DMARC: Handling unknown sources
Our latest push for DMARC support has been a huge success. Once we get through it I'll publish the results. So far I've been handling some of the more in-depth questions about DMARC in support.
The number one question I get is:
What should I do with unknown/threats in reports?
First, let me explain exactly what these records are in the DMARC reports. The unknown/threats section shows a list of source IPs that have sent email for your domain, but whose messages neither passed SPF nor carried a valid DKIM signature for your domain. These sources could be email providers (Google, etc.), third-party apps (Campaign Monitor, etc.), or outright spammers spoofing your domain.
The main goal when reading these reports is to get as many legitimate sources as possible covered by your SPF record or signing with DKIM. This can be a slow process, since identifying each source can take a while. This is exactly why we recommend just monitoring your DMARC reports for a long period before setting a reject policy.
DMARC is AND / OR
The most confusing part of these reports is that seemingly legitimate sources (google.com) can show up under unknown/threats, even when you use SPF. How is that possible!?
A small but significant catch with SPF is that email forwarding by old or poorly written mail servers re-sends the message from an IP that is not authorized in your SPF record (sometimes rewriting headers along the way), so the SPF check fails. In this case, the messages will no longer be aligned with DMARC.
There's good news though:
What most people don't know is that for a message to be aligned with DMARC, it only needs one of DKIM or SPF to pass and align with the domain in the From: header, not both. This is the solution to the SPF problem.
By making sure your messages are covered by both SPF and DKIM, you will still be aligned even if the SPF check fails after forwarding. So while SPF is invalidated, DKIM will still hold up.
Short story: Make sure you cover your sources with both SPF and DKIM when possible.
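To make the AND / OR rule concrete, here is an added example (not code from the original post) that reads a DMARC aggregate report in the RFC 7489 XML format and decides, per source IP, whether the source is aligned via DKIM, via SPF, or is "unknown" because neither passed for the From: domain. The report, IPs and domains are constructed for illustration; the relaxed-alignment check is a simplification that treats a subdomain match as aligned rather than consulting the public suffix list.

```python
"""Classify source IPs in a DMARC aggregate (RUA) report by alignment.

A source is aligned when at least ONE of SPF or DKIM both passes and
matches the header From: domain; only sources with neither are "unknown".
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample report (RFC 7489 aggregate format). IPs, domains and
# counts are made up; they do not come from any real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example.org</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


@dataclass
class SourceVerdict:
    source_ip: str
    count: int
    header_from: str
    aligned_by: List[str]  # ["dkim"], ["spf"], ["dkim", "spf"] or [] when unknown

    @property
    def unknown(self) -> bool:
        return not self.aligned_by


def domains_aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') is approximated here
    as one domain being a subdomain of the other. Real relaxed alignment
    compares organizational domains via the public suffix list."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if a == h:
        return True
    if mode == "s":
        return False
    return h.endswith("." + a) or a.endswith("." + h)


def classify_report(xml_text: str) -> List[SourceVerdict]:
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim = (pub.findtext("adkim") or "r").strip()
    aspf = (pub.findtext("aspf") or "r").strip()
    verdicts = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count") or "0")
        header_from = rec.findtext("identifiers/header_from") or ""
        auth = rec.find("auth_results")
        aligned_by = []
        # DKIM aligns if ANY verified signature's d= domain matches From:.
        for d in auth.findall("dkim"):
            if d.findtext("result") == "pass" and domains_aligned(
                    d.findtext("domain") or "", header_from, adkim):
                aligned_by.append("dkim")
                break
        # SPF "pass" is for the MAIL FROM domain; it only helps if that aligns.
        for s in auth.findall("spf"):
            if s.findtext("result") == "pass" and domains_aligned(
                    s.findtext("domain") or "", header_from, aspf):
                aligned_by.append("spf")
                break
        verdicts.append(SourceVerdict(ip, count, header_from, aligned_by))
    return verdicts


def unknown_sources(xml_text: str) -> List[str]:
    """Source IPs that neither SPF nor DKIM aligned: the unknown/threats list."""
    return sorted({v.source_ip for v in classify_report(xml_text) if v.unknown})


if __name__ == "__main__":
    for v in classify_report(SAMPLE_REPORT):
        status = "UNKNOWN" if v.unknown else "aligned via " + "+".join(v.aligned_by)
        print(f"{v.source_ip:<14} count={v.count:<4} {status}")
```

The first record is the forwarding case from the text: SPF reports "pass", but for the forwarder's own MAIL FROM domain, so it does not align and the receiver's policy_evaluated shows spf=fail; the surviving DKIM signature is what keeps the message aligned. The second record is a third-party app signing with its own domain but sending from a subdomain listed in your SPF, so SPF carries alignment under relaxed mode. Only the third source, with neither mechanism passing for the domain, belongs in the unknown/threats list.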