We will again talk about DMARC and our monthly monitoring.
In this article (which you will find every month), we will share with you the DMARC monitoring we do on our domain Badsender.com.
Today, our security policy is "quarantine", which means that any email with failed SPF & DKIM authentication will be delivered as junk mail to ISPs/Webmails capable of interpreting DMARC.
We have two goals for 2021:
- Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
- Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!
We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.
Let's get to the heart of the matter... Hang on ????
December 2020 compliance rate
To be DMARC compliant, the email must return a correctly authenticated and correctly aligned SPF or DKIM record. Here are our results for the month of December 2020 (I purposely kept the previous 2 months for comparison) :
I voluntarily kept the months of October and November for comparison. And here, I must say that we are close to perfection in December! 99.3% of e-mails are DMARC compliant, i.e. only 14 e-mails are reported as non-compliant and 12 e-mails are reported as "non-authenticated".
To improve our DMARC compliance rate again in the "very near future", we will have to correct the problems related to non-compliant and especially non-authenticated emails!
Authentication & SPF & DKIM alignment
Authentication & SPF alignment
In order for an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain).
We are still above 97% in December. To be confirmed in 2021!
And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical to the domain of the FROM (here the domain of the sending address).
Cool, we line up better in December than the rest of the year! However, we can still do better on this side...
Authentication & DKIM alignment
For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).
No big loss in December, more than 99% of our e-mails sent via DMARC reports are signed with DKIM... Top!
As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to the domain of FROM (the domain of the sending address).
We are improving on the DKIM alignment to pass the 99% mark... To be maintained in 2021!
The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.
We have a slight increase in December but we are still far from the average of 2020 (0.9%), we will not be difficult and work to improve that :)
Distribution of non-compliant & non-authenticated emails
Here is the list of "Sender rDNS" (understand here the domain name that is associated with an IP) brought up as "non-compliant" over the month of December 2020:
|Sellsy||*.sellsy.com||Software||7||50%||Known||Make it compliant|
|Outlook||*.outlook.com||Webmail||4||29%||To be studied||No action|
For Sellsy, the problem is on the SPF (mail.sellsy.com) & DKIM (sellsy.com) alignments. Some of the Outlook sources will have to be made compliant, the others will not require any action (as for OVH).
And the list of "Sender rDNS" reported as "unauthenticated":
|Dreamhost||*.dreamhostps.com||Hosting||11||92%||Known||Make it compliant|
Dreamhost is in the process of compliance, this line should disappear in January! On the other hand, the Russian domain is totally unknown to us... so we won't do any compliance action on it!
SPF & DKIM error trends
We have the possibility to know on each "Sender rDNS" what are the problems we have encountered and that will be corrected.
Below are the trends reported on SPF & DKIM errors for the month of December 2020:
The trend of the most frequent SPF errors
And the trend of the most frequent DKIM errors
On the SPF error side, alignment problems are still in the majority (more than 6 out of 10 emails are not SPF aligned).
On the other hand, for DKIM, more than 5 out of 10 emails show an authentication problem... To be corrected as soon as possible, especially if the failed emails must be compliant.
Our roadmap for January 2021!
After a review of the various "non-compliant" and "non-authenticated" feedbacks with Jonathan, we defined the following roadmap:
- Dreamhost (email from WordPress) : Add SMTP relay (done)
- SharpSpring: Open a support ticket (done)
- Sendgrid: Add SMTP relay (done)
- Sharpspring : Open a support ticket (done)
- Sellsy (electronic signature of contracts): Migrate email flows to Office 365 (to do)
For all other sources, no action will be needed for the moment. Some will have to be studied (to see if we have to make them compliant) and for the others... Osef since we have no interest behind ????
Conclusion for this DMARC monitoring.
Following the monitoring of October & November, we have not been idle... We have made several sources "compliant" with DMARC but we are not going to stop there, we have to take care of a big project called "Sellsy" which will take a little time... More in the next issue! And if you too have the ambition to make your email flows DMARC compliant but don't know where to start, what solution(s) to use... We're here to help you J
Feel free to share, like, comment... In short, make some noise !!!!!
Badsender, emailing expertise agitator! Badsender is a team of craftsmen specializing in the various disciplines surrounding email marketing! Our emailing agency intervenes on questions of strategy, design, d'orchestration and deliverability. We offer this expertise in the form of coaching, d'audits or intervention as an outsourced production force.
- DMARC Monitoring Badsender.com October vs. November 2020
- Our White Paper on DMARC deployment
- All about SPF in 3 articles:
- All about DKIM (1 article only):
- Almost everything you need to know about ARC (1 article so far):
What do you use to analyze the dmarc reports you receive?
Hello, I work at Sellsy. Can we call each other to make a point?
Currently, we use the DMARC module of the 250ok/Validity monitoring solution.
Thanks for your message, I'm talking about it with Jonathan and we'll come back to you soon to discuss the subject :)