I'd suggest a few things:

- You're looking a little too closely at daily changes, particularly around implementation time. Allow the thing some time to settle, perhaps a month, before considering next steps. Bear in mind that there are multiple, independent good and evil actors here, each reacting to the others all the time. This will take time to settle, a single day's (or week's) change is unlikely to be actionable. Note in particular that the larger receivers are almost certainly comparing their user feedback ("This is [not] Spam") with your DMARC policy ([un]authenticated messages that get reported as [not-]spam) as an input to their decision making. On the fairly small numbers that you're talking about, this calculation could take weeks to converge.

- The Forwarder and Threat/Unknown categories in Dmarcian are a mix of probabilistic assessments by email-receivers and by Dmarcian, not a reliable indication of what the email messages in question contain. They're interesting, but don't get hypnotised by them.

- How much is on-domain (vs. cousin-domain) impersonation costing you in fraud/support/churn losses? If it's costing you thousands of dollars a month, then by all means bring in the professionals. If you can't price it, or you haven't done so yet, or it's a trivial amount, then you're probably done.

- Roland

Roland Turner
Labs Director
Mobile: +65 9670 0022
3 Phillip Street, #13-03 Royal Group Building, Singapore 048693
www.trustsphere.com

________________________________________
From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Ben Greenfield via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Sunday, 7 February 2016 18:42
To: dmarc-discuss
Subject: [dmarc-discuss] Experience 16 days with DMARC

First off, I think DMARC is great and I’m happy with it and want to try to use the information to protect my domain name.

I have been using dmarcian.com to analyze the reports, and any terminology I use should be considered in the context of their tools. Their tools are all I know… so far.

Since I started receiving DMARC reports and tracked down a few specific domain names from DMARC reports to actual emails, I’m comfortable with most of the traffic I see in the Forwarders categories, and it’s great to see some with 100% DKIM survival. I’m assuming that most of the servers in the category of forwarder are just moving mail around the world.

Threat/Unknown: I take this to mean emails that have my domain in the From field and are trying to deliver the forged email.

This had fluctuated from around 4200 when I started on Jan. 22nd to a low of 1900 emails on Jan. 30th; this had a steady climb of up to 5985 on Feb. 4th before spiking to 15,516 on Feb. 5th. I see these fluctuations reflected in SpamCop’s spam volume.

Almost all the heavy traffic is coming from, in order:

Vietnam
India
Brazil
UA
Russia

Is there anything I should be doing to try to clean up this problem?

Is DMARC the best I can do right now?

Thanks,
Ben

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
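
An added example, not part of the thread above: one way to act on the advice about not reading single-day changes is to roll RFC 7489 aggregate reports up into ISO-week totals of DMARC pass and fail counts before comparing periods. The function names and the sample reports are constructed for illustration, and the standard aggregate report XML layout is assumed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

def make_report(ymd, rows):
    """Build a constructed RFC 7489-style aggregate report (sample data only)."""
    begin = int(datetime(*ymd, tzinfo=timezone.utc).timestamp())
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>"
        for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><date_range><begin>{begin}</begin>"
            f"<end>{begin + 86400}</end></date_range></report_metadata>"
            f"{recs}</feedback>")

# Constructed daily reports; source IPs are documentation addresses.
SAMPLE = [
    make_report((2016, 1, 25), [("192.0.2.10", 900, "pass", "pass"), ("198.51.100.7", 300, "fail", "fail")]),
    make_report((2016, 1, 30), [("192.0.2.10", 800, "pass", "fail"), ("198.51.100.7", 200, "fail", "fail")]),
    make_report((2016, 2, 4), [("192.0.2.10", 1000, "pass", "pass"), ("203.0.113.5", 500, "fail", "fail")]),
    make_report((2016, 2, 5), [("192.0.2.10", 1000, "fail", "pass"), ("203.0.113.5", 1500, "fail", "fail")]),
]

def weekly_rollup(reports):
    """Return {(iso_year, iso_week): {"pass": n, "fail": n}} summed over reports."""
    weeks = defaultdict(lambda: {"pass": 0, "fail": 0})
    for xml_text in reports:
        # Reports come from third parties: use a hardened parser
        # (for example defusedxml) when handling real ones.
        root = ET.fromstring(xml_text)
        begin = int(root.findtext("report_metadata/date_range/begin"))
        iso = datetime.fromtimestamp(begin, tz=timezone.utc).isocalendar()
        for row in root.iterfind("record/row"):
            pe = row.find("policy_evaluated")
            # DMARC passes when either aligned DKIM or aligned SPF passes.
            ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
            weeks[(iso[0], iso[1])]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(weeks)

def fail_share(bucket):
    """Fraction of a bucket's messages that failed DMARC evaluation."""
    total = bucket["pass"] + bucket["fail"]
    return bucket["fail"] / total if total else 0.0

if __name__ == "__main__":
    for week, bucket in sorted(weekly_rollup(SAMPLE).items()):
        print(week, bucket, f"fail share {fail_share(bucket):.1%}")
```

Comparing the weekly fail share rather than raw daily counts keeps a one-day spike from one source in proportion to the legitimate volume seen over the same period.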