We have recently set up DMARC to be p=quarantine and we have been getting similar percentages of failures as when it was set to none, around 97%. I am trying to understand what this means: does the failure mean that those items are now being sent to quarantine versus nothing happening? Also, is there a way for me to check that the DMARC record has been set up correctly?
What steps have you taken to resolve the issue?
I have sent several test emails to various domains and have confirmed receipt from each.
Changing your DMARC policy will not change the results, if the flow of email messages (that are pretending to be) from your domain remains the same as before.
From your text, it sounds like your failure percentage is at 97%?
That makes me wonder if you're perhaps misinterpreting it?
Did you mean:
97% is failing, with 3% passing, OR
97% is passing, with 3% failing
Can you perhaps share a screenshot?
The policy will apply to the messages that are failing, so if 3% of your email flow is failing, those 3% should be quarantined (which quite often means being sent to the "Spam" folder).
Your DMARC record seems syntactically correct as it is right now, but that doesn’t mean that it’s the best one, … yet.
If you want to do whatever you can to protect your brand, then the best you can do is to move it to "reject", assuming that your email flow is running perfectly fine for that.
Looking at, and digging into, the DMARC reports can help you identify whether it's running perfectly fine, so you can do that, … or whether it's not.
One example would be: if you're running all your outbound messages through Microsoft Office 365 alone (i.e. one single provider), but the (let's say 3%) failures that you see in the DMARC reports are all messages originating from other email providers, and you are not using any of those other email providers for any email messages for your brand, then you can ignore these failing percentages, as they are (likely) not legitimate messages from your organisation.
In such an example, I would move it straight to "reject".
On the other hand, if you do see failures, and any of these failures seem to be from an email provider that you do actually recognize, then it will be wise to look into the email flow originating from that email provider, before touching the policy any further.
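The original poster asked how to check that the record is set up correctly, and the answer above notes that the record "seems syntactically correct". Below is an added example of such a syntax check, written for this thread rather than taken from it or from any DMARC vendor. It checks a DMARC TXT record string against the tags and values RFC 7489 defines; the records passed to it in the usage block are constructed, and the domain names in them are placeholders. Fetch your own record first (for example with `dig +short TXT _dmarc.yourdomain.example`) and pass the quoted string in.

```python
"""Syntax check for a DMARC TXT record.

Added example, not code from the thread. Fetch the record yourself first, for
example with `dig +short TXT _dmarc.yourdomain.example`, and pass the string to
check_dmarc_record(). The sample records at the bottom are constructed.
"""
import re

# Tags defined by RFC 7489 and the values they accept (None = checked separately below).
ALLOWED = {
    "v": {"DMARC1"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf"},
    "rua": None, "ruf": None, "fo": None, "pct": None, "ri": None,
}
# Report destination: mailto: URI with an optional "!size" limit, e.g. mailto:a@b.example!10m
MAILTO_URI = re.compile(r"mailto:[^@\s!]+@[^@\s!]+(![0-9]+[kmgt]?)?", re.I)


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict, keeping the tag order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_dmarc_record(txt):
    """Return a list of problems; an empty list means the record is syntactically valid.

    This checks syntax only. A valid record can still be a bad one, e.g. a
    rua= address nobody reads, or p=reject before the mail flow is clean.
    """
    problems = []
    tags = parse_dmarc_record(txt)
    keys = list(tags)
    # v=DMARC1 must be the first tag; p= is required and the RFC's ABNF places it second.
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("required tag p= is missing")
    elif len(keys) > 1 and keys[1] != "p":
        problems.append("p= should immediately follow v=")
    for name, value in tags.items():
        if name not in ALLOWED:
            problems.append(f"unknown tag {name}= (receivers ignore it)")
        elif ALLOWED[name] is not None and value not in ALLOWED[name]:
            problems.append(f"{name}={value} is not one of {sorted(ALLOWED[name])}")
    # rua= (aggregate) and ruf= (forensic) take comma-separated mailto: URIs.
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_URI.fullmatch(uri):
                problems.append(f"{name}= entry {uri!r} is not a mailto: URI")
    # pct= is the share of failing messages the policy is applied to (0-100, default 100).
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct={pct} must be an integer from 0 to 100")
    # fo= controls when forensic reports are generated: 0 (both fail, default), 1 (either fails), d, s.
    fo = tags.get("fo")
    if fo is not None:
        bad = [opt for opt in fo.split(":") if opt not in {"0", "1", "d", "s"}]
        if bad:
            problems.append(f"fo= has unknown option(s) {bad}")
    ri = tags.get("ri")
    if ri is not None and not ri.isdigit():
        problems.append(f"ri={ri} must be a number of seconds")
    return problems


if __name__ == "__main__":
    # Constructed records: one good, one with two typical mistakes (bare address, pct out of range).
    for record in ("v=DMARC1; p=quarantine; rua=mailto:dmarc@brand.example",
                   "v=DMARC1; p=quarantine; rua=dmarc@brand.example; pct=150"):
        print(record, "->", check_dmarc_record(record) or "OK")
```

A clean result from this check only tells you the record will be parsed; whether p=quarantine or p=reject is safe is a question the reports answer, not the record.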
Thank you for your response and fixing some of my issues.
Correct, we are at a 97% success rate and a 3% failure rate.
I am glad it seems correct and I agree; we will be moving to reject in about 1 month as we want to go through the process with some caution. But it appears my concerns may be alleviated because, if I am understanding you correctly, only the failed emails will go to quarantine.
In regards to digging into the reports, is there any way I can see the emails being rejected? There are some services listed on the reports that we do not recognize; for example, we had 19 emails going out from BAE Systems, Inc today, and I am curious how we would be able to trace these emails back to see if they are legitimate emails being sent from an approved vendor or if these are part of something nefarious.
Finally, what is a trusted resource to see if we are on any block lists or blacklists, or potentially any similar resource?
Attached are the last several days of our report numbers; we turned p from none to quarantine on the 22nd. Let me know if there is any other information which may be helpful with my above questions.
The policy will only be applied to the messages that aren’t satisfying EITHER the “SPF aligned” or “DKIM aligned” field.
Aggregate reports ("rua=" tag) aren't going to provide you with the email at all, but will give you aggregate information about how many messages you have that are passing, as well as how many are failing the various checks, and where they originate from; in other words, statistical information about your email flow.
Forensic reports ("ruf=" tag) can give much more information about the individual message that is failing both "SPF aligned" and "DKIM aligned" (by default), or either of them individually, depending on how it has been configured ("fo=" tag).
Unfortunately, some DMARC senders won’t send RUF reports, apparently due to privacy reasons.
I would dig deeper in to these.
What were the results of “SPF aligned” and “DKIM aligned” for these?
I’m afraid a definitive “trusted resource” for that doesn’t exist.
There are some tools out there that claim to check multiple block lists.
However, since the major email providers have their own block lists, which aren't public but operate as one big black box, one single source won't necessarily give the full overview you're looking for.
Looking at these numbers, I would personally suggest digging way deeper in to your email flows, before setting “p=reject”.
To give a “DMARC pass”, you will require EITHER the “SPF aligned” or “DKIM aligned” to succeed.
"DKIM" can survive message forwarding, depending on how the sender's mail server is set up to sign its messages (e.g. signing too many email headers would likely make the signature fragile).
But "SPF" will either fail, or fail its alignment, in which case both of them wouldn't satisfy the "DMARC pass", if your recipients are forwarding their messages.
If your recipients are forwarding from the former email address to the latter, then your messages will fail under "SPF aligned", and they will then be rejected if you use "p=reject" and they do not satisfy the requirement for "DKIM aligned".
It seems like the majority of your customers (or perhaps more correctly, the recipients) aren’t utilizing message forwarding, given that the “SPF aligned” percentage is so high.
But I would still work together with your email providers, with the goal of raising the percentage of the “DKIM aligned” field.
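The answer above describes what an aggregate ("rua=") report contains and the rule that a message gets a "DMARC pass" when EITHER "SPF aligned" or "DKIM aligned" succeeds, with forwarding as the case that breaks SPF but can leave DKIM intact. The script below is an added example of reading such a report that way; it is not code from the thread or from any DMARC reporting service. The XML it parses is a constructed report in the RFC 7489 Appendix C layout (placeholder domains and documentation IP ranges) with three sources: the domain's own mail server, a forwarder, and an unrecognized sender. It recomputes the alignment verdicts from `<auth_results>` rather than only echoing the receiver's `<policy_evaluated>` fields; the organizational-domain helper uses a "last two labels" simplification instead of the Public Suffix List, which is an assumption that breaks for names like example.co.uk.

```python
"""Summarize a DMARC aggregate (rua=) report: who sends as the domain, and what aligned.

Added example, not code from the thread or any DMARC vendor. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C format. For a real report, read
the XML file a receiver mailed to your rua= address and pass its text to
parse_aggregate_report().
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>brand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>20</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>30</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Organizational domain as 'last two labels' (assumption). Real receivers use
    the Public Suffix List, so this is wrong for names like example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Relaxed (r) alignment compares organizational domains; strict (s) needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def parse_aggregate_report(xml_text):
    """Return one dict per <record>, recomputing 'SPF aligned' / 'DKIM aligned'
    from <auth_results> instead of only trusting the receiver's verdict."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim, aspf = pub.findtext("adkim", "r"), pub.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        auth = rec.find("auth_results")
        # An identifier is aligned only if it both authenticated AND matches the From: domain.
        dkim_aligned = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from, adkim)
                           for d in auth.findall("dkim"))
        spf_aligned = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from, aspf)
                          for s in auth.findall("spf"))
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "spf_domains": [s.findtext("domain") for s in auth.findall("spf")],
            "dkim_domains": [d.findtext("domain") for d in auth.findall("dkim")],
            "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            # DMARC passes when EITHER identifier is aligned; the policy applies to the rest.
            "dmarc_pass": spf_aligned or dkim_aligned,
        })
    return rows


def summarize(rows):
    """Pass percentage plus the failing source IPs, which are the ones to trace back."""
    total = sum(r["count"] for r in rows)
    passing = sum(r["count"] for r in rows if r["dmarc_pass"])
    failing = {r["source_ip"]: r["count"] for r in rows if not r["dmarc_pass"]}
    return {"total": total, "pass_pct": round(100.0 * passing / total, 1), "failing_sources": failing}


if __name__ == "__main__":
    rows = parse_aggregate_report(SAMPLE_REPORT)
    for r in rows:
        print(f'{r["source_ip"]:>14} {r["count"]:>5} spf_aligned={r["spf_aligned"]} '
              f'dkim_aligned={r["dkim_aligned"]} dmarc_pass={r["dmarc_pass"]} -> {r["disposition"]}')
    print(summarize(rows))
```

On the constructed report the forwarder's 20 messages still pass (SPF authenticates for forwarder.example but is not aligned; DKIM for brand.example is), while the 30 from the unrecognized IP fail both and are the ones the receiver quarantined. The `spf_domains` / `dkim_domains` fields are what you look at to decide whether an unfamiliar source is a vendor you actually use or something to block.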