To summarize: today, our security policy is set to "quarantine", which means that any email failing SPF & DKIM authentication will be delivered as junk mail by any organization (ISPs, webmails, companies, ...) able to interpret and apply the DMARC security rule.
Ultimately, we have three goals for 2021:
- Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
- Legitimize all our email flows (and yes, we use several distinct tools for each type of sending; in other words, we don't put all our eggs in one basket :p).
- Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!
This 3rd point is too complicated to set up (cf. point n°2), so we will remain in "relaxed" since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... we will look at moving to strict alignment!
We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.
Let's get to the heart of the matter... Enjoy your reading 🙂
March 2021 compliance rate
To be DMARC compliant, an email must pass SPF or DKIM with a result that is both properly authenticated and properly aligned (relaxed or strict).
Here are our results for the month of March 2021 (I am deliberately keeping the history since the first DMARC monitoring was published, to compare the evolution of the data):
| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
|---|---|---|---|---|
| March 2021 | 3 549 | 99.1% | 0.9% | 0.0% |
| February 2021 | 5 221 | 99.8% | 0.2% | 0.0% |
| January 2021 | 4 843 | 98.0% | 1.9% | 0.1% |
| December 2020 | 3 797 | 99.3% | 0.4% | 0.3% |
| November 2020 | 4 973 | 98.0% | 1.9% | 0.1% |
| October 2020 | 3 772 | 95.8% | 4.1% | 0.1% |
Almost perfect! Our compliance rate remains above 99% for this month of March despite a problem with SPF during the migration of our infrastructure.
Since this change of host, we have changed our DMARC security policy to "none" to ensure a smooth migration. We should be back to a restrictive security policy in the next few weeks or months.
Authentication & SPF & DKIM alignment
Despite our little hiccup with our SPF record during the domain name migration, we still have an SPF validity rate above 93%! It should go back up past 97% starting in April 🙂
For an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-Path) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).
This is a month of transition, which explains why this rate is a little lower than usual, but don't worry, it will go back up!
For an email to be properly authenticated with DKIM, it needs to carry a valid DKIM signature (regardless of the domain used in the "d=" tag).
The DKIM authentication rate is clear, with an exceptional rate in March of 99.99%!
As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=" tag) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).
On the DKIM alignment side, there is a noticeable drop compared to February 2021, due to forwarded emails, but the alignment rate is still at 94%!
The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.
Same as for February 2021, no authentication failure reports came up this month! Let's hope it lasts 🙂
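The compliance rule and the two alignment checks described in this section can be written as a small classifier. This is an added example, not Badsender's tooling: the `Message` fields, the function names, the sample messages and the reading of "not authenticated" as "neither SPF nor DKIM passes" are assumptions, and relaxed alignment follows the article's wording (identical or sub-domain) rather than a Public Suffix List lookup.

```python
from dataclasses import dataclass

def aligned(auth_domain, from_domain, mode="relaxed"):
    """Alignment as the article describes it (assumption: no Public Suffix
    List lookup, which a full DMARC validator uses for relaxed mode)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "strict":
        return a == f                        # identical domains only
    return a == f or a.endswith("." + f)     # identical or sub-domain

@dataclass
class Message:
    header_from: str   # domain of the sending address (FROM)
    mail_from: str     # envelope MailFrom / Return-Path domain
    spf_pass: bool     # SPF authentication result
    dkim_d: str        # "d=" domain of the DKIM signature ("" if unsigned)
    dkim_pass: bool    # DKIM signature is valid

def classify(m, mode="relaxed"):
    """Sort a message into the three columns of the monthly table."""
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from, mode)
    dkim_ok = m.dkim_pass and aligned(m.dkim_d, m.header_from, mode)
    if spf_ok or dkim_ok:          # one authenticated AND aligned result is enough
        return "compliant"
    if m.spf_pass or m.dkim_pass:  # authenticated, but for another domain
        return "non-compliant"
    return "not authenticated"

# Constructed sample messages; the *.example domains are placeholders.
SAMPLES = {
    "own_subdomain": Message("badsender.com", "bounce.badsender.com", True,
                             "badsender.com", True),
    "esp_own_domain": Message("badsender.com", "esp.example", True,
                              "esp.example", True),
    "subdomain_dkim": Message("badsender.com", "relay.example", False,
                              "mail.badsender.com", True),
    "unsigned": Message("badsender.com", "unknown.example", False, "", False),
}

def report(mode="relaxed"):
    return {name: classify(m, mode) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for mode in ("relaxed", "strict"):
        print(mode, report(mode))
```

Running it in both modes shows the flow signed with a sub-domain in "d=" moving from compliant to non-compliant under strict alignment.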
Distribution of non-compliant & non-authenticated emails
Here is the list of "Sender rDNS" (that is, the domain name associated with an IP) reported as "non-compliant" for the month of March 2021:
| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Sharpspring | *.marketingautomation.services | ESP | 19 | 61.31% | Known | Make Compliant |
| Microsoft | *.outlook.com | Webmail | 2 | 6.45% | Known | To be studied |
| ? | *.lintapps.com | ? | 2 | 6.45% | Unknown | No action |
| ? | *.guestsread.com | ? | 2 | 6.45% | Unknown | No action |
| OVH | *.ovh.net | Host | 2 | 6.45% | Known | No action |
| ? | *.treatedrent.net | ? | 2 | 6.45% | Unknown | No action |
| ? | *.sapphireamp.com | ? | 1 | 3.22% | Unknown | No action |
| ? | *.supplyword.net | ? | 1 | 3.22% | Unknown | No action |
31 reports this month of March 2021, of which one flow should be made compliant.
We will need to analyze and correct the "Sharpspring" stream to make it DMARC compliant. The "Microsoft" stream will have to be studied to see if it should be made DMARC compliant or not.
And the list of "Sender rDNS" reported as "unauthenticated":
| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
Clear and good 🙂
SPF & DKIM error trends
For each "Sender rDNS", we can see which problems were encountered and will need to be corrected.
Below are the reported trends on SPF & DKIM errors for the month of March 2021:
Trend of the most frequent SPF errors
Trend of the most frequent DKIM errors
On the SPF error side, 309 emails report an SPF alignment problem, 149 report a problem with SPF, 52 report an SPF authentication problem and only 5 report no SPF record at all!
For DKIM, 210 emails reported a DKIM alignment issue versus 18 that reported an authentication issue.
Our roadmap for April 2021!
During the February 11th meeting with Jonathan, we concluded that the migration of our entire infrastructure was a priority over the increase of our DMARC security policy and therefore, we will wait a few more months before tackling this project. We will mainly correct in April the few flows that need to be made compliant and continue our monitoring quietly before switching back to a restrictive DMARC policy:
"Non-authenticated" sources
CLEAR.
"Non-compliant" sources
- Sharpspring: Make it compliant
- Microsoft: Study the flows to see if any need to be made compliant.
Conclusion
This month of March is not that bad. Had we not had this problem with the SPF record, the data would have been much better.
Once this migration is complete, we will be able to resume more aggressive DMARC compliance. Until then, be patient!