How Sender Behavioral Profiling Detects Compromised ESP Accounts
Static rules catch known-bad senders. Behavioral profiling catches good senders that have gone bad.
Why static rules miss behavioral anomalies
Traditional DMARC monitoring works on a pass/fail model. SPF passed or it did not. DKIM verified or it did not. This binary approach works well for catching unauthorized senders, but it completely misses a critical threat category: authorized senders whose accounts have been compromised.
When an attacker gains access to your Mailchimp, SendGrid, or HubSpot account, every email they send passes SPF and DKIM because they are sending through your legitimate infrastructure. DMARC sees a perfectly authenticated message. Your static monitoring rules see nothing wrong. Meanwhile, your domain is being used to send phishing emails to your own customer list.
How SpoofSentry fingerprints sending patterns
SpoofSentry builds a behavioral profile for every IP address that sends email as your domain. Over time, the system learns each sender's normal operating parameters: what hours they send, how much volume they produce, which days are active, and what their typical SPF/DKIM pass rates look like.
These patterns are captured in hourly heatmaps that visualize sending behavior across a 7-day rolling window. A marketing platform like Mailchimp typically shows tight clusters: weekday mornings, consistent volumes, near-perfect authentication rates. These baselines become the reference point for anomaly detection.
The four detectors
Four anomaly detectors run continuously against each sender profile:
- Volume spikes — Sending volume exceeds 3 standard deviations from the rolling baseline. A sender that normally delivers 5,000 emails per day suddenly pushing 50,000 triggers an immediate alert.
- Authentication degradation — SPF or DKIM pass rates decline over a rolling window. A sender that maintained a 99.8% DKIM pass rate dropping to 94% suggests an infrastructure change or key compromise.
- Hour shifts — Sending activity moves to hours outside the established pattern. Business email that suddenly starts flowing at 3 AM local time is a strong indicator of unauthorized access.
- Day pattern changes — Weekend or holiday sending from a sender that historically only operates on weekdays. This catches automated abuse that does not respect business calendars.
Example: a compromised Mailchimp account
A SaaS company uses Mailchimp for product update emails. The behavioral profile shows consistent sending: Tuesday and Thursday mornings, 8,000-12,000 messages per batch, 99.9% DKIM pass rate, originating from Mailchimp's US East infrastructure.
An attacker gains access to the Mailchimp account through a compromised team member's credentials. At 2:47 AM on a Saturday, they begin sending phishing emails to the full subscriber list. Every email passes SPF and DKIM because Mailchimp's infrastructure is legitimately authorized.
SpoofSentry's behavioral profiling fires three detectors simultaneously: hour shift (2:47 AM vs. normal 9-11 AM window), day pattern change (Saturday vs. Tuesday/Thursday baseline), and volume spike (full list blast vs. segmented batches). A critical ThreatSignal is created automatically, and the security team is alerted before the campaign finishes sending.
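The four detectors and the compromised-account scenario above, reduced to an added Python example (not SpoofSentry's code): the baseline events, the 2-point authentication-drop threshold and the severity ladder are assumptions chosen to mirror the numbers in the text.

```python
from datetime import datetime
from statistics import mean, pstdev

def make_event(year, month, day, hour, minute, volume, dkim_pass):
    """One aggregated sending observation for a single sender IP."""
    return {"ts": datetime(year, month, day, hour, minute),
            "volume": volume, "dkim_pass": dkim_pass}

# Constructed baseline: two weeks of Tuesday/Thursday 9 AM batches
# (2024-06-04 is a Tuesday), matching the profile described above.
BASELINE = [
    make_event(2024, 6, 4 + 7 * week + offset, 9, 0, vol, 0.999)
    for week in range(2)
    for offset, vol in ((0, 9000), (2, 11000))
]

def build_profile(events):
    """Learn the sender's normal hours, weekdays, volume spread and DKIM rate."""
    volumes = [e["volume"] for e in events]
    return {
        "hours": {e["ts"].hour for e in events},
        "weekdays": {e["ts"].weekday() for e in events},
        "vol_mean": mean(volumes),
        "vol_std": pstdev(volumes),
        "dkim_mean": mean(e["dkim_pass"] for e in events),
    }

def run_detectors(profile, event, auth_drop=0.02):
    """Names of detectors firing for one new event (auth_drop is an assumed threshold)."""
    fired = []
    if event["volume"] > profile["vol_mean"] + 3 * profile["vol_std"]:
        fired.append("volume_spike")          # beyond 3 sigma of the baseline
    if event["dkim_pass"] < profile["dkim_mean"] - auth_drop:
        fired.append("auth_degradation")      # DKIM pass rate fell too far
    if event["ts"].hour not in profile["hours"]:
        fired.append("hour_shift")            # outside the learned sending hours
    if event["ts"].weekday() not in profile["weekdays"]:
        fired.append("day_pattern_change")    # outside the learned sending days
    return fired

def threat_signal(profile, event):
    """Build a ThreatSignal-style record; more detectors firing raises severity (assumed ladder)."""
    fired = run_detectors(profile, event)
    severity = {0: "none", 1: "medium", 2: "high"}.get(len(fired), "critical")
    return {"anomalies": fired, "severity": severity,
            "metrics": {"volume": event["volume"], "dkim_pass": event["dkim_pass"],
                        "ts": event["ts"].isoformat()}}

if __name__ == "__main__":
    # Constructed attack event: Saturday 2:47 AM full-list blast that still passes DKIM.
    print(threat_signal(build_profile(BASELINE), make_event(2024, 6, 22, 2, 47, 50000, 0.999)))
```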
Automatic ThreatSignal creation
When any detector fires, SpoofSentry creates a ThreatSignal with the anomaly type, severity, affected sender profile, and the specific metrics that triggered the alert. Multiple simultaneous detector firings increase the severity level automatically. These signals flow into the same Threat Signals dashboard used for IP reputation alerts and CT monitoring findings, giving security teams a single pane of glass for all email-related threats.
Start detecting behavioral anomalies
Sender behavioral profiling is available on SpoofSentry Pro and Enterprise plans. Profiles begin building automatically as DMARC reports are processed. After approximately two weeks of data collection, the anomaly detectors activate with sufficient baseline accuracy.