practice

Building your sender inventory

The first step in any DMARC project is building a complete inventory of authorized sending sources. IP enrichment automates this:

  1. Analyze 2–4 weeks of DMARC reports to capture all sending sources
  2. Enrich each unique source IP with WHOIS organization data
  3. Group records by organization name (all Google IPs, all SendGrid IPs, etc.)
  4. Mark each group as authorized, unauthorized, or unknown
  5. For unauthorized/unknown groups, investigate and either authorize or block

Prioritizing authentication fixes

Not all DMARC failures are equally important. A record showing 50,000 DMARC failures from a Salesforce Marketing Cloud IP range is a higher priority fix than 10 failures from an obscure IP. Enriched data lets you sort by volume and organization to identify the highest-impact fixes first.

Organization           Failed messages   Issue                   Fix
Salesforce.com Inc.    48,210            DKIM not configured     Add custom DKIM domain in Salesforce
Twilio SendGrid        12,450            SPF alignment failure   Add Return-Path domain alignment
DigitalOcean LLC       380               Unauthorized sender     Move to p=reject to block
Residential ISP        45                Spoofing attempt        Already blocked at p=reject
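Here is the inventory procedure above and the prioritization that follows it, carried out end to end as an added example (not DMARC Labs' code): parse a DMARC aggregate report, join WHOIS organizations onto each record, aggregate per organization, and sort by failed volume. The report is constructed in the RFC 7489 Appendix C layout, and the IP-to-organization table stands in for WHOIS results; it maps RFC 5737 documentation addresses to organization names, so those pairings are assumptions. The authorized and unauthorized sets are the hand-maintained outcome of steps 4 and 5.

```python
"""Sender inventory from a DMARC aggregate report, ranked by failed volume.

Added example, not DMARC Labs' code. SAMPLE_REPORT is constructed;
WHOIS_BY_IP stands in for WHOIS lookups and its IP/organization pairings
are assumptions. A real run would concatenate records from 2-4 weeks of reports.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict


def _rec(ip: str, count: int, dkim: str, spf: str) -> str:
    """One constructed <record>; dkim/spf are the aligned results a receiver reports."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")


SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name>"
    "<report_id>constructed-1</report_id></report_metadata>"
    "<policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.10", 48210, "fail", "fail")    # CRM platform, DKIM not set up
    + _rec("192.0.2.11", 1500, "pass", "fail")     # same platform, one stream signed
    + _rec("198.51.100.5", 12450, "fail", "fail")  # transactional ESP, unaligned
    + _rec("198.51.100.6", 30000, "pass", "pass")
    + _rec("192.0.2.50", 20000, "pass", "pass")    # corporate mail, fully passing
    + _rec("203.0.113.77", 380, "fail", "fail")    # VPS host nobody recognises
    + _rec("203.0.113.200", 45, "fail", "fail")    # residential address
    + "</feedback>"
)

WHOIS_BY_IP = {  # constructed enrichment results keyed by source IP
    "192.0.2.10": "Salesforce.com Inc.", "192.0.2.11": "Salesforce.com Inc.",
    "198.51.100.5": "Twilio SendGrid", "198.51.100.6": "Twilio SendGrid",
    "192.0.2.50": "Google LLC",
    "203.0.113.77": "DigitalOcean LLC",
    "203.0.113.200": "Example Residential ISP",
}
AUTHORIZED = {"Salesforce.com Inc.", "Twilio SendGrid", "Google LLC"}
UNAUTHORIZED = {"DigitalOcean LLC"}  # decided after investigation (step 5)


def parse_records(xml_text: str) -> list:
    """Return one dict per <record>. A message passes DMARC when either the
    aligned DKIM or the aligned SPF result in policy_evaluated is 'pass'."""
    root = ET.fromstring(xml_text)
    out = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        out.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "passed": "pass" in (pe.findtext("dkim"), pe.findtext("spf")),
        })
    return out


def build_inventory(records: list, whois_by_ip: dict, authorized: set, unauthorized: set) -> list:
    """Join organizations onto records, aggregate per organization, and sort
    so the highest-volume failures come first (the remediation backlog)."""
    agg = defaultdict(lambda: {"total": 0, "failed": 0})
    for r in records:
        org = whois_by_ip.get(r["ip"], "Unknown (no WHOIS match)")
        agg[org]["total"] += r["count"]
        if not r["passed"]:
            agg[org]["failed"] += r["count"]
    rows = []
    for org, a in agg.items():
        if org in authorized:
            status = "authorized"
            action = "fix DKIM/SPF alignment at the provider" if a["failed"] else "none"
        elif org in unauthorized:
            status, action = "unauthorized", "block: move policy to p=reject"
        else:
            status, action = "unknown", "investigate, then authorize or block"
        rows.append({"organization": org, "total": a["total"], "failed": a["failed"],
                     "pass_rate": round(1 - a["failed"] / a["total"], 3),
                     "status": status, "action": action})
    rows.sort(key=lambda x: x["failed"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in build_inventory(parse_records(SAMPLE_REPORT), WHOIS_BY_IP, AUTHORIZED, UNAUTHORIZED):
        print(f'{row["organization"]:25} {row["total"]:>7} {row["failed"]:>7} '
              f'{row["pass_rate"]:>6} {row["status"]:12} {row["action"]}')
```

The output is one row per organization with total, failed count, pass rate, status and action, which is the shape of the remediation backlog the tip at the end of this article describes. Note that the pass test uses the aligned results under policy_evaluated, not the raw auth_results block: a DKIM signature from the ESP's own domain passes DKIM but still fails DMARC, which is exactly the Salesforce and SendGrid situation in the table.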

The ASN Shortcut

Autonomous System Numbers (ASNs) are a useful shortcut for grouping IPs. Mapping an IP to its ASN is a cheap prefix lookup against routing data, and many IPs in a report share one ASN, so DMARC Labs groups records by ASN and looks up the ASN owner once rather than enriching each IP individually, which dramatically reduces the number of WHOIS queries needed for large reports.

Major email providers have well-known ASNs:

  • AS15169 — Google LLC (Gmail, Google Workspace)
  • AS8075 — Microsoft Corporation (Outlook.com, Office 365)
  • AS16509 — Amazon.com, Inc. (AWS, Amazon SES)
  • AS11377 — Twilio SendGrid
  • AS26801 — Mailchimp (Rocketscience Group LLC)
  • AS14061 — DigitalOcean LLC
Note: ASN ownership is stable but not permanent. Large providers occasionally transfer IP blocks between ASNs, and the origin AS recorded in WHOIS is self-reported and often missing or stale. An ASN can also be coarser than you want: AS16509 covers Amazon SES but also every EC2 tenant, so an "Amazon" group may mix your SES traffic with a stranger's instance. For the most accurate enrichment, use the full WHOIS lookup rather than a static ASN map.
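The shortcut in practice, as an added example that is not DMARC Labs' code: a longest-prefix match maps each source IP to an ASN, and the owner lookup (a stand-in for a WHOIS or RDAP query for the AS object) is memoised so it runs once per ASN instead of once per IP. The prefix table is constructed: the ASN numbers are the well-known ones listed above, but the prefixes attached to them are RFC 5737 documentation ranges, i.e. assumptions, and a real table would come from a BGP routing snapshot.

```python
"""Group DMARC source IPs by ASN and resolve each ASN owner once.

Added example, not DMARC Labs' code. PREFIX_TABLE and ASN_OWNERS are
constructed stand-ins for routing data and AS-object WHOIS/RDAP lookups.
"""
import ipaddress
from collections import defaultdict
from functools import lru_cache

# Constructed prefix -> origin ASN table (documentation ranges, assumed ASNs).
PREFIX_TABLE = [(ipaddress.ip_network(p), asn) for p, asn in [
    ("192.0.2.0/24", 15169),        # stand-in for a Google range
    ("198.51.100.0/24", 11377),     # stand-in for a SendGrid range
    ("198.51.100.128/25", 14061),   # more specific announcement inside it
    ("203.0.113.0/24", 16509),      # stand-in for an Amazon range
]]
# Longest prefix first, so the first containing network is the most specific.
PREFIX_TABLE.sort(key=lambda t: t[0].prefixlen, reverse=True)

ASN_OWNERS = {15169: "Google LLC", 11377: "Twilio SendGrid",
              14061: "DigitalOcean LLC", 16509: "Amazon.com, Inc."}
OWNER_LOOKUPS = []  # every "remote" owner query is appended here so they can be counted

# Constructed (source_ip, message count) pairs from a report.
SAMPLE_RECORDS = [
    ("192.0.2.10", 48210), ("192.0.2.11", 1500),
    ("198.51.100.5", 12450), ("198.51.100.6", 30000),
    ("198.51.100.200", 380),          # falls in the /25, not the /24
    ("203.0.113.77", 900),
    ("100.64.0.1", 7),                # not in the table at all
]


def ip_to_asn(ip: str):
    """Longest-prefix match; None when no prefix in the table contains the IP."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TABLE:
        if addr in net:
            return asn
    return None


@lru_cache(maxsize=None)
def asn_owner(asn: int) -> str:
    """Stand-in for the AS-object lookup; the cache makes it run once per ASN."""
    OWNER_LOOKUPS.append(asn)
    return ASN_OWNERS.get(asn, f"AS{asn} (owner not found)")


def group_by_asn(records) -> dict:
    """Return {asn: {owner, ips, messages}}; unmatched IPs land under None,
    which is where a full per-IP WHOIS lookup would be used as the fallback."""
    groups = defaultdict(lambda: {"owner": None, "ips": set(), "messages": 0})
    for ip, count in records:
        asn = ip_to_asn(ip)
        g = groups[asn]
        g["owner"] = asn_owner(asn) if asn is not None else "unrouted/unknown (full WHOIS lookup needed)"
        g["ips"].add(ip)
        g["messages"] += count
    return dict(groups)


if __name__ == "__main__":
    for asn, g in group_by_asn(SAMPLE_RECORDS).items():
        print(asn, g["owner"], len(g["ips"]), "IPs", g["messages"], "messages")
    print(len(OWNER_LOOKUPS), "owner lookups for", len(SAMPLE_RECORDS), "IPs")
```

Seven IPs cost four owner lookups here, and the saving grows with report size. The caveat from the note applies unchanged: the 203.0.113.0/24 group is keyed on the Amazon ASN, which says nothing about which tenant inside it sent the mail.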

Suspicious IP Classification

Beyond basic WHOIS enrichment, DMARC Labs flags IPs as suspicious when they meet certain criteria:

  • 100% DMARC failure rate with meaningful volume. A legitimate sender that is merely misconfigured can also fail every message (the Salesforce row above is one), so this signal is read together with the organization: 100% failure from a known ESP is usually a configuration bug, 100% failure from an anonymous host is spoofing
  • IP ranges belonging to anonymous hosting providers with no plausible email sending use case
  • Residential IP blocks (ISP consumer address space). Legitimate bulk email should never originate from residential IPs, and most consumer ISPs block outbound port 25 for exactly that reason
  • IP blocks with recent abuse reports in threat intelligence databases

IP enrichment does not catch every threat. A sophisticated attacker using legitimate cloud provider IPs for spoofing looks identical to a legitimate SaaS sender, until you notice the 100% DMARC failure rate. Context always matters.
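The four criteria above, and the "context always matters" rule, turned into triage logic as an added example (not DMARC Labs' flagging code, whose thresholds are not published here): each enriched sender gets a list of reasons and a verdict that depends on which reasons co-occur. The sender records are constructed, the organization type labels (esp, hosting, residential, cloud) are an assumed output of enrichment, and the 20-message volume floor is an assumption.

```python
"""Flag suspicious DMARC senders from enriched, per-organization aggregates.

Added example, not DMARC Labs' code. SAMPLE_SOURCES is constructed; the
org_type labels and MIN_VOLUME are assumptions.
"""

MIN_VOLUME = 20  # assumed floor below which a 100% failure rate is not yet "meaningful"

# Constructed per-organization aggregates, as produced after enrichment.
SAMPLE_SOURCES = [
    {"organization": "Twilio SendGrid", "org_type": "esp",
     "total": 12450, "failed": 12450, "abuse_listed": False},
    {"organization": "Google LLC", "org_type": "esp",
     "total": 20000, "failed": 0, "abuse_listed": False},
    {"organization": "DigitalOcean LLC", "org_type": "hosting",
     "total": 380, "failed": 380, "abuse_listed": True},
    {"organization": "Example Residential ISP", "org_type": "residential",
     "total": 45, "failed": 45, "abuse_listed": False},
    {"organization": "Amazon.com, Inc.", "org_type": "cloud",      # the L98 case
     "total": 900, "failed": 900, "abuse_listed": False},
    {"organization": "Example VPS Host", "org_type": "hosting",    # below the volume floor
     "total": 3, "failed": 3, "abuse_listed": False},
]


def classify(src: dict, min_volume: int = MIN_VOLUME):
    """Return (verdict, reasons). Reasons are the individual criteria that
    fired; the verdict combines them with the organization type, because the
    same 100% failure rate means different things from an ESP and from a VPS."""
    reasons = []
    all_fail = src["total"] >= min_volume and src["failed"] == src["total"] and src["total"] > 0
    if all_fail:
        reasons.append(f"100% DMARC failure on {src['total']} messages")
    if src["org_type"] == "hosting":
        reasons.append("anonymous hosting provider range")
    if src["org_type"] == "residential":
        reasons.append("residential ISP address space")
    if src["abuse_listed"]:
        reasons.append("recent abuse reports in threat intelligence")

    if all_fail and src["org_type"] == "esp":
        verdict = "misconfigured legitimate sender"   # fix DKIM/SPF alignment, do not block
    elif all_fail and len(reasons) > 1:
        verdict = "likely spoofing"                   # total failure plus hostile infrastructure
    elif reasons:
        verdict = "suspicious, review"                # e.g. a cloud tenant failing everything
    else:
        verdict = "clean"
    return verdict, reasons


def triage(sources) -> list:
    """Verdict per organization, worst first, for the analyst's queue."""
    order = {"likely spoofing": 0, "suspicious, review": 1,
             "misconfigured legitimate sender": 2, "clean": 3}
    rows = [(s["organization"], *classify(s)) for s in sources]
    rows.sort(key=lambda r: order[r[1]])
    return rows


if __name__ == "__main__":
    for org, verdict, reasons in triage(SAMPLE_SOURCES):
        print(f"{org:25} {verdict:32} {'; '.join(reasons)}")
```

The Amazon row is the limit the paragraph above warns about: with nothing but a 100% failure rate against it, the best the rules can do is queue it for review, and the analyst has to decide whether an SES account or a rogue EC2 instance is behind it.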

IP Enrichment and GDPR

IP addresses can be personal data under GDPR when they are associated with identified or identifiable individuals. In the context of DMARC reports:

  • IPs from large commercial email providers are corporate infrastructure, not personal data
  • IPs from residential ISPs can identify an individual subscriber, so they can be personal data even though, in the context of DMARC reports, they are almost always attack traffic or compromised devices

When DMARC Labs performs IP enrichment, WHOIS queries are made for the IP addresses in your report: the IPs are sent to a WHOIS API, and the rest of the report stays in your browser. If GDPR compliance is a concern, use a DMARC analyzer that processes reports locally and limits external data sharing to those IP lookups, which is what DMARC Labs does.


Tip: After enriching your DMARC report, export the data and build a simple spreadsheet: one row per unique organization, with columns for total message count, pass rate, and action needed. This becomes your authentication remediation backlog, a concrete to-do list for achieving DMARC enforcement.

Ready to analyze your DMARC reports?

DMARC Labs processes large XML files entirely in your browser — no upload, no signup, no data retention. Supports files up to 100MB+.
