A basic DMARC report contains a list of IP address and whether those IPs passed or failed DMARC based on SPF and DKIM. Not all of the IP address belongs in a domain's SPF record; there are other reasons for an IP to be listed on a domain's DMARC report.When analyzing DMARC data, It can get confusing trying to figure out which IP addresses are senders that need to be included in the SPF record, which have forwarded the email, and which might be spoofing the domain. How do you tell which of those IP addresses belong in your SPF record?
Senders, Forwarders, Reporters, and Receivers
It helps to know the players: transmitters, receivers, and reporters. Transmitters (senders and forwards) transmit the email from a source, Receivers (including reporters) process and deliver email to inboxes. Reporters send DMARC data back to the domain owner. Here's a little more detail:
