Monitoring DMARC Badsender.com - May 2021

As at the beginning of each month now, we will share with you, in this article, our DMARC compliance results!

To summarize: Today, our security policy is at "quarantine", which means that any email with SPF & DKIM authentication failures will be delivered as junk mail to any organization (ISP, Webmails, companies, ...) able to interpret and apply the DMARC security rule.

Ultimately, we have two goals for 2021:

1. Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
2. Legitimize all our email flows (and yes, we use several distinct tools for each type of sending - understand, we don't have all our eggs in the same basket :p).
3. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!

This 3rd point is too complicated to set up (cf. point n°2), we will remain in "relaxed" since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... We will study a passage towards a strict alignment!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Enjoy your reading 🙂

Compliance rate of May 2021

To be DMARC compliant, the email must return a properly authenticated and properly aligned (soft or hard) SPF or DKIM record.

Here are our results for the month of May 2021 (I am voluntarily keeping the history since the first DMARC monitoring was published to compare the evolution of the data):

Badsender.com	Volumes	Compliant	Non-Compliant	Not Authenticated
May 2021	3 900	99,7%	0,1%	0,2%
April 2021	4 214	99,4%	0,1%	0,5%
March 2021	3 549	99,1%	0,9%	0,0%
February 2021	5 221	99,8%	0,2%	0,0%
January 2021	4 843	98,0%	1,9%	0,1%
December 2020	3 797	99,3%	0,4%	0,3%
November 2020	4 973	98,0%	1,9%	0,1%
October 2020	3 772	95,8%	4,1%	0,1%

Even though we have fallen below 4,000 reports, our compliance rate is still very good, since we have exceeded 99%! Note that 5 reports are reported as "non-compliant" to DMARC and only 6 as "non-authenticated".

Authentication & SPF & DKIM alignment

Authentication & SPF alignment

For an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain - visible in the SMTP header of an email).

For this month of May, we are keeping our SPF validity rate above 95%. When we are further along in our DMARC policy and our infrastructure migration is complete, we will optimize - as much as possible - the 3% of failure.

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical or from a sub-domain of the FROM domain (cf. domain of the sending address).

Some subflows are showing an alignment problem. We will analyze them and decide if we should make them DMARC compliant or not.

Authentication & DKIM alignment

For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).

Just like April, our DKIM validity rate for the month of May remains very good, above 99%!

As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to or come from the sub-domain of the FROM domain (cf. domain of the sending address).

Like SPF alignment, some secondary flows are coming up with DKIM alignment issues. We'll study them and decide if we should and can make them DMARC compliant. We'll give you more information about these treatments when we make a decision 🙂

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

We've had a few unauthenticated reports this month from eastern domains - you can see where that's coming from, right? Without that, we wouldn't have had any reports from that side.

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (understand here the domain name that is associated with an IP) reported as "non-compliant" for the month of May 2021:

Organization	Sender rDNS	Category	Volumes	Percentage	Source	Action
Microsoft	*.outlook.com	Webmail	3	60%	Known	No action
Sharpspring	*.marketingautomation.services	ESP	1	20%	Known	Make it compliant
Google	*.google.com	Webmail	1	20%	Unknown	No action

Only 5 uploads for this month of May 2021. No action should be done on these feeds to make them DMARC compliant.

And the list of "Sender rDNS" reported as "unauthenticated":

Organization	Sender rDNS	Category	Volumes	Percentage	Source	Action
?	*.beru.ru	Spammer ?	2	33%	Unknown	No action
?	*.duiko.guru	Spammer ?	1	17%	Unknown	No action
?	*.webtrening.ru	Spammer ?	1	17%	Unknown	No action
?	*.telmex.net.ar	Spammer ?	1	17%	Unknown	No action
?	Unknown	Spammer ?	1	17%	Unknown	No action

For this month, as you can see, all the "non-authenticated" domains are totally unknown to us and therefore will not have to be DMARC compliant!

SPF & DKIM error trends

We have the possibility to know on each "Sender rDNS" what are the problems we have encountered and that will be corrected.

Below are the reported SPF & DKIM error trends for the month of May 2021:

Trend of the most frequent SPF errors

On the SPF error side, 372 emails report an SPF alignment problem (+83 compared to April), 98 report SPF failure (+11 compared to April), 9 report an SPF authentication problem (-17 compared to April).

Trend of the most frequent DKIM errors

On the DKIM error side, 80 emails report a DKIM alignment problem (-6 compared to April), 42 report DKIM failure (+10 compared to April), 6 report a DKIM authentication problem (-16 compared to April).

Our roadmap for June 2021!

Finally, for this month of June, there will be only one compliance to be achieved on the "non-compliant" and "non-authenticated" flows:

Non-compliant" sources

• (To Do) Sharpspring: Make it Conform.

Non-authenticated" sources

• CLEAR.

Conclusion

Just like April, this month of May has been very quiet. Even if there is only one source to make compliant, I will still look at the compliant feeds to see if there are not optimizations to be done to optimize SPF and/or DKIM configurations to make them DMARC compliant. See you next month to find out 🙂

—–

If you too have the ambition to make your email flows DMARC compliant but you don't know where to start, which solution(s) to use... We're here to help you 🙂

—–

Feel free to share, like, comment... In short, make some noise !!!!!

—–

Badsender, emailing expertise agitator! Badsender is a team of craftsmen specialized in the various disciplines surrounding email marketing! Our emailing agency intervenes on questions of strategy, design, orchestration and deliverability. We offer this expertise in the form of coachingWe can also provide services such as audits, or act as an outsourced production force. 

—–

Our other content related to DMARC (from near or far) :

— DMARC monitoring from April 2021

— DMARC monitoring from March 2021

— DMARC monitoring in February 2021

— DMARC monitoring from January 2021

— DMARC monitoring in December 2020

— DMARC Monitoring October vs. November 2020

— Tech 2021 #02 | What if you deploy DMARC in 2021 on your domain name?

— Our White Paper on DMARC deployment

- All about SPF in 3 articles:

         What is SPF? Configuration, verification and monitoring

         10 Tips to implement in your SPF configuration

         How about passing your SPF record to the -all qualifier?

- All about DKIM (1 article only):

         What is DKIM? Configuration, verification and monitoring

- Almost everything you need to know about ARC (1 article so far):

         What is the CRA? Definition, operation and verification

—–

Photo by Randy Tarampi on Unsplash

—–