
Monitoring DMARC Badsender.com - September 2021

As I do every month now, I am sharing with you our DMARC monitoring data for the month of September 2021!

To summarize: Today, following our email migration, we have changed our DMARC security policy from "quarantine" to "none" to be sure that no email flow is impacted. Afterwards, we will switch back to the "quarantine" level to protect our domain name.

Ultimately, we have two goals for 2021:

  1. Change our security policy to "reject": we would then ask any organization interpreting DMARC to reject emails with bad SPF & DKIM authentication.
  2. Legitimize all our email flows (and yes, we use several distinct tools for each type of sending - understand, we don't have all our eggs in the same basket :p).
  3. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!

This 3rd point is too complicated to set up (cf. point n°2), so we will remain in "relaxed", since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... we will look at moving to strict alignment!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Enjoy your reading 🙂

September 2021 compliance rate

To be DMARC compliant, an email must pass SPF or DKIM authentication, and the passing mechanism must also be properly aligned (relaxed or strict).

Here are our results since the beginning of the year 2021 and in particular for the month of September where the e-mail activity has picked up:

| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
|---|---|---|---|---|
| September 2021 | 4 912 | 99,8% | 0,2% | 0,0% |
| August 2021 | 1 711 | 99,8% | 0,1% | 0,1% |
| July 2021 | 2 124 | 82,6% | 5,6% | 11,8% |
| June 2021 | 4 717 | 99,6% | 0,2% | 0,2% |
| May 2021 | 3 900 | 99,7% | 0,1% | 0,2% |
| April 2021 | 4 214 | 99,4% | 0,1% | 0,5% |
| March 2021 | 3 549 | 99,1% | 0,9% | 0,0% |
| February 2021 | 5 221 | 99,8% | 0,2% | 0,0% |
| January 2021 | 4 843 | 98,0% | 1,9% | 0,1% |

Our compliance rate for the year 2021

With the highest volume since 2021, the DMARC compliance rate in September remains very good, very close to 100%. Only 11 emails were non-compliant and/or not authenticated under DMARC in September!

Authentication & SPF & DKIM alignment

For an email to be properly authenticated with SPF, the sending IP must be declared in the SPF record of the email envelope domain (that is, the MailFrom/Return-path domain, visible in the SMTP header of an email).

SPF authentication rate for badsender.com in 2021

What to say about this month of September except that we have one of the best rates of the year, with more than 97% of emails having a valid SPF authentication ^^

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).

SPF alignment rate for badsender.com in 2021

Our SPF alignment rate for September is still quite good, with a rate of almost 93% but it can still be improved. We will have to study the sources reporting an SPF alignment problem and correct them if possible.

For an email to be properly authenticated with DKIM, it must carry a valid DKIM signature (regardless of the domain used in the "d=" tag).

DKIM authentication rate for badsender.com in 2021

Nothing to report. What can we say here except that we are close to 100% DKIM authentication for this month of September!

As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=" tag) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).

DKIM alignment rate for badsender.com in 2021

Concerning the DKIM alignment rate for September, it is not bad, with a rate of 97.3%. Like the previous rates, it can be improved but we are far from the score of July.

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

Unsigned email rate with DKIM for badsender.com in 2021

Nothing to report for the rate of emails not signed with DKIM. It is the rate we have almost always had since the beginning of the year!
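The rates discussed in this section can be recomputed from a DMARC aggregate report. The following is an added example, not Badsender's tooling: it reads a constructed report in the RFC 7489 XML layout (example.* domains) and applies alignment as described above, identical or a sub-domain of the FROM domain; a complete implementation compares organizational domains using the Public Suffix List. The names aligned and summarize are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real data); real reports also carry source_ip and policy_evaluated.
REPORT = """<feedback>
<record><row><count>8</count></row><identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><count>3</count></row><identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>mail.example.com</domain><result>pass</result></dkim>
  <spf><domain>esp.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><count>1</count></row><identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>unrelated.example.org</domain><result>fail</result></spf>
 </auth_results></record>
</feedback>"""

def aligned(auth_domain, from_domain, strict=False):
    """Strict: identical domains. Relaxed (simplified): identical or a sub-domain of From."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (not strict and a.endswith("." + f))

def summarize(xml_text, strict=False):
    """Return message counts per category; divide by 'total' to get the rates."""
    keys = ("total", "spf_auth", "spf_aligned", "dkim_auth", "dkim_aligned", "unsigned", "compliant")
    t = dict.fromkeys(keys, 0)
    for rec in ET.fromstring(xml_text).iter("record"):
        n = int(rec.findtext("row/count"))
        frm = rec.findtext("identifiers/header_from")
        results = {m: [(e.findtext("domain"), e.findtext("result"))
                       for e in rec.iterfind(f"auth_results/{m}")] for m in ("spf", "dkim")}
        passed = {m: [d for d, r in results[m] if r == "pass"] for m in results}
        # A mechanism counts toward DMARC only if it passed AND its domain is aligned.
        ok = {m: any(aligned(d, frm, strict) for d in passed[m]) for m in passed}
        t["total"] += n
        for m in ("spf", "dkim"):
            t[m + "_auth"] += n * bool(passed[m])
            t[m + "_aligned"] += n * ok[m]
        t["unsigned"] += n * (not results["dkim"])       # no DKIM signature at all
        t["compliant"] += n * (ok["spf"] or ok["dkim"])  # DMARC needs only one of the two
    return t

if __name__ == "__main__":
    print("relaxed:", summarize(REPORT))
    print("strict: ", summarize(REPORT, strict=True))
```

On this sample, strict alignment drops the compliant count because flows authenticated with a sub-domain no longer align, which is the cost of moving from relaxed to strict.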

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (that is, the domain name associated with an IP) reported as "non-compliant" over the month of September 2021:

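| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Microsoft | *.outlook.com | Webmail | 4 | 44% | Unknown | No action |
| OVH | *.ovh.net | Hosting | 3 | 33% | Unknown | No action |
| Google | *.google.com | Webmail | 2 | 22% | Unknown | No action |

"Non-compliant" sources in September 2021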

Not much to say for this month of September: only 9 non-compliant emails, and no compliance work required.

And the list of "Sender rDNS" reported as "unauthenticated":

| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| ? | *.nspu.ru | ? | 1 | 50% | Unknown | No action |
| Microsoft | *.outlook.com | Webmail | 1 | 50% | Unknown | No action |

"Non-authenticated" sources in September 2021

The same goes for the "non-authenticated" flows, only 2 reports for the month of September and no action to be taken.

SPF & DKIM error trends

For each "Sender rDNS", we can see which problems we have encountered and that will be corrected.

Below are the reported trends on SPF & DKIM errors for the month of September 2021:

Trend of the most frequent SPF errors

SPF failure trend for the month of September 2021

For the month of September, 242 emails report an SPF alignment problem, 68 emails report SPF failure, 9 emails report no SPF record and 2 emails report a temporary error with SPF.

Trend of the most frequent DKIM errors

DKIM failure trend for the month of September 2021

On the DKIM error side for the month of September, 106 emails report a DKIM alignment problem, 25 emails report a DKIM authentication problem, 16 emails report a temporary DKIM problem, 2 emails report no DKIM record and 1 email with a permanent error.

Our roadmap for the end of the year!

As we have finally migrated our Outlook mail service to Infomaniak (there are still some small adjustments to be made), I will be able to concentrate on our DMARC compliance through the end of the year, which leads to the following objectives:

  1. Correct flows that must be DMARC compliant: those with SPF non-compliant or DKIM non-compliant.
  2. Upgrade our DMARC security policy to "quarantine" and then "reject" before the end of the year.

Conclusion

As you can see from the September figures, we had no bad surprises from our infrastructure migration, nor from malicious third parties (which is always reassuring :p). We will now be able to analyze the email flows that still have an SPF or DKIM defect, to get everything completely squared away. It's a work in progress that will take time 🙂
