Sender Inventory as Production Infrastructure: Why Companies Must Register Every Email Sender

DMARCPulse Team

Email sending is production infrastructure — and it’s still treated like a side project

Imagine a developer deploying a new microservice without a ticket, without monitoring, without telling anyone. That would raise alarms immediately in most organizations. Yet the exact same thing happens with email senders every day: marketing signs up for a new tool, sales connects a third-party platform, someone in IT sets up a new cron job — and nobody writes it down anywhere.

The result: DMARC reports full of unknown sources, SPF records on the verge of hitting the DNS lookup limit, and an enforcement policy that never quite comes within reach.

What a sender inventory actually is

A sender inventory is a structured list of every system and service that sends email on behalf of your domain. Each entry should include at minimum these four fields:

  • From-Domain: The visible sender domain (e.g. [email protected])
  • Return-Path / Bounce Address: The technical envelope-from address, which is what SPF actually checks
  • DKIM Selector: The selector under which the public key is published in DNS
  • Purpose / Owner: Who is responsible, and what is this sender used for?

That might sound like bureaucracy. It is the opposite: without this list, every DMARC report is a guessing game.

Why it breaks down without an inventory

DMARC aggregate reports give you IP addresses and DKIM selectors. If you don’t know which selector belongs to which service, you can’t attribute a failing report to anything — and you can’t decide whether to fix a sender or block it.

A concrete example: a marketing tool sends via a subdomain using the DKIM selector mk1. In the DMARC report, that selector shows up with 12% DMARC failures. Without an inventory, you have no idea — is this a legitimate sender with a configuration problem? Or someone spoofing your domain? With an inventory, the answer takes seconds.

The same applies to SPF. Many domains have SPF records that have grown organically over the years, full of include: entries for tools that are no longer in use. Without an inventory, you don’t know what you can safely remove.

Sender registration as a process, not a one-time task

The key shift is treating sender registration as a fixed part of your onboarding process — the same way you’d open a ticket or add an entry to a CMDB.

In practice, that means:

  • Before go-live: Every new email sender — internal system, SaaS tool, agency — must be registered before it goes into production.
  • DNS changes are mandatory: Extend the SPF record, publish the DKIM selector, check the subdomain DMARC policy if applicable.
  • Owner assignment: Every sender needs a named technical contact who can be reached when something breaks.
  • Regular review: Quarterly check to confirm every entry in the inventory is still active.

This process doesn’t need to be complex. A simple spreadsheet or a ticket template is enough to start. What matters is that the process exists and is followed.

DMARC enforcement is impossible without an inventory

Many organizations have been stuck at p=none for months or years. The most common reason: they don’t know which senders are not yet properly configured, so they don’t dare move to p=quarantine or p=reject.

That is not a technical problem. It is an inventory problem.

Once you know which senders exist, you can work through it systematically:

  1. Check every known sender for DMARC compliance (SPF alignment, DKIM alignment)
  2. Identify unknown sources in DMARC reports and either add them to the inventory or classify them as spoofing attempts
  3. Enable enforcement once all legitimate senders are compliant

Step 2 is the critical one: DMARC reports show you what is actually happening — but only if you can read and attribute the data.
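One way to do the attribution in step 2, and to answer the mk1 question from the earlier example, shown as an added Python example that is not DMARCPulse code. The inventory values, the report contents and the function name attribute are constructed for illustration, and the report is reduced to the elements the code reads.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed inventory (hypothetical values); assumes each sender signs with d= its from_domain.
INVENTORY = [
    {"from_domain": "news.example.com", "return_path": "bounce.mailtool.example",
     "dkim_selector": "mk1", "owner": "marketing"},
    {"from_domain": "example.com", "return_path": "example.com",
     "dkim_selector": "s1", "owner": "it-ops"},
]

ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<dkim>{}</dkim><spf>{}</spf></policy_evaluated></row><auth_results>{}"
       "<spf><domain>{}</domain><result>{}</result></spf></auth_results></record>")
DKIM = "<dkim><domain>{}</domain><selector>{}</selector><result>{}</result></dkim>"
# Constructed report: 88 passing and 12 failing mk1 messages, 40 from an unlisted source.
SAMPLE_REPORT = "<feedback>" + "".join([
    ROW.format("192.0.2.10", 88, "pass", "fail",
               DKIM.format("news.example.com", "mk1", "pass"), "bounce.mailtool.example", "pass"),
    ROW.format("192.0.2.11", 12, "fail", "fail",
               DKIM.format("news.example.com", "mk1", "fail"), "bounce.mailtool.example", "pass"),
    ROW.format("203.0.113.7", 40, "fail", "fail", "", "example.com", "fail"),
]) + "</feedback>"

def attribute(report_xml, inventory):
    """Sum message counts per inventory owner; unmatched rows land under 'UNKNOWN'."""
    by_selector = {(e["from_domain"], e["dkim_selector"]): e["owner"] for e in inventory}
    by_return_path = {e["return_path"]: e["owner"] for e in inventory}
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "sources": set()})
    # Reports come from outside parties: use a hardened XML parser in production.
    for rec in ET.fromstring(report_xml).iter("record"):
        owner = None
        # Only identifiers that authenticated count; a failed signature can name any selector.
        for r in rec.findall("auth_results/*"):
            if r.findtext("result") == "pass":
                domain = r.findtext("domain", "").lower()
                owner = owner or (by_selector.get((domain, r.findtext("selector")))
                                  if r.tag == "dkim" else by_return_path.get(domain))
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        failed = all(rec.findtext(f"row/policy_evaluated/{m}") != "pass" for m in ("dkim", "spf"))
        count = int(rec.findtext("row/count"))
        s = stats[owner or "UNKNOWN"]
        s["total"] += count
        s["dmarc_fail"] += count if failed else 0
        s["sources"].add(rec.findtext("row/source_ip"))
    return dict(stats)

if __name__ == "__main__":
    for owner, s in attribute(SAMPLE_REPORT, INVENTORY).items():
        print(f"{owner}: {s['dmarc_fail']}/{s['total']} failing from {sorted(s['sources'])}")
```

The failing mk1 rows are attributed through the authenticated bounce domain rather than the selector, and the third row stays UNKNOWN even though its envelope domain is in the inventory, because its SPF check did not pass.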

What happens if you skip this

Spoofing attacks against domains with p=none are trivial. Attackers don’t need to compromise any infrastructure — they simply set an arbitrary From address and send. Recipients see your domain. You might notice it in the reports, if you’re looking.

But even without active attacks, the damage accumulates: deliverability problems from broken SPF records, DKIM key rotations that nobody tracks, bounce addresses pointing to mailboxes that no longer exist.

Sender inventory and DMARCPulse

DMARCPulse automatically parses your DMARC aggregate reports and surfaces every source sending email under your domain — including IP addresses, DKIM selectors, and alignment status. That is the fastest way to build an initial inventory: from the reports you are already receiving.

If you don’t yet know how your domain is currently configured, start with a free domain check: dmarcpulse.io/en/free-domain-check