Monito 2021 #05 | Monitoring DMARC Badsender.com - April 2021

As at the beginning of each month now, we will share with you in this article, our DMARC compliance results!

To summarize: Today, our security policy is at "quarantine", which means that any email with SPF & DKIM authentication failures will be delivered as junk mail to any organization (ISP, Webmails, companies, ...) able to interpret and apply the DMARC security rule.

Ultimately, we have two goals for 2021:

  1. Change our security policy from "quarantine" to "reject": we would then ask all ISPs/Webmails/Filters (interpreting DMARC) to reject emails with bad SPF & DKIM authentication.
  2. Legitimize all our email flows (and yes, we use several distinct tools for each type of sending - understand, we don't have all our eggs in the same basket :p).
  3. Apply a "strict" SPF & DKIM alignment instead of a "relaxed" one: We're plugging EVERYTHING into Badsender.com!

This 3rd point is too complicated to set up (cf. point n°2), we will remain in "relaxed" since all our legitimate flows will be branded with a sub-domain of Badsender.com. And if one day things change... We will study a passage towards a strict alignment!

We are aware that it will take time and energy but it is not impossible! And if it allows us to reduce the risks of using our domain name, it's worth it.

Let's get to the heart of the matter... Enjoy your reading 🙂

Compliance rate of April 2021

To be DMARC compliant, the email must return a properly authenticated and properly aligned (soft or hard) SPF or DKIM record.

Here are our results for the month of April 2021 (I voluntarily keep the history since the first DMARC monitoring was published to compare the evolution of the data):

Badsender.comVolumesCompliantNon-CompliantNot Authenticated
April 20214 21499,4%0,1%0,5%
March 20213 54999,1%0,9%0,0%
February 20215 22199,8%0,2%0,0%
January 20214 84398,0%1,9%0,1%
December 20203 79799,3%0,4%0,3%
November 20204 97398,0%1,9%0,1%
October 20203 77295,8%4,1%0,1%
Compliance rate on our domain Badsender.com

Another good month! More volumes, more compliance! The only downside is that we had a little bit of unauthenticated traffic (23 in total over the month), but our compliance rate remains above 99%.

Our DMARC security policy remains at "none" for the moment since we changed host. No change in sight before at least this summer.

Authentication & SPF & DKIM alignment

For an email to be properly authenticated with SPF, the IP used must be declared in the SPF record of the email envelope domain (understand here the MailFrom/Return-path domain - visible in the SMTP header of an email).

SPF authentication rate between October 2020 and April 2021
SPF authentication rate between October 2020 and April 2021

Our SPF validity rate is back above 95% this month. When we are further along in our DMARC policy, we will see if there are any optimizations to be made on the 3% failures.

And for an e-mail to be correctly aligned with SPF, the domain of the e-mail envelope (here the MailFrom/Return-path) must be identical or from a sub-domain of the FROM domain (cf. domain of the sending address).

SPF alignment rate between October 2020 and April 2021
SPF alignment rate between October 2020 and April 2021

And it's going back up! After some corrections, we are back with an alignment rate above 90%. Just like the SPF validity rate, we will see later if we can improve this alignment rate to have a more DMARC compliant configuration.

For an email to be properly authenticated with DKIM, the email will need to have a valid DKIM signature (regardless of the domain used in the "d=" statement).

DKIM authentication rate between October 2020 and April 2021
DKIM authentication rate between October 2020 and April 2021

The DKIM authentication rate is clear, the validity rate is almost 99%!

As far as DKIM alignment is concerned, for an e-mail to be correctly aligned, the domain declared in the DKIM signature (contained in the "d=") must be identical to or come from the sub-domain of the FROM domain (cf. domain of the sending address).

DKIM alignment rate between October 2020 and April 2021
DKIM alignment rate between October 2020 and April 2021

DKIM alignment is better than Mars (+96%) but still perfectible. We will see later if we can improve the DKIM alignment.

The last DKIM-related rate is the rate of unsigned e-mails (and yes, there are still some). These are emails that have no DKIM signature.

Rate of unsigned emails with DKIM between October 2020 and April 2021
Rate of unsigned emails with DKIM between October 2020 and April 2021

In this month of April, we have had the biggest increase of "non-authenticated" traffic with 23 reports... And we know where it comes from too... Oops!

Distribution of non-compliant & non-authenticated emails

Here is the list of "Sender rDNS" (understand here the domain name which is associated with an IP) that have been reported as "non-compliant" for the month of April 2021:

OrganizationSender rDNSCategoryVolumesPercentageSourceAction
Microsoft*.outlook.comWebmail3100,00%KnownNo action

Only 3 returns for this month of April 2021. No action should be done on this flow.

And the list of "Sender rDNS" reported as "unauthenticated":

OrganizationSender rDNSCategoryVolumesPercentageSourceAction
Infomaniak*.infomaniak.chHosting1878%KnownMake it compliant
?UnknownSpammer ?313%UnknownNo action
?*.squirrelcanvas.ruSpammer ?14%UnknownNo action
Microsoft*.outlook.comWebmail14%UnknownNo action

There has been some activity this month. The "infomaniak.ch" feed must be brought into conformity because it is legitimate. For the rest, no action is required.

SPF & DKIM error trends

We have the possibility to know on each "Sender rDNS" what are the problems we have encountered and that will be corrected.

Below are the reported trends on SPF & DKIM errors for the month of April 2021:

Trend of the most frequent SPF errors

SPF failure trend for April 2021

On the SPF error side, 289 emails come back with an SPF alignment problem, 87 come back with a failed SPF, 26 come back with an SPF authentication problem and only 1 comes back with a temporary error!

Trend of the most frequent DKIM errors

DKIM failure trend for April 2021

For DKIM, 86 emails come back with a DKIM alignment problem, 32 come back with a DKIM failure, 22 come back with a DKIM authentication problem, 17 with a permanent error and only 1 comes back with a temporary error.

Our roadmap for May 2021!

There will be a big optimization to do this month:

Need help?

Reading content isn't everything. The best way is to talk to us.


  1. Non-authenticated" sources
  • Infomaniak: Make the flow compliant

2. Non-compliant" sources

  • CLEAR.

Conclusion

This month of April has been rather quiet, only one flow finally has to comply, the other flows remain as they are!

Our migration is almost complete, we will be able during the summer to be more aggressive on our DMARC policy... I'm preparing for a hot summer 🙂

—–

If you too have the ambition to make your email flows DMARC compliant but you don't know where to start, which solution(s) to use... We're here to help you 🙂

—–

Feel free to share, like, comment... In short, make some noise !!!!!

—–

Badsender, emailing expertise agitator! Badsender is a team of craftsmen specialized in the various disciplines surrounding email marketing! Our emailing agency intervenes on questions of strategy, design, orchestration and deliverability. We offer this expertise in the form of coachingWe can also provide services such as audits, or act as an outsourced production force. 

—–

Content related to DMARC in any way:

DMARC monitoring from March 2021

DMARC monitoring in February 2021

DMARC monitoring from January 2021

DMARC monitoring in December 2020

DMARC Monitoring October vs. November 2020

Tech 2021 #02 | What if you deploy DMARC in 2021 on your domain name?

Our White Paper on DMARC deployment

- All about SPF in 3 articles:

         What is SPF? Configuration, verification and monitoring

         10 Tips to implement in your SPF configuration

         How about passing your SPF record to the -all qualifier?

- All about DKIM (1 article only):

         What is DKIM? Configuration, verification and monitoring

- Almost everything you need to know about ARC (1 article so far):

         What is the CRA? Definition, operation and verification

—–

Photo by Randy Tarampi on Unsplash

—–

Support the "Email Expiration Date" initiative

Brevo and Cofidis financially support the project. Join the movement and together, let's make the email industry take responsibility for the climate emergency.

Share
The author

Laisser un commentaire

Your email address will not be published. Les champs obligatoires sont indiqués avec *