DKIM and DMARC: first results

To improve delivery of our outgoing email, DKIM and DMARC were enabled for the it.ox.ac.uk domain on Thursday 16th November, as a proof of concept that these technologies are beneficial and don’t create new message delivery issues. Generally it is SPF records that cause issues, since a list of authorised servers is always going to flag up any unofficial ones that might be present…

Naturally for the first few days I’m keeping a close eye on message reporting and identifying anything which can be fine-tuned or improved. Here’s how the first three days with active DKIM and DMARC have gone so far. The University’s weekend email traffic is always significantly down on weekday usage, so there’s only one full working day with useful data to analyse so far:

  • Fully trusted
    SPF and DKIM are both successful; DMARC checks pass.
  • Partially trusted
    Either the SPF or the DKIM check succeeds; DMARC checks pass. These messages will still be delivered for all three DMARC policy settings. This is also the group to concentrate on to strengthen SPF or DKIM.

The next three categories all comprise DMARC failures, because SPF and DKIM checks have both failed. The exact outcome will depend upon your selected DMARC policy. In all three cases, these will help identify whether the failures relate to a system under your domain’s remit which requires reconfiguration, or are due to email being spoofed. Or both…

  • Untrusted
  • Quarantined – These emails are sent to the spam folder.
  • Rejected – These emails are not delivered to the user.

 

Initial observations

There were 254 messages flagged as ‘untrusted’, which is 17.6% of the total sent.

158 of those were from the LISTSERV mailing list platform.
100% of messages from the LISTSERV platform failed DMARC, likely because the current DMARC policy is ‘none’. Jiscmail’s handler automatically detects a DMARC policy of ‘reject’ or ‘quarantine’ and ensures successful delivery.

28 of those were untrusted but were still successfully delivered due to ARC being able to assert that DKIM was valid up to the last intermediate provider in the email delivery chain.

The proposed plan is therefore, as a next step, to move to a DMARC policy of ‘quarantine’ but with a percentage value of zero (pct=0). This has an effective outcome identical to the ‘none’ policy, but LISTSERV will cease spoofing our domain.
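An added example, not part of the original post: a small Python model of how a receiver following RFC 7489 turns SPF/DKIM results and the published policy into the categories listed above, showing why p=quarantine with pct=0 gives failing mail the same outcome as p=none. The record strings are constructed samples, and mapping ‘untrusted’ to a failure delivered with no policy applied is an assumption.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record into its policy and pct (pct defaults to 100)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record: %r" % txt)
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {"p": tags["p"].lower(), "pct": pct}

def classify(spf_ok, dkim_ok, record, roll):
    """Map one message to the post's categories.

    spf_ok / dkim_ok: the check passed and aligned with the From: domain.
    roll: the receiver's sampling draw, 0-99; the policy applies if roll < pct.
    """
    if spf_ok and dkim_ok:
        return "fully trusted"
    if spf_ok or dkim_ok:
        return "partially trusted"
    policy = record["p"]
    if roll >= record["pct"]:
        # RFC 7489: an unsampled 'reject' is treated as 'quarantine',
        # an unsampled 'quarantine' as if no policy applied.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return {"none": "untrusted", "quarantine": "quarantined", "reject": "rejected"}[policy]

def failure_outcomes(txt):
    """Every outcome a message failing both checks can get under this record."""
    record = parse_dmarc(txt)
    return {classify(False, False, record, roll) for roll in range(100)}

if __name__ == "__main__":
    # Constructed sample records, not the domain's published ones.
    for txt in ("v=DMARC1; p=none",
                "v=DMARC1; p=quarantine; pct=0",
                "v=DMARC1; p=quarantine; pct=25",
                "v=DMARC1; p=reject; pct=0"):
        print(txt, "->", sorted(failure_outcomes(txt)))
```

Note that pct=0 is only equivalent to ‘none’ for ‘quarantine’: with p=reject and pct=0, failing mail is stepped down to quarantine rather than delivered normally.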
