Skip to main content
Sender geolocation — shown in your reports as Sender Locations — adds geographic context to your DMARC data. For each sending source, DMARCeye enriches the sending IP addresses with country and location data and plots them on a world map, so you can see where mail claiming to be from your domain is actually being sent.

Where to find it

Sender Locations appears at the sender level of your reports, below the Source Summary:
1

Open a domain's reports

Go to Reports, or open a domain and select its Reports tab.
2

Choose a sending source

Scroll to Sender Details and click a sender (for example, your ESP or a mail provider).
3

Scroll to Sender Locations

Below the Source Summary and the Email Volume chart, the Sender Locations map shows where that sender’s IP addresses are located.

Reading the map

The map plots the geographic location of every IP address sending email on behalf of the selected source.
  • Clustering — nearby locations are grouped into numbered markers so a large number of sources stays readable. The number on a marker is how many IP locations it represents.
  • Zoom — use the + / − controls (or scroll) to zoom in; as you zoom, clusters split into more specific locations.
  • Drill down — open an individual IP address to see its details, including its location, alongside its authentication metrics.

Interpreting the locations

Seeing IP addresses in many countries is normal, not a reason to panic. The location shown for an IP comes from IP geolocation — it reflects where that sending infrastructure is registered or hosted, not where a person clicked “send.” Your legitimate email providers (your newsletter platform, your CRM, Google, Microsoft, and so on) run sending servers in data centers around the world, so their IPs naturally appear in several regions. So a sender showing IPs across multiple countries is usually just a reflection of that provider’s global infrastructure — on its own, it does not mean someone is spoofing your domain. The real signal is not geography, it is authentication. What warrants a closer look is an unfamiliar source that is also failing DMARC — an IP you can’t tie to any provider you use, sending mail that doesn’t pass SPF or DKIM alignment. If something looks off, keep an eye on your DMARC compliance in the reports: a genuine spoofing attempt shows up as failing authentication from a source you don’t recognise, not simply as an unexpected point on the map. For the rest of the sender drill-down, see Source Summary. For the full reports walkthrough, see Understanding your reports.