We will again talk about DMARC and our monthly monitoring.
In this article (which you will find every month), we will share with you the DMARC monitoring we do on our domain Badsender.com.
Today, our security policy is "quarantine", which means that any email with failed SPF & DKIM authentication will be delivered as junk mail to ISPs/Webmails capable of interpreting DMARC.
We have two goals for 2021:
- Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
- Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!
We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.
Let's get to the heart of the matter... Hang on!
December 2020 compliance rate
To be DMARC compliant, the email must return a correctly authenticated and correctly aligned SPF or DKIM record. Here are our results for the month of December 2020 (I purposely kept the previous 2 months for comparison) :
| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
| October | 3 772 | 95,8% | 4,1% | 0,1% |
| November | 4 973 | 98,0% | 1,9% | 0,1% |
| December | 3 797 | 99,3% | 0,4% | 0,3% |
I voluntarily kept the months of October and November for comparison. And here, I must say that we are close to perfection in December! 99.3% of e-mails are DMARC compliant, i.e. only 14 e-mails are reported as non-compliant and 12 e-mails are reported as "non-authenticated".
To improve our DMARC compliance rate again in the "very near future", we will have to correct the problems related to non-compliant and especially non-authenticated emails!
Authentication & SPF & DKIM alignment
Authentication & SPF alignment
In order for an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain).
We are still above 97% in December. To be confirmed in 2021!
And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical to the domain of the FROM (here the domain of the sending address).
Our SPF alignment rate for the last 3 months of 2020
Cool, we line up better in December than the rest of the year! However, we can still do better on this side...
Authentication & DKIM alignment
For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).
Our DKIM authentication rate over the last 3 months is 2020
No big loss in December, more than 99% of our e-mails sent via DMARC reports are signed with DKIM... Top!
As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to the domain of FROM (the domain of the sending address).
Our rate of'DKIM alignment on the last 3 months of 2020
We are improving on the DKIM alignment to pass the 99% mark... To be maintained in 2021!
Need help?
Reading content isn't everything. The best way is to talk to us.
The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.
Our rate of unsigned emails with DKIM over the last 3 months of 2020
We have a slight increase in December but we're still far from the 2020 average (0.9%), we're not going to be picky and work to improve that 🙂
Distribution of non-compliant & non-authenticated emails
Here is the list of "Sender rDNS" (understand here the domain name that is associated with an IP) brought up as "non-compliant" over the month of December 2020:
| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
| Sellsy | *.sellsy.com | Software | 7 | 50% | Known | Make it compliant |
| Outlook | *.outlook.com | Webmail | 4 | 29% | To be studied | No action |
| OVH | *.ovh.net | Hosting | 3 | 21% | Unknown | No action |
For Sellsy, the problem is on the SPF (mail.sellsy.com) & DKIM (sellsy.com) alignments. Some of the Outlook sources will have to be made compliant, the others will not require any action (as for OVH).
And the list of "Sender rDNS" reported as "unauthenticated":
| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
| Dreamhost | *.dreamhostps.com | Hosting | 11 | 92% | Known | Make it compliant |
| ? | *.jino.ru | ? | 1 | 8% | Unknown | No action |
Dreamhost is in the process of compliance, this line should disappear in January! On the other hand, the Russian domain is totally unknown to us... so we won't do any compliance action on it!
SPF & DKIM error trends
We have the possibility to know on each "Sender rDNS" what are the problems we have encountered and that will be corrected.
Below are the trends reported on SPF & DKIM errors for the month of December 2020:
The trend of the most frequent SPF errors
Trend of SPF failures for the month of December
And the trend of the most frequent DKIM errors
Trend of DKIM failures for the month of December
On the SPF error side, alignment problems are still in the majority (more than 6 out of 10 emails are not SPF aligned).
On the other hand, for DKIM, more than 5 out of 10 emails show an authentication problem... To be corrected as soon as possible, especially if the failed emails must be compliant.
Our roadmap for January 2021!
After a review of the various "non-compliant" and "non-authenticated" feedbacks with Jonathan, we defined the following roadmap:
Non-authenticated" sources
- Dreamhost (email from WordPress) : Add SMTP relay (done)
- SharpSpring: Open a support ticket (done)
Non-compliant" sources
- Sendgrid: Add SMTP relay (done)
- Sharpspring : Open a support ticket (done)
- Sellsy (electronic signature of contracts): Migrate email flows to Office 365 (to do)
For all other sources, no action is required for the moment. Some will have to be studied (to see if we need to make them compliant) and for the others... Osef since we have no interest behind it.
Conclusion for this DMARC monitoring.
Following the monitoring of October & November, we have not been idle... We have made several sources "compliant" with DMARC but we are not going to stop there, we have to take care of a big project called "Sellsy" which will take a little time... More in the next issue! And if you too have the ambition to make your email flows DMARC compliant but don't know where to start, what solution(s) to use... We're here to help you J
Feel free to share, like, comment... In short, make some noise !!!!!
Badsender, emailing expertise agitator! Badsender is a team of craftsmen specializing in the various disciplines surrounding email marketing! Our emailing agency intervenes on questions of strategy, design, d'orchestration and deliverability. We offer this expertise in the form of coaching, d'audits or intervention as an outsourced production force.
DMARC-related content:
- DMARC Monitoring Badsender.com October vs. November 2020
- Our White Paper on DMARC deployment
- All about SPF in 3 articles:
- All about DKIM (1 article only):
- Almost everything you need to know about ARC (1 article so far):
4 réponses
Hello,
What do you use to analyze the dmarc reports you receive?
Thank you.
Hello, I work at Sellsy. Can we call each other to make a point?
Hello Clément,
Currently, we use the DMARC module of the 250ok/Validity monitoring solution.
Kind regards,
Sebastien.
Hello Alain,
Thanks for your message, I'm talking to Jonathan about it and we'll get back to you soon to discuss the subject 🙂
Kind regards,
Sebastien.