Email Authentication
“SPF Flattening” was invented by dmarcian as part of the initial release of the SPF Surveyor. For many years the functionality was flagged as “experimental.” Today, we’re concluding the experiment and sharing what we’ve learned. Sender Policy Framework (SPF) Background Email operators use SPF to identify themselves and their infrastructure when sending email across the internet. SPF was originally created by email operators around 2000 in response to Joe Job Attacks. At that time, spammers were making victims out of legitimate email operators by pretending to be them while sending spam. Legitimate operators were blamed for sending spam simply because there was no easy way to identify email operators and their infrastructure. Email operators publish SPF records to describe their email infrastructure. These records are specially formatted strings of text that live in the DNS. When receiving email, an email server looks at the domain of the sending operator’s email
On January 1, 2022, dmarcian launched its official MSP program. While we’ve worked with MSPs for many years, the formalized program was born out of a desire to reach more domain owners in an effort to spread DMARC even further into the ecosystem. More specifically, we recognized that SMBs, owning a healthy percentage of commercial domains, were quickly pushed through a digital transformation due to COVID-19 and were looking to MSPs for assistance through those changes. Now that we have come a full year since the program launch, we are taking this opportunity to reflect on what we’ve learned from MSPs and envision where we will take the program in the future. Our MSP program philosophy aligns with dmarcian’s mission of increasing accessibility to DMARC technology to make email and the internet safer. MSP Program Manager Joe Garner says, “We realized there was a huge group of email users that
Why Is SPF Flattening Relevant? SPF has a limit of 10 DNS Lookups; any mechanism (entry) requiring a lookup after the lookup limit will not be evaluated and will fail authentication. In some cases, people turn to SPF flattening tools to work around the 10 DNS lookup limit. When you add a new mechanism in your record, you require a new DNS lookup. The more services and third-parties that send on your behalf, the more complicated and bloated your record can become. SPF record flattening can be an easy answer, but is not the safest route. How Does SPF Flattening Work? In SPF Flattening, hostnames are converted to IP addresses, which don’t count in the DNS lookup tally. Then you create your SPF records using the IP addresses instead of the hostnames. dmarcian developed SPF flattening as an experiment to work around the DNS lookup limit. In IETF’s RFC 7208
In this article, we present a guide on deploying DMARC on Cisco’s Email Security Appliance(ESA). If you believe that you already have your system’s DMARC authentication and reporting set up correctly, please take the time to read through the information and compare it to your current settings. These settings are industry best practices, and we encourage you to not diverge from them. Your ESA’s AsyncOS version should be 13+. If 14, it should be 14.0.2 or greater due to a bug in lower versions of 14. NOTES: If you don’t set this up correctly, please don’t set it up at all. If it isn’t configured correctly, you’ll pollute valid data being sent from other sources, and your DMARC data may be blacklisted by aggregators. Varying settings from the recommendations in how or whether your environment performs SPF or DKIM verification will affect the ability of the system to perform adequate
In June 2021 we published research on DMARC adoption among the top 100 companies in Canada. Twenty months later, we evaluated the DMARC adoption rate and are excited to share those rosy results. Here’s the DMARC adoption rate comparison for Canada’s top 100 countries, measured in percentage increase or decrease, from June 2021 to February 2023: 154% increase of DMARC policies set to p=reject 114% increase of DMARC policies set to p=quarantine 18% decrease of DMARC policies set to p=none 57% decrease of companies lacking a DMARC policy Above all, a fifth of the top Canadian companies advanced their DMARC policies to the ultimate goal of a p=reject DMARC policy. With a p=reject policy in place, emails failing DMARC authentication aren’t delivered to the destined inbox. Another fifth took the initial step in securing their domains by establishing DMARC records. People typically begin their road to DMARC compliance by employing
This guide describes the process for configuring Sendinblue to send DMARC compliant messages. You will need to configure this source, and others you authorize, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject. To bring this source into DMARC compliance, you will need access to Sendinblue’s administrative account and the domain’s DNS management console. From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Sendinblue for the most complete and accurate information. General informationSendinblue provides a platform to send transactional and marketing emails. It is often used to send B2C (business-to-consumer) and B2B (business-to-business) emails. Many areas in your organization may use this service, including marketing, sales, and finance. Sendinblue supports DMARC compliance through DKIM and SPF alignment. DKIMTo configure DKIM, you will need to access the domain’s settings. There are two ways to do this:
This guide describes the process for configuring Mailgun to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject. To bring this source into DMARC compliance, you will need access to the Mailgun administrative account and the domain’s DNS management console. From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Mailgun for the most complete and accurate information. General informationMailgun provides an email delivery service that allows developers to integrate email into applications through APIs and SMTP. Many departments may use this service in your organization, but it is often managed by an application development team. Mailgun supports DMARC compliance through SPF and DKIM alignment. SPF & DKIMTo configure SPF and DKIM: In the Mailgun console, navigate to Sending>Overview
This guide describes the process for configuring Mailchimp Transactional to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject. To bring this source into DMARC compliance, you will need access to the Mailchimp Transactional administrative account and the domain’s DNS management console. From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Mailchimp Transactional for the most complete and accurate information. General informationMailchimp Transactional is a paid Mailchimp add-on that allows clients to send one-to-one transactional emails triggered by user actions, such as purchases or account activity. Sales and marketing as well as development teams may use this service in your organization. Mailchimp Transactional supports DMARC compliance through DKIM and SPF alignment. DKIMTo configure DKIM: Navigate to Settings in
Reports generated from our DMARC Management Platform give you insight into what is happening with a particular aspect of your domains. A useful resource to keep decision makers and stakeholders informed and updated relative to DMARC deployment and maintenance, reports help to bridge this gap. For dmarcian’s MSP and MSSP Partners, reports can be utilized to provide information to their client base. Since MSP clients can’t view their domain details on the dmarcian platform, reports are a way MSPs can keep their clients informed of their DMARC project. The following reports can be generated from our platform: Domain Status Reports: contains domain status information including email authentication deployment state and volume statistics. This report is based on the past seven days of data from the time it was generated. Issue Summary Reports: lists outstanding issues related to email authentication deployment. Account Progress Reports: provides an overview of all domains in
A year ago we surveyed DMARC adoption among the 100 global retailers based on revenue. With the 2022 holiday shopping season ramping up, we’re taking a look to see how retailers are progressing with DMARC adoption. Here’s the comparison, measured in percentage increase or decrease, from last year’s DMARC adoption numbers: 30% increase of DMARC policies set to p=reject 80% increase of DMARC policies set to p=quarantine 10% decrease of DMARC policies set to p=none 16% decrease of companies lacking a DMARC policy The trend illustrates a progression of DMARC compliance in the growth of p=quarantine and p=reject policies from 2021. That’s nothing but good news for retailers and their customers. For the retail, hospitality, and travel community, the holiday season is the most intense time of year for consumers and cybersecurity professionals facing persistent threats. From the beginning of October through the end of December, cyber threats to organizations
