The URIs submitted to the Threat Feed are sent on these criteria:
- The message containing the URI must have failed DMARC.
- The message is not from an IP in the customer Sender Inventory.
- The URI domain is not in a domain or a subdomain registered to the customer in the Agari portal.
- The URI sans parameters has not been sent to this Threat Feed within the configurable resubmission timeframe.
- Some other parameters as configurable in the Threat Feed area.
All URIs matching the set parameters are sent. Whether the domain is already set to DMARC-reject or Not is irrelevant.
The Threat Feed email containing new URIs seen to match the above parameters is sent every 10 minutes, OR as soon as 100 URIs are accumulated.
Threat Feed data is sent from hosts within the IP address range shown in the Threat Feed configuration, with the From address which will be either email@example.com or firstname.lastname@example.org