
Understanding Anomaly Detection in the AI Agent

Overview

The Anomaly Detection feature of the PowerDMARC AI Agent continuously monitors your domain's email authentication data and surfaces unusual activity before it becomes a problem. Once you enable AI processing for a domain and the first 30-day report is generated, the AI analyses your data and flags deviations — such as compliance drops, volume spikes, new sending sources, or DNS record changes — each with a severity level, confidence score, and plain-language explanation.

Why this matters: Most authentication issues go unnoticed until they affect deliverability. Anomaly Detection gives you early warning of misconfigurations, spoofing activity, and infrastructure changes, so you can act before your DMARC compliance or sender reputation is impacted.

Anomaly Detection

Once a domain report has been fetched, the AI analyses the last 30 days of data and surfaces anything that looks unusual. Each anomaly comes with a severity level, a confidence score, and a plain-language description of what changed, so you know at a glance whether something needs your attention.

What the AI looks for

| Anomaly type | What it means |
|---|---|
| DMARC compliance drop | A significant fall in the percentage of emails passing DMARC — often the first sign of a misconfiguration or new unauthorised sender |
| SPF or DKIM alignment shift | SPF or DKIM results have moved in a way that affects DMARC pass rates — often caused by forwarding or a new sending service |
| Volume spike or drop | Email volume has risen or fallen sharply compared to the established 30-day baseline |
| New sending source | A previously unseen IP address or sending service has started sending on behalf of your domain |
| Header / Envelope mismatch spike | More emails than usual have a From header that does not match the envelope sender — common with forwarding or third-party senders |
| P=None active spoofing risk | Your domain is receiving non-compliant traffic while still on a monitoring-only policy, leaving it open to spoofing |
| Weekly pattern volume deviation | Email volume on a specific day of the week has deviated significantly from what is normal for that day |
| DNS record change or degradation | A DNS record (such as a DKIM selector) has been modified or has resulted in an invalid configuration |


Severity levels

Every anomaly is assigned one of three severity levels so you can prioritise what to look at first:


| Level | What it means |
|---|---|
| Critical | Requires immediate attention — for example, a broken DKIM configuration or an active spoofing risk |
| Warning | A notable deviation worth investigating — may not need immediate action but should be reviewed |
| OK | Informational only — no action required |


The screenshot below shows all three severity levels in a live anomaly feed, including one anomaly that has already been acknowledged:


How to act on an anomaly

  1. Open the Insights tab in the AI Agent to see your anomaly feed.

  2. Each entry shows the anomaly type, a plain-language description of what changed, the date detected, and a confidence score.

  3. Click Acknowledge once you have reviewed and addressed the anomaly. It will be marked as resolved in the feed.

  4. Click Explain on any entry to open a full AI-generated breakdown in the Chat tab (see below for details).

Here is a close-up of a single anomaly card, showing the key information at a glance:


Once acknowledged, the anomaly is visually marked in the feed so you can distinguish reviewed items from ones still requiring attention:



Getting a full explanation in chat

Clicking Explain on any anomaly opens the Chat tab with the full context already loaded. The AI provides a structured breakdown covering what happened, key figures, historical context, likely causes, and recommended actions. You do not need to type anything:




NOTE

New sending sources are only flagged when they account for 10% or more of total traffic, to avoid false positives from minor forwarding activity.
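
The new-source rule in the note above, as an added Python example that is not PowerDMARC's code: it flags sources absent from a baseline window only when they carry 10% or more of current traffic, and computes the DMARC pass rate for both windows. The row layout, function names and sample data are constructed assumptions.

```python
from collections import Counter

NEW_SOURCE_SHARE = 0.10  # "10% or more of total traffic", from the note above

# Constructed sample rows: (source_ip, message_count, dmarc_pass)
BASELINE = [
    ("192.0.2.10", 9000, True),
    ("192.0.2.11", 800, True),
    ("198.51.100.7", 200, False),
]
CURRENT = [
    ("192.0.2.10", 7000, True),
    ("192.0.2.11", 700, True),
    ("198.51.100.7", 500, False),
    ("203.0.113.50", 1500, False),  # unseen source, 15% of traffic
    ("203.0.113.99", 300, False),   # unseen source, 3% of traffic
]

def volume_by_source(rows):
    """Sum message counts per source IP."""
    totals = Counter()
    for ip, count, _ in rows:
        totals[ip] += count
    return totals

def compliance_rate(rows):
    """Fraction of messages that passed DMARC (0.0 for an empty window)."""
    total = sum(count for _, count, _ in rows)
    passed = sum(count for _, count, ok in rows if ok)
    return passed / total if total else 0.0

def new_sources(baseline, current, min_share=NEW_SOURCE_SHARE):
    """Return {ip: share} for sources not in the baseline whose share
    of current traffic is at least min_share."""
    known = set(volume_by_source(baseline))
    cur = volume_by_source(current)
    total = sum(cur.values())
    if total == 0:
        return {}
    return {ip: n / total for ip, n in cur.items()
            if ip not in known and n / total >= min_share}

if __name__ == "__main__":
    print("baseline pass rate:", compliance_rate(BASELINE))
    print("current pass rate: ", compliance_rate(CURRENT))
    for ip, share in new_sources(BASELINE, CURRENT).items():
        print(f"new sending source {ip}: {share:.0%} of traffic")
```
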

PowerDMARC is the author of this solution article.
