Recently 250ok released a study, that I wrote, on the adoption of DMARC in the online retail space, titled “DMARC Adoptions Among e-Retailers“, that reviewed the minimum standards of authentication that a domain owner should be able to adopt without any significant investment in server or network configuration. This report focused on the implementation of Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). Both are authentication solutions that require an understanding of your network configuration and a DNS record to implement, no additional servers to buy or software to install.

There are several noteworthy items in the report but here are a few that I think really stand out:

  • Set and forget policies on SPF – We found several domains with records that went beyond the maximum of 10 DNS look-ups, one as high as 97 look-ups due to include:domain policies that were improperly configured. As people continue to outsource services they should look to use subdomains instead of their root domain as this can cause excessive look-ups in your SPF records and impact your root domains authentication. Review your SPF records regularly to make sure you remove old vendors from the records and that don’t exceed the maximum number of look-ups.
  • Brands are not protecting all their domains – Many brands utilize a small number of the domains that they own for actual communications across many different web properties however they fail to authenticate all of their domains the same, even domains not sending mail will benefit from a “no mail” record.
  • Using services blindly – Many records I looked at for DMARC are configured, but reports are not being sent anywhere. The most powerful part of DMARC is the daily feedback on your domains and knowing what emails are being sent on your behalf, especially if you didn’t send them.

Take a few minutes are read the report, I promise it wont take long, as you might find that your business is also breaking some of these rules when it comes to DMARC and SPF configurations.

Tools to review:

  • SPF Analyzer – Identify your current records and are they working properly?
  • DMARC Wizard – Build a simply DMARC policy and start to understand how your domain is being used, and possibly abused.
  • DMARC Reporting – If you need a tool to help interpret the DMARC reports you receive.
* Note: I work at 250ok, and and posting this without and expectation or financial incentives… I’m just really proud of the report.