We are going to talk about DMARC and more specifically about the data to be monitored. By the way, did you know that we published a white paper on DMARC deployment?
In this article (a series you will find every month), we share the DMARC monitoring that we do on our domain Badsender.com.
Today, our security policy is "quarantine", which means that any email with failed SPF & DKIM authentication will be delivered to the junk folder by ISPs/Webmails capable of interpreting DMARC.
We have two goals for 2021:
- Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
- Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!
We are aware that it will take time and energy but it is not impossible! And then, if it allows us to reduce the risks of using our domain name, it's worth it.
Let's get to the heart of the matter... Hang on! We're going to compare the monitoring between October and November 2020.
October / November 2020 compliance rate: DMARC monitoring comparison.
To be DMARC compliant, an email must pass SPF or DKIM with a result that is both properly authenticated and correctly aligned.

| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
|---|---|---|---|---|
| October | 3 772 | 95.8% | 4.1% | 0.1% |
| November | 4 973 | 98.0% | 1.9% | 0.1% |
These October & November compliance rates are pretty good, with our 2020 average at 94.8%.
In order to improve our compliance rate in the "very near future", we will have to correct the problems related to non-compliant and especially non-authenticated emails!
Authentication & SPF & DKIM alignment
Authentication & SPF alignment
In order for an email to be properly authenticated with SPF, the IP that is used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain).
Our average between January and September is 95.6%... We're making progress!
And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical to the domain of the FROM (here the domain of the sending address).
Our average between January and September is 86.6%... We are also progressing on this side even if this rate can still be improved!
Authentication & DKIM alignment
For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).
By way of comparison, our average between January and September is 98.2%... We're approaching perfection!
As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to the domain of FROM (the domain of the sending address).
For comparison, our average DKIM alignment rate between January and September is 92.8%... Better and better!
The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.
Between January and September, our average rate of emails without a DKIM signature is 0.9%. Less than 1% of unsigned emails is pretty cool!
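Added example (not Badsender's own tooling): the compliance rule and the SPF/DKIM alignment checks described above, computed from a DMARC aggregate report, with a `strict` switch to preview the move from relaxed to strict alignment. The sample report, its domains and the three category names are constructed, and "not authenticated" is assumed to mean that neither SPF nor DKIM passed.

```python
import xml.etree.ElementTree as ET  # reports are third-party input: use a hardened parser (e.g. defusedxml) in production
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; all domains and IPs are placeholders.
SAMPLE = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>90</count></row>
 <identifiers><header_from>example.com</header_from></identifiers><auth_results>
 <dkim><domain>example.com</domain><result>pass</result></dkim><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.20</source_ip><count>6</count></row>
 <identifiers><header_from>example.com</header_from></identifiers><auth_results>
 <dkim><domain>mail.example.com</domain><result>pass</result></dkim><spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count></row>
 <identifiers><header_from>example.com</header_from></identifiers><auth_results>
 <dkim><domain>esp.example.net</domain><result>pass</result></dkim><spf><domain>esp.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>1</count></row>
 <identifiers><header_from>example.com</header_from></identifiers><auth_results>
 <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def org_domain(domain):
    # Simplification (assumption): last two labels. Real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:  # strict: MailFrom / d= domain identical to the From domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def classify(record, strict):
    from_domain = record.findtext("identifiers/header_from", "")
    # Domains of every SPF/DKIM result that passed (a record may carry several DKIM signatures).
    passed = [r.findtext("domain", "") for r in record.iterfind("auth_results/*")
              if r.tag in ("spf", "dkim") and r.findtext("result") == "pass"]
    if not passed:
        return "not_authenticated"
    if any(aligned(d, from_domain, strict) for d in passed):
        return "compliant"
    return "non_compliant"

def compliance(xml_text, strict=False):
    totals = Counter()
    for record in ET.fromstring(xml_text).iter("record"):
        totals[classify(record, strict)] += int(record.findtext("row/count", "0"))
    volume = sum(totals.values()) or 1
    return {k: round(100 * v / volume, 1) for k, v in totals.items()}

if __name__ == "__main__":
    print("relaxed:", compliance(SAMPLE))
    print("strict: ", compliance(SAMPLE, strict=True))
```

The difference between the two results is the share of mail that passes today only through a subdomain match and would have to be fixed before switching to strict alignment.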
Distribution of non-compliant & non-authenticated emails
Here is the list of "Sender rDNS" (that is, the domain name associated with an IP) reported as "non-compliant" over the months of October and November 2020:
We can see that some sources will be studied to see if we have to make them DMARC compliant (or not). On the other hand, some sources are totally unknown to us... Simple e-mail forwarding or spam? The future will tell us!
And the list of "Sender rDNS" reported as "unauthenticated":
Here, we are lucky and have only two reported sources that we will have to bring into compliance! Easy in principle...
SPF & DKIM error trends
For each "Sender rDNS", we can see which problems were encountered and will need to be corrected. Here are the trends on SPF & DKIM errors for the months of October and November 2020:
The trend of the most frequent SPF errors
And the trend of the most frequent DKIM errors
Finally, we notice that the problems come mainly from SPF & DKIM alignments since more than 7 emails out of 10 report a domain alignment problem with SPF & DKIM.
Our roadmap for December 2020
After a review of the various "non-compliant" and "non-authenticated" reports with Jonathan, we defined the following roadmap:
- "Non-authenticated" sources
  - Dreamhost (e-mail from WordPress): Add SMTP relay (to do)
  - SharpSpring: Open a support ticket (to do)
- "Non-compliant" sources
  - SendGrid: Add SMTP relay (done)
  - SharpSpring: Open a support ticket (to do)
  - Sellsy (electronic signature of contracts): Migrate e-mail flows to Office 365 (to do)
For all other sources, no action is required for the moment. Some will have to be studied (to see if we need to make them compliant) and for the others... we don't care, since we have no interest in them.
Conclusion of this monitoring comparison.
I won't hide the fact that this is a daily exercise and that it will take time to make the flows compliant and to reach our 2021 objectives!
If you too have the ambition to make your e-mail flows DMARC-compliant, but don't know where to start, or which solution(s) to use... We're here to help you! Feel free to share, like, comment... In short, make some noise!