DMARC Monitoring Badsender.com - October vs. November 2020

We are going to talk about DMARC and more specifically about the data to be monitored. By the way, did you know that we published a white paper on DMARC deployment?

In this article (which you will find every month), we will share with you the DMARC monitoring that we do on our domain Badsender.com

Today, our security policy is "quarantine", which means that any email with failed SPF & DKIM authentication will be delivered as junk mail to ISPs/Webmails capable of interpreting DMARC.

We have two goals for 2021:

  1. Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
  2. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!

We are aware that it will take time and energy but it is not impossible! And then, if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Hang on We're going to compare the monitoring between October and November 2020.

October / November 2020 compliance rate: DMARC monitoring comparison.

To be DMARC compliant, the email must return a properly authenticated and correctly aligned SPF or DKIM record.

Badsender.comVolumesCompliantNon-CompliantNot Authenticated
October3 77295,8%4,1%0,1%
November4 97398,0%1,9%0,1%
Here are our DMARC monitoring comparison results for the months of October and November 2020

These October & November compliance rates are pretty good, with our 2020 average at 94.8%.

In order to improve our compliance rate in the "very near future", we will have to correct the problems related to non-compliant and especially non-authenticated emails!

Authentication & SPF & DKIM alignment

Authentication & SPF alignment

In order for an email to be properly authenticated with SPF, the IP that is used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain).

Our SPF authentication rate for the months of October and November

Our average between January and September is 95.6%... We're making progress, we're making progress 

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical to the domain of the FROM (here the domain of the sending address).

Our SPF alignment rate for the months of October and November 2020.

Our average between January and September is 86.6%... We are also progressing on this side even if this rate can still be improved!

Authentication & DKIM alignment

For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).

Our DKIM authentication rate for the months of October and November 2020

By way of comparison, our average between January and September is 98.2%... We're approaching perfection! 

Need help?

Reading content isn't everything. The best way is to talk to us.


As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to the domain of FROM (the domain of the sending address).

dmarc monitoring comparison
Our DKIM alignment rate for October and November 2020

For comparison, our average DKIM alignment rate between January and September is 92.8%... Better and better!

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

dmarc monitoring comparison
Our rate of unsigned emails with DKIM over the months of October and November 2020

Between January and September, our average unsigned DKIM email is 0.9%. Less than 1% of unsigned DKIM emails is pretty cool!

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS "(understand here the domain name that is associated with an IP) reported as "non-compliant" over the month of October and November 2020:

We can see that some sources will be studied to see if we have to make them DMARC compliant (or not). On the other hand, some sources are totally unknown to us... Simple e-mail transfer or spam ??? The future will tell us!

And the list of "Sender rDNS" reported as "unauthenticated":

Here, we are lucky and have only two upwelling sources that we will have to make conform! Easy in principle...

SPF & DKIM error trends

We have the possibility to know on each "Sender rDNS" what are the problems we have encountered and that will be corrected. Here are the trends on SPF & DKIM errors for the months of October and November 2020:

The trend of the most frequent SPF errors

Trend of SPF failures for the months of October and November

And the trend of the most frequent DKIM errors

Trend of DKIM failures for the months of October and November

Finally, we notice that the problems come mainly from SPF & DKIM alignments since more than 7 emails out of 10 report a domain alignment problem with SPF & DKIM.

Our roadmap for December 2020

After a review of the various "non-compliant" and "non-authenticated" feedbacks with Jonathan, we defined the following roadmap:

  1. Non-authenticated" sources
    • Dreamhost (e-mail from WordPress) : Add SMTP relay (to do)
    • SharpSpring: Open a support ticket (to do)
  2. Non-compliant" sources
    • Sendgrid: Add SMTP relay (done)
    • Sharpspring : Open a support ticket (to do)
    • Sellsy (electronic signature of contracts) : Migrate e-mail flows to Office 365 (to do)

For all other sources, no action is required for the moment. Some will have to be studied (to see if we need to make them compliant) and for the others... Osef since we have no interest behind it. 

Conclusion of this monitoring comparison.

I don't hide the fact that it is a daily gymnastics and that it will take time to make the flows compliant and to reach our 2021 objectives!

If you too have the ambition to make your e-mail flows DMARC-compliant, but don't know where to start, or which solution(s) to use... We're here to help you!  Feel free to share, like, comment... In short, make some noise !!!!!

DMARC-related content:

Support the "Email Expiration Date" initiative

Brevo and Cofidis financially support the project. Join the movement and together, let's make the email industry take responsibility for the climate emergency.

Share
The author

Laisser un commentaire

Your email address will not be published. Les champs obligatoires sont indiqués avec *