r/DMARC

▲ 23 r/DMARC+1 crossposts

The company I work for (DMARCeye) just released a Q1 report focusing on DMARC-engaged domains. Title of the post was the main key finding. I think the charts are fun to look at so I thought it would be worth sharing the link (no gating or other business tricks, just info).

Other key findings are that 1) Compliance rises sharply with sending volume (domains sending under 100 emails per month average 62% compliance; domains sending over 10M average 99.8%), probably because bigger senders are forced into compliance. 2) 94% of domains at p=reject enforce at 100% from day one - i.e. the pct mechanism was rarely used in practice, which is probably why DMARCbis plans to remove it.

research.dmarceye.com
u/Jack_Mana — 2 days ago
▲ 96 r/DMARC+2 crossposts

I’ve been looking at phishing resistance around UK government domains, especially in the context of HMRC impersonation, and found something I thought this sub might find interesting.

When querying TXT records for undelegated / non-existent gov.uk domains, the namespace appears to return email authentication records anyway.

For example:
dig TXT randomstring.gov.uk

returns:

randomstring.gov.uk. 1800 IN TXT "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk"
randomstring.gov.uk. 1800 IN TXT "v=spf1 ?all"

If this is intentional, it’s a pretty powerful defensive pattern.

The usual anti-spoofing controls protect domains you own and operate. But attackers often abuse names that do not exist yet, for example:

hmrc-tax-refund.gov.uk
secure-hmrc-payment.gov.uk
randomstring.gov.uk

If those domains are undelegated and return no DNS, there’s normally no SPF or DMARC policy for receivers to evaluate. In this case, gov.uk seems to be closing that gap by making undelegated direct subdomains signal “don’t trust mail from here”.

I haven’t found public documentation from GDS, NCSC, or others describing this as a namespace-level anti-phishing control, so I’m curious whether anyone has seen it documented or knows more about the implementation.

A few observations:

  • This seems to apply to direct *.gov.uk names.
  • I didn’t see the same behaviour for nhs.uk or gov.scot.

The broader point is that most organisations protect the domains they use. This looks like an attempt to protect the surrounding namespace too, which is a much more ambitious phishing defence.

I wrote up the full notes here, including background on HMRC phishing and why this matters:

https://cybaa.io/blog/2026-04-27/gov-uk-namespace-spoofing-protection

I would be interested to hear whether others have seen similar namespace-level SPF/DMARC handling elsewhere or any public information about gov.uk implementing this.

u/JoeTiedeman — 12 days ago
▲ 5 r/DMARC

I work for a company that sends tens of thousands of mails every month; they reported that they have received spam, so we contacted our web hosting to modify our DMARC from Quarantine to Reject.

The thing is, the week after that change a user reported that their mail to some companies in Asia was rejected, bounced or never arrived. I did some basic tests (Telnet, Test-NetConnection) and that server was down or having problems, so I reported the case.

The next day the server was up, but they reported the same problem with another company from Europe. Same tests, server is up, so I got the email resent to me to see the internet headers:

DKIM=none
SPF=pass

In MxToolBox, when I check the subdomain IP addresses, both hostnames say they don't support TLS; I checked our web hosting, and we do have TLS on certain ports; and lastly, one says Reverse DNS doesn't match SMTP Banner and doesn't contain hostname.

TL;DR: I'm fucking lost. I got this job as TI due to being a programmer and wanting to get experience, but networking, I haven't seen such a thing in years.

u/No-Hotel1162 — 6 days ago
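The receiver-side logic behind both the gov.uk records quoted above and the DKIM=none / SPF=pass headers in the bounce question, as an added Python example that is not code from either post: it parses the DMARC and SPF TXT records a receiver fetches, then applies RFC 7489 alignment to a message's authentication results. The two-label organizational-domain rule is an assumption (real receivers use the Public Suffix List), and the example.com message values in the comments are constructed.

```python
# Added example (not from either post). Constructed copy of the two TXT records the
# gov.uk post shows for an undelegated name.
GOVUK_TXT = [
    "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk",
    "v=spf1 ?all",
]

def parse_dmarc(txt_records):
    """Return the tag dict of the single valid DMARC record, else None (RFC 7489 s6.6.3)."""
    found = []
    for txt in txt_records:
        tags = {}
        for part in txt.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        if tags.get("v") == "DMARC1" and "p" in tags:
            found.append(tags)
    if len(found) != 1:             # zero or several records: no usable policy
        return None
    pol = found[0]
    pol.setdefault("adkim", "r"); pol.setdefault("aspf", "r")   # relaxed is the default
    return pol

def spf_all_result(txt_records):
    """SPF result for a host matching no mechanism: decided by the qualifier on 'all'."""
    for txt in txt_records:
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                if term.lstrip("+-~?").lower() == "all":
                    return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "none"

def org_domain(name):
    # Assumption for this example: last two labels. Real receivers use the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":                 # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(policy, from_domain, spf, spf_domain, dkim, dkim_domain):
    """Return (dmarc_result, disposition); one aligned pass is enough (RFC 7489 s6.6.2)."""
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]
```

For the undelegated gov.uk name every sender gets SPF neutral, so with no DKIM the message fails DMARC and lands on p=reject; for a message with SPF=pass on an aligned MAIL FROM domain and DKIM=none, DMARC passes under relaxed alignment but fails under aspf=s.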
▲ 19 r/DMARC

Spent some time analyzing DMARC report emails from the last 3 days across nearly 3,500 reporting organizations and the results surprised me enough that I figured this subreddit would appreciate it.

When looking at organizations that sent a substantial volume of reports, only 9 were fully RFC compliant. Most major senders had at least one issue.

The most common problems were pretty basic: missing required fields like version, envelope_from, and SPF scope, invalid attachment filenames/media types, empty <sp/> tags, and invalid values like sampled_out, unknown, hardfail, and even Pass with a capital P.

Some big providers came close. Comcast, Microsoft, and Fastmail were nearly compliant but still had edge case issues.

Others were much worse. Yahoo, Google, Amazon SES, and Mimecast generated large volumes of non-compliant reports.

At scale, these “small” XML issues become real interoperability problems. They break parsers, create data loss, and force DMARC platforms to build endless parser workarounds.

What surprised me most is how something as clearly documented as an RFC can still be implemented so inconsistently, even by some of the organizations that helped shape the standard. Looking at you, Google, Microsoft, and Yahoo 😄

And for anyone thinking “how hard can parsing DMARC aggregate reports be?”, expect the unexpected. Real-world DMARC data is full of edge cases, missing fields, invalid values, and creative interpretations of the spec that you won’t find in the RFC examples.

More details here: https://www.uriports.com/blog/dmarc-reports-ietf-rfc-compliance/

u/freddieleeman — 7 days ago
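A strict checker for the report defects the post lists (missing version, envelope_from and SPF scope, an empty <sp/>, "hardfail", "Pass" with a capital P), as an added Python example that is not code from the post or from uriports. It enforces a subset of the RFC 7489 Appendix C schema over a constructed sample report.

```python
# Added example (not from the post or uriports). Checks a subset of the RFC 7489
# Appendix C aggregate-report schema: required elements and case-sensitive enums.
import xml.etree.ElementTree as ET

DISP = {"none", "quarantine", "reject"}
TOP_ENUMS = {                      # paths relative to <feedback>
    "policy_published/p": DISP, "policy_published/sp": DISP,
    "policy_published/adkim": {"r", "s"}, "policy_published/aspf": {"r", "s"},
}
REC_ENUMS = {                      # paths relative to each <record>
    "row/policy_evaluated/disposition": DISP,
    "row/policy_evaluated/dkim": {"pass", "fail"}, "row/policy_evaluated/spf": {"pass", "fail"},
    "auth_results/dkim/result": {"none", "pass", "fail", "policy", "neutral", "temperror", "permerror"},
    "auth_results/spf/result": {"none", "neutral", "pass", "fail", "softfail", "temperror", "permerror"},
    "auth_results/spf/scope": {"helo", "mfrom"},
}
TOP_REQUIRED = ["version", "report_metadata/org_name", "report_metadata/report_id",
                "policy_published/domain", "policy_published/p"]
REC_REQUIRED = ["row/source_ip", "row/count", "row/policy_evaluated/disposition",
                "identifiers/envelope_from", "identifiers/header_from", "auth_results/spf/scope"]

def validate_report(xml_text):
    """Return a list of problems; empty means the checked subset is compliant."""
    root = ET.fromstring(xml_text)
    problems = []
    def check(node, required, enums, where):
        for path in required:
            if node.find(path) is None:
                problems.append(f"{where}: missing required {path}")
        for path, allowed in enums.items():
            for el in node.findall(path):
                val = (el.text or "").strip()          # empty <sp/> becomes ''
                if val not in allowed:                  # 'Pass' != 'pass'
                    problems.append(f"{where}: invalid {path} value {val!r}")
    check(root, TOP_REQUIRED, TOP_ENUMS, "feedback")
    for i, rec in enumerate(root.findall("record"), 1):
        check(rec, REC_REQUIRED, REC_ENUMS, f"record {i}")
    return problems

# Constructed sample carrying several of the defects described in the post.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example.net</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><sp/><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>Pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>hardfail</result></spf></auth_results>
  </record>
</feedback>"""
```

Running validate_report(SAMPLE_REPORT) returns six problems, one per planted defect; a parser that wants to keep such reports rather than drop them would log these and then apply whatever lenient mapping it chooses.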
▲ 3 r/DMARC

I tried searching and I think it will be fine, but I'm hoping to leverage the collective mind of r/DMARC for a question.

I would like to configure two e-mail addresses for use as DMARC rua and ruf targets in our DMARC policies. Then configure our mail system to forward the messages to our DMARC aggregation service.

My plan would be to use Amazon SES and a Mail Manager rule or Lambda function to handle the forwarding while also storing the aggregate reports in S3.

Question:
Is forwarding the reports in this way allowed within the DMARC spec?

Why:

We have a bunch of companies in Europe who are overly sensitive about the data in forensic reports (possibly rightly so) and this will allow us to explicitly control those reports. It will be less scary for compliance and audit people if they see an e-mail address on a domain we control rather than a 3rd party. Not a great technical reason, but sometimes this is the easy button.

For the aggregate reports, this will allow us to easily add or change services without having to update hundreds of DMARC records (we have something like 200+ domains globally, plus sub-domains with separate DMARC records/policies). We would just need to update the message forwarding rules. It would also allow us to keep the reports longer or analyze them elsewhere if we so desired. With S3 storage being fairly cheap, and the Glacier storage tiers making it even cheaper (assuming minimum object sizes are met), we could keep the data around as long as we want.

u/vppencilsharpening — 7 days ago
▲ 9 r/DMARC

Staff from mailbox provider GMX/WEB.DE/mail.com (1&1 Mail & Media GmbH) have just announced on the Mailop list that they'll begin enforcement of DMARC checks in a phased rollout over the coming weeks.

What does this mean? It means that if you publish a DMARC policy of p=reject for your email domain, they will now reject email from that domain, during the SMTP transaction, if that mail does not pass email authentication checks and lacks DMARC alignment.

Messages that fail those email authentication checks will be rejected with an error stating "554 Transaction failed Reject due to domain's DMARC policy." Learn more about that here: https://postmaster.mail.com/en/case?c=r2001

If you're wondering how big this mailbox provider is, they say that they have 42 million active users.

u/aliversonchicago — 8 days ago