What should I do about Threat/Unknown

Background: DMARC data helps *you* (a domain owner or administrator) improve domain authentication and move toward policy enforcement at receivers: it guides you toward p=reject and, more generally, lets you monitor for legitimate sending environments whose authentication failures need to be remedied. dmarcian digests raw DMARC data and presents it back to you in a way that helps you make sense of it. In addition to sorting, aggregating, and prettying it up, we attempt to categorize the data using some proprietary sorting and insights of our own.

One of these categorizations is the "Threat/Unknown" (T/U) view. If reported traffic

  • does not look like it came from a source that we have definitions for
  • does not come from a location we recognize via your SPF definitions
  • does not pass DMARC at all

then we classify the traffic as "Threat/Unknown". Depending on how poorly some of your senders send messages for you, more of these may be Unknown than Threat; as you work with your vendors to improve their behaviour, this should change.
When you begin looking at data with dmarcian's tools, you'll want to review the entries in T/U frequently to assess whether there is legitimate traffic you need to work on with the sender.  As time goes on and you either implement p=reject or feel that all of your legitimate sources are working well, you may decide to review the T/U entries less often.

When you review the entries shown under this category, what you can make of the data depends largely on your own knowledge of the traffic sent for your organization; beyond what you see in the Detail Viewer, there is usually no further information dmarcian can show to explain exactly what the traffic was. In some instances you can find extra information in the Forensic data, but because few data providers participate, related information rarely arrives via the RUF channel.
If you do not recognize the sender, some of the data shown may help you decide that the traffic is truly illegitimate and not worth following up on:

  • was dmarcian able to find PTR information for the IP address? (PTR is not sent with DMARC data; we attempt to resolve it from the IP address and add it to your view.) If no PTR is found or the lookup fails with an error, it is very likely that the traffic is not from a reputable source
  • which countries is the traffic from? This is another data point that is not in raw DMARC data, but we determine it and show it to you so that you can try to understand the source
  • is there a wide spread of IP addresses sending this traffic? This is usually a signal of botnet (illegitimate) activity
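
As an added example (not dmarcian's code), the classification described above and the PTR and IP-spread checks in this list applied to a constructed aggregate (RUA) report; it assumes the three T/U conditions are jointly required, and `KNOWN_NETWORKS`, `triage` and the sample addresses are assumptions:

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report, trimmed to the fields used here.
SAMPLE_RUA = """<feedback>
<record><row><source_ip>198.51.100.9</source_ip><count>120</count>
 <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.20</source_ip><count>30</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>4</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.77</source_ip><count>2</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical: the networks your SPF record authorizes (sources you have definitions for).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def resolve_ptr(ip):
    """Reverse-DNS lookup; returns None when no PTR exists or the lookup errors."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def triage(report_xml, known_networks=KNOWN_NETWORKS, ptr_lookup=resolve_ptr):
    """Bucket each record: passing, known source that fails (fix with the vendor),
    or Threat/Unknown (fails DMARC and comes from no source you have defined)."""
    buckets = {"pass": [], "remediate": [], "threat_unknown": []}
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned identifier (DKIM or SPF) passes.
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        known = any(ipaddress.ip_address(ip) in net for net in known_networks)
        entry = {"ip": ip, "count": count}
        if passed:
            buckets["pass"].append(entry)
        elif known:
            buckets["remediate"].append(entry)
        else:
            entry["ptr"] = ptr_lookup(ip)  # missing PTR: likely not a reputable source
            buckets["threat_unknown"].append(entry)
    # Many distinct IPs each sending little traffic is the botnet-style signal.
    buckets["distinct_tu_ips"] = len({e["ip"] for e in buckets["threat_unknown"]})
    return buckets
```

To run it offline, pass a constructed lookup such as `{"203.0.113.5": "mail.example.net"}.get` as `ptr_lookup`; with real data, the default `resolve_ptr` performs the reverse lookup.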

Now, what should you actually do about the illegitimate senders? The best thing is simply to make sure that all the rest of your traffic passes DMARC and to get your domain(s) to p=reject, so that the illegitimate traffic is rejected by environments which participate in DMARC. Secondary actions would require that you work with a company which will proactively investigate and work on "taking down" fraudulent senders. (dmarcian does not do this.)

A secondary concern regarding traffic which is reported in Threat/Unknown: while DMARC has wide and growing adoption, not all environments support it. If your own inbox provider does not, then your mailboxes are vulnerable to fraudulent messaging that would be identified in an environment which properly supports DMARC. Check here for our public list of all recent DMARC participants: https://us.dmarcian.com/dmarc-data-providers/