
Monito 2021 #01 | Monitoring DMARC Badsender.com - December 2020

08/01/2021

We will again talk about DMARC and our monthly monitoring.

In this article (which you will find every month), we will share with you the DMARC monitoring we do on our domain Badsender.com.

Today, our security policy is "quarantine", which means that any email with failed SPF & DKIM authentication will be delivered to the junk folder by ISPs/Webmails capable of interpreting DMARC.

We have two goals for 2021:

  1. Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
  2. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Hang on!

December 2020 compliance rate

To be DMARC compliant, an email must show a correctly authenticated and correctly aligned SPF or DKIM result. Here are our results for the month of December 2020 (I purposely kept the previous 2 months for comparison):

| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
|---|---|---|---|---|
| October | 3,772 | 95.8% | 4.1% | 0.1% |
| November | 4,973 | 98.0% | 1.9% | 0.1% |
| December | 3,797 | 99.3% | 0.4% | 0.3% |

I deliberately kept the months of October and November for comparison. And here, I must say that we are close to perfection in December! 99.3% of e-mails are DMARC compliant, i.e. only 14 e-mails are reported as non-compliant and 12 e-mails are reported as "non-authenticated".

To improve our DMARC compliance rate again in the "very near future", we will have to correct the problems related to non-compliant and especially non-authenticated emails!

Authentication & SPF & DKIM alignment

Authentication & SPF alignment

In order for an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (that is, the MailFrom/Return-Path domain).

[Figure: Our SPF authentication rate over the last 3 months of 2020]

We are still above 97% in December. To be confirmed in 2021!

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical to the domain of the FROM (here the domain of the sending address).

[Figure: Our SPF alignment rate for the last 3 months of 2020]

Cool, we are better aligned in December than during the rest of the year! However, we can still do better on this side...

Authentication & DKIM alignment

For an email to be properly authenticated with DKIM, the email needs to have a valid DKIM signature (regardless of the domain used in the "d=" tag).

[Figure: Our DKIM authentication rate over the last 3 months of 2020]

No big loss in December: more than 99% of our e-mails reported via DMARC reports are signed with DKIM... Great!

As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to the domain of FROM (the domain of the sending address).

[Figure: Our DKIM alignment rate over the last 3 months of 2020]

We are improving on the DKIM alignment to pass the 99% mark... To be maintained in 2021!

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

[Figure: Our rate of emails not signed with DKIM over the last 3 months of 2020]

We have a slight increase in December, but we're still far from the 2020 average (0.9%). We're not going to be picky, and we will work to improve that 🙂
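How the compliant / non-compliant / not authenticated buckets can be derived from a DMARC aggregate (RUA) report, and what switching from relaxed to strict alignment changes. This is an added example, not Badsender's code or that of their monitoring tool. The sample report is constructed, the bucket definitions are an assumption (nothing passes = not authenticated; something passes but nothing aligns = non-compliant), and `org_domain` is a two-label simplification of the Public Suffix List lookup that relaxed alignment relies on.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, reduced sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>90</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>news.example.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.example.com</domain><result>pass</result></spf>
  </auth_results></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>7</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>vendor.test</domain><result>pass</result></dkim>
   <spf><domain>mail.vendor.test</domain><result>pass</result></spf>
  </auth_results></record>
 <record><row><source_ip>192.0.2.30</source_ip><count>3</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <spf><domain>host.test</domain><result>fail</result></spf>
  </auth_results></record>
</feedback>"""

def org_domain(domain):
    # Simplification (assumption): last two labels; real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:  # strict: exact match with the From domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def classify(record, strict):
    from_domain = record.findtext("identifiers/header_from")
    # Domains of every SPF/DKIM check that authenticated successfully.
    passes = [r.findtext("domain") for r in record.find("auth_results")
              if r.tag in ("spf", "dkim") and r.findtext("result") == "pass"]
    if not passes:
        return "not_authenticated"
    if any(aligned(d, from_domain, strict) for d in passes):
        return "compliant"
    return "non_compliant"

def summarize(xml_text, strict=False):
    totals = Counter()  # message volume per bucket, weighted by <count>
    for record in ET.fromstring(xml_text).iter("record"):
        totals[classify(record, strict)] += int(record.findtext("row/count"))
    return dict(totals)
```

With the constructed sample, the 90 messages authenticated only through subdomains are compliant under relaxed alignment and become non-compliant under strict, which is the kind of source to fix before tightening `adkim`/`aspf`.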

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (that is, the domain name associated with an IP) reported as "non-compliant" over the month of December 2020:

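| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Sellsy | *.sellsy.com | Software | 7 | 50% | Known | Make it compliant |
| Outlook | *.outlook.com | Webmail | 4 | 29% | To be studied | No action |
| OVH | *.ovh.net | Hosting | 3 | 21% | Unknown | No action |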

For Sellsy, the problem is on the SPF (mail.sellsy.com) & DKIM (sellsy.com) alignments. Some of the Outlook sources will have to be made compliant, the others will not require any action (as for OVH).

And the list of "Sender rDNS" reported as "unauthenticated":

| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Dreamhost | *.dreamhostps.com | Hosting | 11 | 92% | Known | Make it compliant |
| ? | *.jino.ru | ? | 1 | 8% | Unknown | No action |

Dreamhost is in the process of being made compliant, so this line should disappear in January! On the other hand, the Russian domain is totally unknown to us... so we won't take any compliance action on it!

SPF & DKIM error trends

For each "Sender rDNS", we can see which problems were encountered and will have to be corrected.

Below are the trends reported on SPF & DKIM errors for the month of December 2020:

The trend of the most frequent SPF errors

[Figure: Trend of SPF failures for the month of December 2020]

And the trend of the most frequent DKIM errors

[Figure: Trend of DKIM failures for the month of December 2020]

On the SPF error side, alignment problems are still in the majority (more than 6 out of 10 emails are not SPF aligned).

On the other hand, for DKIM, more than 5 out of 10 emails show an authentication problem... To be corrected as soon as possible, especially if the failed emails must be compliant.

Our roadmap for January 2021!

After a review of the various "non-compliant" and "non-authenticated" feedback with Jonathan, we defined the following roadmap:

"Non-authenticated" sources

  • Dreamhost (email from WordPress): Add SMTP relay (done)
  • SharpSpring: Open a support ticket (done)

"Non-compliant" sources

  • Sendgrid: Add SMTP relay (done)
  • SharpSpring: Open a support ticket (done)
  • Sellsy (electronic signature of contracts): Migrate email flows to Office 365 (to do)

For all other sources, no action will be needed for the moment. Some will have to be studied (to see if we have to make them compliant), and for the others... we don't care, since they are of no interest to us.

Conclusion for this DMARC monitoring.

Following the monitoring of October & November, we have not been idle... We have made several sources "compliant" with DMARC, but we are not going to stop there: we have to take care of a big project called "Sellsy", which will take a little time... More in the next issue! And if you too have the ambition to make your email flows DMARC compliant but don't know where to start or what solution(s) to use... we're here to help you 🙂


4 Responses

  1. Hello,
    What do you use to analyze the dmarc reports you receive?
    Thank you.

  2. Hello, I work at Sellsy. Can we call each other to make a point?

  3. Hello Clément,
    Currently, we use the DMARC module of the 250ok/Validity monitoring solution.
    Kind regards,
    Sebastien.

  4. Hello Alain,
    Thanks for your message, I'm talking to Jonathan about it and we'll get back to you soon to discuss the subject 🙂
    Kind regards,
    Sebastien.
