
DMARC Monitoring for Badsender.com - October 2021

Like every month now, I am sharing with you our DMARC data for the month of October 2021!

To summarize: Today, following our email migration, we have changed our DMARC security policy from "quarantine" to "none" to be sure that no email flow is impacted. Afterwards, we will go back to the "quarantine" level to protect our domain name.

We have, in time, two objectives for 2021 (three originally):

  1. Change our security policy to "reject": we would then ask any organization interpreting DMARC to reject emails with poor SPF & DKIM authentication/alignment.
  2. Legitimize all our email flows (and yes, we use several distinct tools for each type of sending - in other words, we don't have all our eggs in the same basket :p).
  3. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!

This 3rd point is too complicated to set up (cf. point no. 2), so we will remain in "relaxed" since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... we will look into moving to a strict alignment!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Enjoy your reading 🙂

October 2021 compliance rate

To be DMARC compliant, an email must pass SPF or DKIM, and the mechanism that passes must be both properly authenticated and properly aligned (relaxed or strict).

Here are our results since the beginning of the year 2021:

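| Badsender.com | Volumes | Compliant | Non-Compliant | Not Authenticated |
|---|---|---|---|---|
| October 2021 | 4,929 | 99.8% | 0.1% | 0.1% |
| September 2021 | 4,912 | 99.8% | 0.2% | 0.0% |
| August 2021 | 1,711 | 99.8% | 0.1% | 0.1% |
| July 2021 | 2,124 | 82.6% | 5.6% | 11.8% |
| June 2021 | 4,717 | 99.6% | 0.2% | 0.2% |
| May 2021 | 3,900 | 99.7% | 0.1% | 0.2% |
| April 2021 | 4,214 | 99.4% | 0.1% | 0.5% |
| March 2021 | 3,549 | 99.1% | 0.9% | 0.0% |
| February 2021 | 5,221 | 99.8% | 0.2% | 0.0% |
| January 2021 | 4,843 | 98.0% | 1.9% | 0.1% |
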
Compliance rate for our domain Badsender.com in 2021

Following on from September, the compliance rate for the month of October reached 99.8%. Only 7 e-mails were found to be non-compliant and 7 e-mails were not authenticated.

Authentication & SPF & DKIM alignment

For an email to be properly authenticated with SPF, the sending IP must be declared in the SPF record of the email envelope domain (that is, the MailFrom/Return-Path domain, visible in the headers of an email).

Our SPF authentication rate for the year 2021

After a very good result in September, we do it again in October with an SPF authentication rate of 98.5%!

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-Path) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).

Our SPF alignment rate for the year 2021

Our SPF alignment rate for October is down significantly. We've identified the cause - a Mailjet feed with an uncustomized MailFrom - and we'll fix it asap.

For an email to be properly authenticated with DKIM, the email needs to carry a valid DKIM signature (regardless of the domain used in the "d=" tag).

Our DKIM authentication rate for the year 2021

Nothing to report. The month of October shows a very good DKIM authentication rate, we are at 99.5%!

As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=" tag) must be identical to, or a sub-domain of, the FROM domain (i.e. the domain of the sending address).

Our DKIM alignment rate for the year 2021

Nothing to report. The DKIM alignment rate for the month of October remains very good, with a rate of 98%!

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

Our unsigned email rate with DKIM for the year 2021

Nothing to report. The rate of unsigned emails with DKIM remains very low and we won't complain about it!
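
The authentication and alignment rules described in this section can be combined into a single DMARC verdict per flow. The sketch below is an added example, not Badsender's tooling: the row fields, the sample sub-domains and ESP domain, and the mapping onto the three categories of the compliance table are assumptions. It goes slightly beyond the text by comparing organizational domains in relaxed mode, as DMARC does, using a tiny constructed stand-in for the Public Suffix List.

```python
from collections import Counter

# Constructed stand-in for the Public Suffix List used by real evaluators.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def classify(row, aspf="r", adkim="r"):
    """Map one report row to compliant / non-compliant / not authenticated."""
    spf_pass = row["spf"] == "pass"
    dkim_pass = [d for d, result in row["dkim"] if result == "pass"]
    spf_ok = spf_pass and aligned(row["mail_from"], row["from"], aspf)
    dkim_ok = any(aligned(d, row["from"], adkim) for d in dkim_pass)
    if spf_ok or dkim_ok:
        return "compliant"          # one aligned pass is enough for DMARC
    if spf_pass or dkim_pass:
        return "non-compliant"      # authenticated, but for another domain
    return "not authenticated"

def summarize(rows, aspf="r", adkim="r"):
    totals = Counter()
    for row in rows:
        totals[classify(row, aspf, adkim)] += row["count"]
    return dict(totals)

# Constructed sample rows (hypothetical sub-domains and ESP domains).
ROWS = [
    # ESP flow with a default MailFrom: SPF passes unaligned, DKIM is aligned.
    {"from": "badsender.com", "mail_from": "bounces.esp.example", "spf": "pass",
     "dkim": [("badsender.com", "pass")], "count": 100},
    # Flow branded with a sub-domain: aligned in relaxed mode only.
    {"from": "badsender.com", "mail_from": "news.badsender.com", "spf": "pass",
     "dkim": [("news.badsender.com", "pass")], "count": 40},
    # Third party that authenticates only with its own domain.
    {"from": "badsender.com", "mail_from": "mail.other.example", "spf": "pass",
     "dkim": [("other.example", "pass")], "count": 3},
    # Neither SPF nor DKIM passes.
    {"from": "badsender.com", "mail_from": "host.unknown.example", "spf": "fail",
     "dkim": [], "count": 2},
]
```

Calling `summarize(ROWS)` and then `summarize(ROWS, aspf="s", adkim="s")` shows the sub-domain flow moving from compliant to non-compliant under strict alignment, while the first row stays compliant on DKIM alone despite its unaligned SPF.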

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (i.e. the domain name associated with an IP) reported as "non-compliant" over the month of October 2021:

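| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Sharpspring | *.marketingautomation.services | ESP | 3 | 42% | Known | To be studied |
| Microsoft | *.outlook.com | Webmail | 2 | 29% | Unknown | No action |
| OVH | *.ovh.net | Hosting | 2 | 29% | Unknown | No action |
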
October 2021 Non-Compliant Flows

Only the Sharpspring stream needs to be studied to see if it needs to be brought into compliance! For the rest, we don't care!

And the list of "Sender rDNS" reported as "unauthenticated":

| Organization | Sender rDNS | Category | Volumes | Percentage | Source | Action |
|---|---|---|---|---|---|---|
| Microsoft | *.outlook.com | Webmail | 6 | 86% | Known | No action |
| ? | *.kolesa.ru | ? | 1 | 14% | Unknown | No action |

Unauthenticated flows from October 2021

For the "non-authenticated" flows, the "Outlook" flow is a residual from our old email system so there is no need to make these flows compliant.

SPF & DKIM error trends

For each "Sender rDNS", we are able to see which problems we have encountered and which will be corrected.

Below are the reported trends on SPF & DKIM errors for the month of October 2021:

Trend of the most frequent SPF errors

SPF failure trend for the month of October 2021

For the month of October, 1,068 emails report an SPF alignment problem, 52 emails report SPF failure, 5 emails report no SPF record and 5 emails report a temporary error with SPF.

Trend of the most frequent DKIM errors

DKIM failure trend for the month of October 2021

On the DKIM error side for the month of October, 75 emails reported a DKIM alignment problem, 18 emails reported a DKIM authentication problem, 12 emails reported a temporary DKIM problem, 6 emails reported a permanent error and 3 emails reported no DKIM record.

Our roadmap for the end of the year!

As we have finally completed our email migration from Outlook to Infomaniak, I will be able to concentrate on our DMARC compliance over the end of the year, which leads to the following objectives:

  1. Check with Jonathan to see if the Sharpspring feed that came up as "non-compliant" needs to be brought into compliance.
  2. Correct flows that must be DMARC compliant: those with SPF non-compliant or DKIM non-compliant.
  3. Upgrade our DMARC security policy from "none" to "quarantine" by the end of the year.

Conclusion

The month of September was rather good, and this month of October does not bring any very bad surprises. Only the flow via Mailjet needs to be optimized to significantly improve our SPF alignment rate.
