I finally got my google reports for the past 2 days and I was able to run them through dmarcian.com.
I would say it takes about a week for a newly dmarc’ed domain to be pulled from the spambots to drop a domain. Since configuring dmarc started out with 4260 forwarders threat/unknown’s on 1/21 to a high of 10,025 on 1/27 moving to 181 for 1/30. I like that trend. Thanks, Ben > On Jan 27, 2016, at 7:45 PM, John Corey Miller via dmarc-discuss > <dmarc-discuss@dmarc.org> wrote: > > Thanks Tim! > > I currently don’t have a dmarcian account, I just use the site as a resource > for your tools and information. I could join up tomorrow when I get into > work if it would help you solve this problem. Our DKIM records had to be > changed just a couple of days prior to going to full reject if that might > have caused this… but drastic measures had to be taken as our dmarc reports > were showing something like 80-95% was straight up junk. > > Thanks, > John Miller > >> On Jan 27, 2016, at 6:51 PM, Tim Draegen via dmarc-discuss >> <dmarc-discuss@dmarc.org> wrote: >> >>> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss >>> <dmarc-discuss@dmarc.org> wrote: >>> >>> We have Google Apps for Business set-up with our domain name for our >>> business. >>> >>> Since making the change to fully reject mail that fails dmarc, the number >>> of messages counted as coming through "Forwarders" on our dmarc reports >>> when run through this tool https://dmarcian.com/dmarc-xml/ has drastically >>> increased. In many cases these new "Forwarders" are the same IPs that >>> previously were coming through as "Threat/Unknown" (clearly fishers.) >>> >>> Does this mean that after seeing that google started rejecting their >>> e-mails they changed something about how they're sending them to attempt to >>> circumvent these rejections? If so, does any action have to be taken to >>> prevent this circumvention? >> >> >> Hi John, >> >> FWIW, you can email supp...@dmarcian.com with any dmarcian-related >> questions. I spend a lot of time there answering questions.. which is a bit >> easier as then I can look & comment about your data! >> >> That said, some replies to this thread are likely true. If you're seeing >> the "forwarded" flag explicitly set, then this means the receiver in >> question accepted the email regardless of your published policy, as they >> understand the email to..well, be forwarded. >> >> It is not exactly common, but over the past few years certain >> spammers/phishers have figured out how to exploit servers that are being >> recognized as "forwarders" by the big players. Once these servers are >> identified, they try to deliver as much crap as they can before being >> stopped. And... the cycle continues. >> >> A different idea is that "reject" happened after putting in place DKIM >> signatures. The dmarcian site does a better job identifying "Forwarders" >> (as a category, and not as a flag in XML) when DKIM is in place. So if you >> did DKIM and reject at ~same time, this might be a factor. However, if >> you're seeing junk from all over the world, it's worth dropping a note to >> supp...@dmarcian.com and we'll package up your data along with a note to the >> bigger players to plug their holes. >> >> =- Tim >> >> _______________________________________________ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) > > > _______________________________________________ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
