As we now do at the beginning of each month, we are sharing our DMARC compliance results in this article, this time for January 2021!
To summarize: today, our security policy is set to "quarantine", which means that any email failing SPF & DKIM authentication will be delivered as junk mail by any organization (ISPs, webmails, companies, ...) able to interpret and apply the DMARC security rule.
Ultimately, we have two goals for 2021:
- Legitimize all our email flows (and yes, we use several distinct tools for each type of sending - that is, we don't put all our eggs in one basket :p).
- Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication (except in the case of an email forwarded with ARC).
- Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com! This 3rd point is too complicated to set up (cf. point n°1), so we will stay with a "relaxed" alignment, since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... we will look into moving to a strict alignment!
We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.
Let's get to the heart of the matter... Enjoy your reading 🙂
January 2020 compliance rate
To be DMARC compliant, an email must pass SPF or DKIM with both proper authentication and proper alignment (relaxed or strict).
Here are our results for the month of January 2020 (I am deliberately keeping the history since the first DMARC monitoring was published, to compare how the data evolves):
Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
January 2021 | 4 843 | 98,0% | 1,9% | 0,1% |
December 2020 | 3 797 | 99,3% | 0,4% | 0,3% |
November 2020 | 4 973 | 98,0% | 1,9% | 0,1% |
October 2020 | 3 772 | 95,8% | 4,1% | 0,1% |
In January, we saw some "non-compliant" activity on our domain name. I'll let you guess where it came from with a little hint =>.
Apart from this problem, the compliance rate for January remains good: the issues on our web host "Dreamhost" have been corrected, so all of those flows have become "compliant". Ditto with Sellsy - by the way, we thank them for the time spent improving DMARC compliance on what we send via their platform 🙂
Authentication & SPF & DKIM alignment
For an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (that is, the MailFrom/Return-Path domain, visible in the SMTP header of an email).
Authentication & SPF alignment
Clear on this side: even if we can still improve on SPF authentication, the rate remains above 97%.
And for an email to be correctly aligned with SPF, the domain of the email envelope (here the MailFrom/Return-Path) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).
Clear on this side too, same observation, we could be much better... Let's work on it 😉
Authentication & DKIM alignment
For an email to be properly authenticated with DKIM, the email needs to carry a valid DKIM signature (regardless of the domain used in the "d=" tag).
Our DKIM validity rate is still very good, above 99%.
As far as DKIM alignment is concerned, for an email to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=" tag) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).
Even if it is down compared to December 2020, the DKIM alignment rate is still excellent... 98%!
The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.
Even though it says 0.0%, we had only 3 unauthenticated emails in January 2021, coming from Outlook. To be investigated, to see if these flows should be made compliant.
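The compliance rule described above (an SPF or DKIM pass that is also aligned with the From domain), as an added example that is not Badsender's tooling. Relaxed mode is implemented as in RFC 7489 (same organizational domain), which covers the sub-domain case; the DMARC records, the sub-domains of badsender.com, example.net and example.invalid are constructed sample values, and the `sp=` and `pct=` tags are not modelled.

```python
# Added example: DMARC evaluation of one message (not Badsender's tooling).
# Simplification: the organizational domain is taken as the last two labels;
# a real evaluator consults the Public Suffix List (e.g. for "co.uk").

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed is the default mode
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ("s"): exact match. Relaxed ("r"): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(policy, from_domain, spf_result, mailfrom_domain, dkim_sigs):
    """Return (compliant, disposition); disposition is "none" when compliant,
    otherwise the record's p= value. dkim_sigs is a list of (d=, result)."""
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy["adkim"])
                  for d, result in dkim_sigs)
    compliant = spf_ok or dkim_ok               # one aligned pass is enough
    return compliant, "none" if compliant else policy["p"]

# Constructed records: a "quarantine" policy, then "reject" with strict alignment.
QUARANTINE = parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid")
REJECT_STRICT = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s")

# Constructed messages: (From domain, SPF result, MailFrom domain, DKIM signatures).
# 1) Sent through a branded sub-domain: SPF and DKIM pass on a sub-domain.
branded = ("badsender.com", "pass", "bounce.news.badsender.com", [("news.badsender.com", "pass")])
# 2) Third-party tool using its own domains: authenticated but not aligned.
unaligned = ("badsender.com", "pass", "mail.example.net", [("example.net", "pass")])
# 3) Forwarded mail: SPF fails at the new hop, the aligned DKIM signature survives.
forwarded = ("badsender.com", "fail", "badsender.com", [("badsender.com", "pass")])

if __name__ == "__main__":
    for name, msg in (("branded", branded), ("unaligned", unaligned), ("forwarded", forwarded)):
        print(name, evaluate(QUARANTINE, *msg), evaluate(REJECT_STRICT, *msg))
```

The branded message is compliant under relaxed alignment but not under strict alignment, which is the trade-off behind staying "relaxed" when legitimate flows are sent from sub-domains.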
Distribution of non-compliant & non-authenticated emails
Here is the list of "Sender rDNS" (that is, the domain name associated with an IP) reported as "non-compliant" for the month of January 2021:
Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
Sellsy | *.sellsy.com | Software | 8 | 9% | Known | Make it compliant |
Outlook | *.outlook.com | Webmail | 4 | 4% | To be studied | No action |
? | *alpha-on3lol.ru | ? | 4 | 4% | Unknown | No action |
? | *.youcu.ru | ? | 3 | 3% | Unknown | No action |
? | *.autoptica.ru | ? | 3 | 3% | Unknown | No action |
? | *.zhannab.ru | ? | 3 | 3% | Unknown | No action |
? | *.vsdshnik.ru | ? | 2 | 2% | Unknown | No action |
? | *.kvantoforum.ru | ? | 2 | 2% | Unknown | No action |
? | *.trevelpayouts.ru | ? | 2 | 2% | Unknown | No action |
? | *.nosjevsky.ru | ? | 2 | 2% | Unknown | No action |
I have only posted the TOP10 - there were 55 entries in total.
As you can see, there are a lot of Russian domains (all these entries were made by the Mail.ru provider). The "From" domain was indeed "badsender.com", with SPF/DKIM signatures on ".com/.ru" domains and Russian IPs...
For Sellsy, the problem was solved on 15/01 (thanks to them). All flows are DMARC compliant today.
And now let's move on to the list of "Sender rDNS" that are reported as "unauthenticated":
Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
Outlook | *.outlook.com | Webmail | 3 | 100% | To be studied | No action |
These "Outlook" flows are worth investigating. In this case there was a temporary authentication error, which is why they were reported as "unauthenticated".
SPF & DKIM error trends
For each "Sender rDNS", we can see which problems were encountered and will need to be corrected.
Below are the reported trends on SPF & DKIM errors for the month of January 2021:
Trend of the most frequent SPF errors
On the SPF side, alignment problems are still in the majority. More than 7 out of 10 emails are not SPF aligned, meaning the domain used in the MailFrom is different from Badsender.com or its sub-domains.
Trend of the most frequent DKIM errors
Same for DKIM: more than 8 out of 10 emails show an alignment problem... The domain declared in the DKIM signature is different from Badsender.com or its sub-domains.
Our roadmap for February 2021!
Unfortunately, we will only be meeting with Jonathan on February 11th, so the information below may change between now and then:
"Non-authenticated" sources
- Dreamhost (email from WordPress): Add an SMTP relay (done)
- SharpSpring: Open a support ticket (done)
- Outlook: Study the sources and see if we should make them DMARC compliant or not (to do)
"Non-compliant" sources
- Sendgrid: Add SMTP relay (done)
- SharpSpring: Open a support ticket (done)
- Sellsy (electronic signature of contracts): Migrate email flows to Office 365 (done)
For all the other sources, no action will be taken for the moment... We don't care, because we have no interest in legitimizing them 😉
Conclusion
Well, as you have seen, the roadmap is almost finished... I think that we will soon be able to change our DMARC security policy from "quarantine" to "reject"... Verdict on February 11th... To be continued in the next issue!