By: Nicola

Nicola — Sat, 16 Dec 2023 13:04:22 +0000

Great article.
At one occasion, after implementing DMARC for our domains (we completed the clean-up in a few months, using MxToolBox professional services), we were pretty much sure that our outgoing emails were well delivered and we could redirect complaining external receivers to their own IT teams and (far more important) we gained visibility on shadow IT developments.
After a few months, i suggested to block/quarantine incoming emails from external correspondants failing DMARC checks.
The conversation went like:
IT: “By intercepting DMRC non compliant message, we will decrease the surface attack for mail-vector attacks”
Buisness:”We cannot miss emails”,
IT: “We should invite pur correspondents to make sure their mail traffic is well formatted”
Business: “We cannot oblige our correspondents to change anything.”

Of course we had other armors availble to protect our mailboxes from nasty emails, but at the time I was not able to push for that.

Basically ww were armoring outgoing traffic, but still leaving room to suspect incoming traffic.

The digital world is not an ideal place.

It would be better if basic IT features were enabled, adopted and promoted by as many organization.

Thanks!

Nicola Guarino

By: Manuel Pereira

Manuel Pereira — Wed, 09 Aug 2023 21:17:52 +0000

Yes, by default DMARC policy is relaxed, only if you use the tags to require stric on SPF, DKIM or both they have to comply. Otherwise SPF or DKIM it’s enough. Also some values are implicit, e.g. no need to use pct=100, etc. It you want to use the default values.

By: Greg Thomson

Greg Thomson — Wed, 05 Jul 2023 10:08:55 +0000

Nice article.
I think a DMARC pass only requires domain alignment with SPF or DKIM not “and”. Part of the rational for DKIM was to authenticate email passing through intermediary mail servers that were not the original senders and so not in their SPF.

Comments on: Microsoft Brings Improvements to DMARC

By: Nicola

By: Manuel Pereira

By: Greg Thomson