I'd suggest a few things:
- You're looking a little too closely at daily changes, particularly around
implementation time. Allow the thing some time to settle, perhaps a month,
before considering next steps. Bear in mind that there are multiple,
independent good and evil actors here, each reacting to the others all the
time. This will take time to settle; a single day's (or week's) change is
unlikely to be actionable. Note in particular that the larger receivers are
almost certainly comparing their user feedback ("This is [not] Spam") with your
DMARC policy ([un]authenticated messages that get reported as [not-]spam) as an
input to their decision making. On the fairly small numbers that you're talking
about, this calculation could take weeks to converge.
- The Forwarder and Threat/Unknown categories in Dmarcian are a mix of
probabilistic assessments by email-receivers and by Dmarcian, not a reliable
indication of what the email messages in question contain. They're interesting,
but don't get hypnotised by them.
- How much is on-domain (vs. cousin-domain) impersonation costing you in
fraud/support/churn losses? If it's costing you thousands of dollars a month,
then by all means bring in the professionals. If you can't price it, or you
haven't done so yet, or it's a trivial amount, then you're probably done.
- Roland
Roland Turner
Labs Director
Mobile: +65 9670 0022
3 Phillip Street, #13-03 Royal Group Building, Singapore 048693
________________________________
www.trustsphere.com
________________________________________
From: dmarc-discuss <[email protected]> on behalf of Ben
Greenfield via dmarc-discuss <[email protected]>
Sent: Sunday, 7 February 2016 18:42
To: dmarc-discuss
Subject: [dmarc-discuss] Experience 16 days with DMARC
First off I think DMARC is great and I’m happy with and want to try to use the
information to protect my domain name.
I have been using dmarcian.com to analyze the reports and any terminology I use
should be considered in the context of their tools. Their tools are all I know…
so far.
Since I started receiving DMARC reports and tracked down a few specific domain
names from DMARC reports to actual emails, I’m comfortable with most of the
traffic I see in Forwarders categories and it’s great to see some with 100%
DKIM survival.
I’m assuming that most of the servers in the category of forwarder are just
moving mail around the world.
Threat/Unknown: I take this to mean emails that have my domain in the From field
and are trying to deliver the forged email.
This had fluctuated from around 4200 when I started on Jan. 22nd to a low of
1900 emails on Jan. 30th; this had a steady climb of up to 5985 on Feb. 4th
before spiking to 15,516 on Feb. 5th.
I see these fluctuations reflected in SpamCop’s spam volume. Almost all the
heavy traffic is coming from, in order:
Vietnam
India
Brazil
UA
Russia
Is there anything I should be doing to try to clean up this problem?
Is DMARC the best I can do right now?
Thanks,
Ben
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)