ICES (Integrated Cloud Email Security) solutions generate additional DMARC reports because of how they process and relay emails on behalf of the sender.
You can see these ICES solutions in your DMARC data even if you do not use that particular email security solution. If you communicate with someone who does, the recipient's ICES solution will show up in your DMARC reporting data because of how it handles the delivery of those emails.
Why ICES Solutions Trigger Extra DMARC Reports
When ICES solutions are used, here's what typically happens:
- Mail Relay Behavior
  Many ICES platforms receive the email first, scan or filter it, and then relay it to the recipient's mail server (e.g., Microsoft 365 or Google Workspace).
  From the receiving server’s point of view, the ICES platform becomes the "sending" IP.
- SPF Alignment May Break
  If the ICES solution relays the email without preserving the original sending server's IP, SPF checks might fail (or pass depending on config), but alignment may break, triggering a DMARC report.
- DKIM Signatures May Be Stripped or Altered
  ICES platforms sometimes rewrite or re-sign the message headers (e.g., to insert footers or perform encryption), which can cause DKIM verification to fail at the final destination.
- Multiple DMARC Reports per Email
  - Original Recipient’s Mail Server (e.g., Microsoft 365) sends a DMARC report based on what it sees.
  - ICES Solution Itself may also perform DMARC evaluation and send its own aggregate report, even if it’s not the final recipient.
  - This results in multiple RUA reports for the same message from different sources.
As a result, when you're reviewing DMARC RUA (aggregate) data, you may see:
- Duplicate-looking entries from both ICES and final mail servers
- Different IPs (e.g., ICES IPs vs. original sending server IPs)
- Seemingly inflated or fragmented message counts
ICES solutions generate additional DMARC reports because they act as intermediaries in the email delivery chain, and they may independently evaluate or affect SPF/DKIM outcomes. This behavior is expected and does not necessarily indicate a misconfiguration, but it does require thoughtful interpretation in your DMARC data analysis.
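To make that interpretation concrete, the following added example (not Sendmarc's code) parses two aggregate reports describing the same five messages, one from an ICES platform and one from the final mail server, and totals them per source IP. The report contents, IP addresses, reporter names and the `KNOWN_SENDERS` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: documentation IP ranges and made-up reporter names.
KNOWN_SENDERS = {"192.0.2.10"}  # assumption: your own outbound mail server

# Report from the ICES platform, which received the mail directly from you.
REPORT_ICES = """<feedback>
 <report_metadata><org_name>ices-vendor.example</org_name></report_metadata>
 <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

# Report from the final mail server, which saw the ICES relay as the sender.
REPORT_FINAL = """<feedback>
 <report_metadata><org_name>mailbox-provider.example</org_name></report_metadata>
 <record><row><source_ip>198.51.100.25</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def parse_report(xml_text):
    """Yield (reporter, source_ip, count, dkim, spf) per row of one RUA report."""
    # Reports arriving from the internet are untrusted XML; use a hardened
    # parser (for example defusedxml) there. Assumes no XML namespace.
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name")
    for row in root.iter("row"):
        yield (reporter, row.findtext("source_ip"), int(row.findtext("count")),
               row.findtext("policy_evaluated/dkim"),
               row.findtext("policy_evaluated/spf"))

def summarize(reports, known_senders):
    """Total counts per source IP and flag IPs that are not your own senders."""
    summary = defaultdict(lambda: {"count": 0, "dmarc_pass": 0, "reporters": set()})
    for xml_text in reports:
        for reporter, ip, count, dkim, spf in parse_report(xml_text):
            entry = summary[ip]
            entry["count"] += count
            entry["reporters"].add(reporter)
            # policy_evaluated holds aligned results; DMARC passes if either passes.
            if "pass" in (dkim, spf):
                entry["dmarc_pass"] += count
    for ip, entry in summary.items():
        entry["candidate_intermediary"] = ip not in known_senders
    return dict(summary)

if __name__ == "__main__":
    for ip, e in summarize([REPORT_ICES, REPORT_FINAL], KNOWN_SENDERS).items():
        print(ip, e["count"], e["dmarc_pass"], sorted(e["reporters"]),
              "review as forwarder" if e["candidate_intermediary"] else "own sender")
```

The raw total across both reports is ten messages although only five were sent, and the failing half comes entirely from an IP that is not one of your own senders.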
Typically, if you see an ICES solution in your DMARC data and you are sure that you or your customer does not use this infrastructure or security service provider, you can simply mark this sender as a forwarder in the Sendmarc platform.
Examples of ICES Solutions:
Check Point Harmony Email & Collaboration.
Perception-Point.
Vade Security (Hornet).
ForcePoint Security.
Area 1 Security.
Inky Phish.
PhishTitan (Spam Titan).
FireEye.
Proof Point Enterprise.