There are multiple services, such as Valimail or Dmarcian or whatever which can help you make that decision, though perhaps they're all a bit biased towards actually making the transition to quarantine/reject.
It may be possible to switch to quarantine until the blast is contained. You do have multiple months of data to see what would be affected. That's also what I imagine these companies spend a lot of effort on is helping you identify what sending services will be affected when you make the switch. Brandon On Sat, Dec 9, 2017 at 2:10 PM The Venus Project Postmaster < postmas...@thevenusproject.com> wrote: > Thanks for the information and suggestions. It was helpful. > > I've been monitoring https://postmaster.google.com for the last two > months and, surprisingly, DMARC authentication was consistently at 100% > that entire time, right since after I posted my message to this list. But a > few days ago, about December 5th, it dropped to almost 0%. See attached > image. > > I then cross-checked with the feedback reports (we get those in > dmarcian.com) and it looks like right at December 5th there was a big > spike in fraudulent emails pretending to be sent from our domain. See > attached screenshot from dmarcian.com's interface. > > So the DMARC authentication percentage in the Google Postmaster Tool would > indeed appear to be separate/independent from the SPF and DKIM > authentication. That does seem counterintuitive to me. > > Would you have any recommendation on DMARC policy to use in this > situation? I don't know if p=quarantine would be justified with such an > amount of fraudulent senders. I imagine if we make our policy p=quarantine, > some genuine emails might end up in recipients' Spam folders due to > whatever temporary technical glitches with authentication, so I am not too > sure how to weigh the positives and negatives of such policy change. I also > don't know what damage these fraudulent senders might be causing to our > domain reputation or anything else. > > Thanks, > Borislav > The Venus Project Postmaster Team > www.thevenusproject.com > > On 10/5/2017 9:18 PM, Brandon Long wrote: > > That graph is awful, especially how it's conflating those three things. > > My guess (I don't know much about the postmaster tools), is that SPF is > only judging what has an envelope sender for your domain, DKIM is only > judging what has a DKIM signature, and DMARC is judging what is "From" your > domain. > > Given that is has "dmarc" on it, you'd think the graph would be about > dmarc and alignment, and the three lines would all be judged on the same > messages, but I'm guessing it's not. Ie, you'd think it was all messages > From your domain, and then the dmarc output would match where spf and dkim > failed. > > My guess is what you're seeing is because you're p=none, and so some of > your messages which have your From domain are being sent through GSuite > mailing lists (which are used for most GSuite aliases like > sa...@gsuitecustomer.com, so quite common), and because you're p=none, we > don't rewrite the From, and we do remove the DKIM signature (since it would > be broken) and the envelope sender will be the list (so not affecting your > SPF). This will likely be what you find in your dmarc aggregate report. > If you were to go p=quarantine or reject, GSuite Groups would start > rewriting the from and the dmarc failures would likely go down or away for > you. > > Brandon > > On Thu, Oct 5, 2017 at 4:24 AM, Roland Turner via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > >> Is the information in this graph consistent with what's in Google's >> aggregate feedback? (This is to determine whether Google's DMARC >> implementation is broken, or just the postmaster tool.) >> >> - Roland >> >> >> >> On 05/10/17 18:51, The Venus Project Postmaster via dmarc-discuss wrote: >> >> Hi everyone, >> >> For the past several months we have been experiencing ups and downs in >> our DMARC authentication with Gmail, as seen from Google's postmaster tool >> (see attached screenshot). DKIM and SPF authentication are consistently at >> 100%, but DMARC authentication varies wildly, although there have been no >> configuration changes on our side. >> >> Our DMARC DNS record seems to be set up properly. >> >> Some time ago I contacted the Google postmaster team through their >> feedback form, but nothing followed. >> >> Does anyone have any suggestions on what could be causing this (could it >> be anything on our end?) and what we could do to resolve it? >> >> Thanks in advance, >> Borislav >> The Venus Project Postmaster Team >> www.thevenusproject.com >> >> >> _______________________________________________ >> dmarc-discuss mailing >> listdmarc-discuss@dmarc.orghttp://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >> >> >> >> _______________________________________________ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >> > > >
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)