Close this search box.

Monitoring DMARC - October 2021

Like every month now, I share with you our data DMARC for the month of October 2021!

To summarize: Today, following our email migration, we have changed our DMARC security policy from "quarantine" to "none" to be sure that no email flow is impacted. Afterwards, we will go back to the "quarantine" level to protect our domain name.

We have, in time, three two objectives for 2021:

  1. Change our security policy to "reject": we would then ask any organization interpreting DMARC to reject emails with poor SPF & DKIM authentication/alignment.
  2. Legitimize all our email flows (and yes, we use several distinct tools for each type of sending - understand, we don't have all our eggs in the same basket :p).
  3. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into!

This 3rd point is too complicated to set up (cf. point n°2), we will remain in "relaxed" since all our legitimate flows will be branded with a sub-domain of And if one day things change... We will study a passage towards a strict alignment!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Enjoy your reading 🙂

October 2021 compliance rate

To be DMARC compliant, the email must return a properly authenticated and properly aligned (soft or hard) SPF or DKIM record.

Here are our results since the beginning of the year 2021:

Badsender.comVolumesCompliantNon-CompliantNot Authenticated
October 20214 92999,8%0,1%0,1%
September 20214 91299,8%0,2%0,0%
August 20211 71199,8%0,1%0,1%
July 20212 12482,6%5,6%11,8%
June 20214 71799,6%0,2%0,2%
May 20213 90099,7%0,1%0,2%
April 20214 21499,4%0,1%0,5%
March 20213 54999,1%0,9%0,0%
February 20215 22199,8%0,2%0,0%
January 20214 84398,0%1,9%0,1%
Compliance rate for our domain in 2021

Following on from September, the compliance rate for the month of October reached 99.8%. Only 7 e-mails were found to be non-compliant and 7 e-mails were not authenticated.

Authentication & SPF & DKIM alignment

For an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain - visible in the SMTP header of an email).

Our SPF authentication rate for the year 2021

After a very good result in September, we do it again in October with an SPF authentication rate of 98.5%!

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical or from a sub-domain of the FROM domain (cf. domain of the sending address).

Our SPF alignment rate for the year 2021

Our SPF alignment rate for October is down significantly. We've identified the cause - a Mailjet feed with an uncustomized MailFrom - and we'll fix it asap.

For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).

Our DKIM authentication rate for the year 2021

CLEAR. The month of October shows a very good DKIM authentication rate, we are at 99.5%!

As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to or come from the sub-domain of the FROM domain (cf. domain of the sending address).

Our DKIM alignment rate for the year 2021

CLEAR. The DKIM alignment rate for the month of October remains very good, with a rate of 98%!

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

Our unsigned email rate with DKIM for the year 2021

CLEAR. The rate of unsigned emails with DKIM remains very low and we won't complain about it!

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (understand here the domain name that is associated with an IP) brought up as "non-compliant" over the month of October 2021:

OrganizationSender rDNSCategoryVolumesPercentageSourceAction
Sharpspring*.marketingautomation.servicesESP342%KnownTo be studied
Microsoft*.outlook.comWebmail229%UnknownNo action
OVH*.ovh.netHosting229%UnknownNo action
October 2021 Non-Compliant Flows

Only the Sharpspring stream needs to be studied to see if it needs to be brought into compliance! For the rest, osef!

And the list of "Sender rDNS" reported as "unauthenticated":

OrganizationSender rDNSCategoryVolumesPercentageSourceAction
Microsoft*.outlook.comWebmail686%KnownNo action
?* action
Unauthenticated flows from October 2021

For the "non-authenticated" flows, the "Outlook" flow is a residual from our old email system so there is no need to make these flows compliant.

SPF & DKIM error trends

We have the possibility to know on each "Sender rDNS" what are the problems we have encountered and that will be corrected.

Below are the reported trends on SPF & DKIM errors for the month of October 2021:

Trend of the most frequent SPF errors

SPF failure trend for the month of October 2021

For the month of October, 1,068 emails report an SPF alignment problem, 52 emails report SPF failure, 5 emails report no SPF record and 5 emails report a temporary error with SPF.

Trend of the most frequent DKIM errors

DKIM failure trend for the month of October 2021

On the DKIM error side for the month of October, 75 emails reported a DKIM alignment problem, 18 emails reported a DKIM authentication problem, 12 emails reported a temporary DKIM problem, 6 emails reported a permanent error and 3 emails reported no DKIM record.

Our roadmap for the end of the year!

As we have finally completed our email migration from Outlook to Infomaniak, I will be able to concentrate on our compliance DMARC over the end of the year, which leads to the following objectives:

  1. Check with Jonathan to see if the Sharpspring feed that came up as "non-compliant" needs to be brought into compliance.
  2. Correct flows that must be DMARC compliant: those with SPF non-compliant or DKIM non-compliant.
  3. Upgrade our DMARC security policy from "none" to "quarantine" by the end of the year.


The month of September was rather good, this month of October does not bring back very bad surprises. Only the flow via Mailjet needs to be optimized to significantly improve our SPF alignment rate.

Our other content related to DMARC (from near or far) :

The author

Laisser un commentaire

Your email address will not be published. Les champs obligatoires sont indiqués avec *