On Mon, Aug 17, 2020 at 1:00 PM Luis E. Muñoz <dmarc-ietf.org=40lem.cl...@dmarc.ietf.org> wrote:

> On 14 Aug 2020, at 12:47, Neil Anuskiewicz wrote:
>
> > Under 50% of companies have any DMARC record. Of those who deploy DMARC,
> > about ~2% have p=quarantine and ~5% p=reject, though some industries such
> > as finance it looks like it's closer to 15% p=reject. I'm sure these
> > numbers aren't perfect but what you have likely isn't radically
> > different.
>
> My numbers are inverted regarding quarantine vs reject, as I posted on
> this list:
>
> On 30 Jul 2020, at 18:01, Luis E. Muñoz wrote:
> >
> > I am currently observing ~215.5 million domain names. Out of those,
> > ~64 million have a seemingly _valid_ SPF record and ~113 million with
> > at least one MX record.
> >
> > This is a current breakdown of the (valid) DMARC records I am
> > observing over the general domain population above. This amounts to an
> > adoption rate of ~1.7%.
> >
> > | p          |   count |
> > | :--------- | ------: |
> > | none       | 2715614 |
> > | quarantine |  238584 |
> > | reject     |  726045 |
>
> Numbers have moved a bit since then, but not much. I'm seeing 3:1 reject
> to quarantine ratio across the board.
>
> > Why is adoption low? Is that a big problem? Why so few aggressive
> > policies?
> > Is that a big problem?
>
> DMARC can be quite useful even with p=none. This use case provides
> insight on what's going on and sometimes, that's all that is wanted.
> Moving to more aggressive policies requires a degree of control on the
> mail flows that not all organizations are prepared to exercise, IMO.

Yes, I completely agree, p=none is useful. It's helped me help the client (I'm basically an IT freelancer) make sure all their email sources' DKIM and SPF's squared away. More interesting, DMARC's found things that have surprised clients. Wait, who's using ESP X? Some detective work and a few days later... Okay, it's the such and such office or sometimes even individuals. And there's oh right we do use Y. Let's get that authenticated.
So it's legit sources that need to be authenticated, semi-legit sources that either need to be authenticated and viewed as fully legit or told to stop and there's sources that are legit but have been running on autopilot. Let's think about whether we need this or what changes we can make to it. This aspect serves as a sort of internal audit of email sources and authentication. DMARC's been very, very useful for that. Then there's discovering spoofing sometimes, of course.

Neil
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
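
The source audit described in the reply above works from the aggregate (rua) reports that a p=none record collects. The following is an added example, not part of the original thread: it lists the sending IPs whose mail failed DMARC alignment and the domains they did authenticate as. It assumes un-namespaced RFC 7489 report XML; the function names and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>esp-x.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp-x.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>unknown.invalid</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def audit_sources(report_xml):
    """Return {source_ip: {"count", "aligned", "auth_domains"}} for one report."""
    # Reports come from third parties; parse with a hardened XML parser in production.
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"count": 0, "aligned": 0, "auth_domains": set()})
    for rec in root.iter("record"):
        entry = sources[rec.findtext("row/source_ip")]
        n = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        results = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        entry["count"] += n
        entry["aligned"] += n if "pass" in results else 0
        # Domains that passed raw SPF/DKIM hint at which service sent the mail.
        for res in rec.findall("auth_results/*"):
            if res.findtext("result") == "pass":
                entry["auth_domains"].add(res.findtext("domain"))
    return dict(sources)

def unaligned(sources):
    """Sources that sent any DMARC-failing mail, largest volume first."""
    bad = [(ip, s) for ip, s in sources.items() if s["aligned"] < s["count"]]
    return sorted(bad, key=lambda item: -item[1]["count"])

if __name__ == "__main__":
    for ip, s in unaligned(audit_sources(SAMPLE_REPORT)):
        print(ip, s["count"], sorted(s["auth_domains"]) or "no passing SPF/DKIM")
```

A source that fails alignment but passes SPF or DKIM for a third-party domain is typically a service sending on the organization's behalf that still needs to be set up to authenticate as the organization's domain; one with no passing result at all is the candidate for forwarding or spoofing review.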