
Monito 2021 #03 | Monitoring DMARC Badsender.com - February 2021

05/03/2021

As at the beginning of every month now, this article shares our DMARC compliance results, this time for February 2021!

To summarize: today, our security policy is at "quarantine", which means that any email failing SPF & DKIM authentication will be delivered as junk mail by any organization (ISPs, webmails, companies, ...) able to interpret and apply the DMARC security rule.

Ultimately, we have two goals for 2021:

  1. Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
  2. Legitimize all our email flows (and yes, we use several distinct tools for each type of sending; in other words, we don't put all our eggs in the same basket :p).

A third point, applying a "strict" SPF & DKIM alignment instead of a "relaxed" one (plugging EVERYTHING into Badsender.com), is too complicated to set up (cf. point n°2): we will remain in "relaxed", since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... we will study a move to strict alignment!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Enjoy your reading 🙂

February 2021 compliance rate

To be DMARC compliant, an email must return an SPF or DKIM result that is both properly authenticated and properly aligned (relaxed or strict).

Here are our results for the month of February 2021 (I am voluntarily keeping the history since the first DMARC monitoring was published to compare the evolution of the data):

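| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
|---|---|---|---|---|
| February 2021 | 5 221 | 99,8% | 0,2% | 0,0% |
| January 2021 | 4 843 | 98,0% | 1,9% | 0,1% |
| December 2020 | 3 797 | 99,3% | 0,4% | 0,3% |
| November 2020 | 4 973 | 98,0% | 1,9% | 0,1% |
| October 2020 | 3 772 | 95,8% | 4,1% | 0,1% |
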
Our DMARC compliance rate since October 2020! Who says better 🙂

Almost perfect! This February was pretty quiet: we've never had such a high DMARC compliance rate! No Russian bad guys on the agenda this month 🙂

Our flows via Sellsy are now all DMARC compliant. A last-minute project has to be managed: the change of host. And yes, we are migrating to a "green" host for several weeks (Jonathan should tell you everything in the coming weeks, so I won't tease any more :p).

This change of host caused us to temporarily postpone the upgrade of our DMARC security policy from "quarantine" to "reject", but it's only temporary 🙂

Authentication & SPF & DKIM alignment

For an email to be properly authenticated with SPF, the sending IP must be declared in the SPF record of the email envelope domain (that is, the MailFrom/Return-Path domain, visible in the SMTP header of an email).

Our SPF authentication rate between October 2020 and February 2021

Following the migration of the domain name to the new host, we had a small glitch with the SPF record, which made SPF fail systematically, hence this slightly low rate (which shouldn't be). We fixed the problem; rates will be even better in March 🙂

And for an email to be correctly aligned with SPF, the email envelope domain (here the MailFrom/Return-Path) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).

Our SPF alignment rate between October 2020 and February 2021

Same problem as SPF authentication rate... If authentication fails, so does alignment 😉

For an email to be properly authenticated with DKIM, it needs a valid DKIM signature (regardless of the domain used in the "d=" tag).

Our DKIM authentication rate between October 2020 and February 2021

The DKIM authentication rate remains strong, at 99.8% in February!

As far as DKIM alignment is concerned, for an email to be correctly aligned, the domain declared in the DKIM signature (the "d=" tag) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).

Our DKIM alignment rate between October 2020 and February 2021

DKIM alignment is clear: we are close to perfection in February, with an indecent rate of 99.8%!

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

Our rate of unsigned emails with DKIM between October 2020 and February 2021

For the record, we had no non-authentication reports this February, which is a big first for us! Champagne, Jonathan? 🙂
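The classification used throughout this report (compliant, non-compliant, not authenticated), as an added example that is not Badsender's own tooling: it reads a constructed aggregate report and applies the alignment rule as stated above, in relaxed and strict mode. The sample domains, IPs and counts are placeholders, and treating "not authenticated" as "neither SPF nor DKIM passed" is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout, trimmed to the
# fields used below. Domains, IPs and counts are placeholders, not real data.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>news.example.com</domain><result>pass</result></dkim>
 <spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.20</source_ip><count>5</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
 <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
 <spf><domain>forwarder.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.9</source_ip><count>2</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, from_domain, strict=False):
    """The article's rule: identical to FROM, or (relaxed only) a sub-domain of it.
    RFC 7489 relaxed mode compares organizational domains, which needs the PSL."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (not strict and a.endswith("." + f))

def classify(record, strict=False):
    """Return 'compliant', 'non-compliant' or 'not authenticated' for one record."""
    from_domain = record.findtext("identifiers/header_from")
    # Domains whose SPF or DKIM check passed (authentication, before alignment).
    passed = [r.findtext("domain") for r in record.find("auth_results")
              if r.findtext("result") == "pass"]
    if any(aligned(d, from_domain, strict) for d in passed):
        return "compliant"
    # Assumption: "not authenticated" means neither SPF nor DKIM passed at all.
    return "non-compliant" if passed else "not authenticated"

def compliance(xml_text, strict=False):
    """Sum message counts per category over every record of the report."""
    totals = Counter()
    for record in ET.fromstring(xml_text).iter("record"):
        totals[classify(record, strict)] += int(record.findtext("row/count"))
    return totals

if __name__ == "__main__":
    print("relaxed:", dict(compliance(SAMPLE_REPORT)))
    print("strict: ", dict(compliance(SAMPLE_REPORT, strict=True)))
```

The 198.51.100.7 record models a forwarded email: SPF passes for the forwarder's domain but is not aligned, so it lands in non-compliant. Aggregate reports come from third parties, so production code should parse them as untrusted XML (for example with defusedxml).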

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (that is, the domain name associated with an IP) reported as "non-compliant" during February 2021:

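| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Outlook | *.outlook.com | Webmail | 6 | 55% | Known | No action |
| Google | *.google.com | Webmail | 3 | 27% | Known | No action |
| OVH | *.ovh.net | Host | 2 | 18% | Known | No action |
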
Emails reported as DMARC non-compliant in February 2021

Only three entries come up: Outlook, Google & OVH.

No compliance action will be required, since these flows are due to email forwarding.

And the list of "Sender rDNS" reported as "unauthenticated":

| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|

No unauthenticated emails reported to DMARC in February 2021

Clear and good 🙂

SPF & DKIM error trends

For each "Sender rDNS", we can see which problems were encountered and will be corrected.

Below are the reported trends on SPF & DKIM errors for the month of February 2021:

Trend of the most frequent SPF errors

SPF failure trend for the month of February 2021

On the SPF error side, 171 emails were reported with an SPF alignment problem, 153 with a problem with SPF, 86 with an SPF authentication problem and only 6 with no SPF record! It'll get better in March, no worries there 🙂

Trend of the most frequent DKIM errors

DKIM failure trend for the month of February 2021

For DKIM, 17 out of 19 emails reported a DKIM authentication problem (which is still low) and therefore 2 out of 19 reported a DKIM alignment problem.

Our roadmap for March 2021!

During the February 11 meeting with Jonathan, we concluded that the migration of our entire infrastructure took priority over the evolution of our DMARC security policy, so we will wait a few more months before tackling this project:

"Non-authenticated" sources

CLEAR.

"Non-compliant" sources

Not all reported sources need to be made DMARC compliant

Conclusion

All in all, this February was quite good, except for the little problem with SPF. The roadmap has finally been completed and is on standby until the end of the migration. See you at the beginning of April to see whether there was a little more noise on our domain "badsender.com".

—–

If you too have the ambition to make your email flows DMARC compliant but you don't know where to start, which solution(s) to use... We are here to help you 🙂


—–

Content related to DMARC in any way:

DMARC monitoring from January 2021

DMARC monitoring in December 2020

DMARC Monitoring October vs. November 2020

Tech 2021 #01 | What if you deploy DMARC in 2021 on your domain name?

Our White Paper on DMARC deployment

- All about SPF in 3 articles:
  - What is SPF? Configuration, verification and monitoring
  - 10 Tips to implement in your SPF configuration
  - How about passing your SPF record to the -all qualifier?
- All about DKIM (1 article only):
  - What is DKIM? Configuration, verification and monitoring
- Almost everything you need to know about ARC (1 article so far):
  - What is ARC? Definition, operation and verification

- - - - -

Photo by Randy Tarampi on Unsplash
