Re: [dmarc-ietf] Stats on DMARC adoption ?
On Thu 14/Apr/2022 05:54:32 +0200 Seth Blank wrote: On Wed, Apr 13, 2022 at 2:25 PM Jim Fenton wrote: On 12 Apr 2022, at 20:39, Seth Blank wrote: Policies: https://dmarc.org/2022/03/dmarc-policies-up-84-for-2021/ Those are domains which publish a policy. An alternative graph here: https://dmarc.org/stats/farsight/dmarc/ The number published by a European research is about the double. They say that 8,129,795 out of 246,425,997 domains exhibit a DMARC record (3.3%). https://data.europa.eu/doi/10.2759/473317 (chapter 17, table 31). Dmarcian has a Fortune 100, 2021/2022, per-policy statistics: https://dmarcian.com/fortune-100-dmarc-policies/ In their home page, they count 1,776,500 monitored domains (35.7% or 21.8%). Counting domains is undoubtedly easier than counting validated mailboxes. My personal domain count, since one year ago, shows 9.3% domains having a DMARC record; 4.1% of the latter having "dmarcian.com" in their rua. (However, I, for one, send ag reports to Dmarcian without publishing their email address on my DMARC record.) For mailboxes that implement DMARC and send reports, Valimail (and Dmarcian I believe) have historically tracked and published that. [...] Out of curiosity, what does “properly validate DMARC” mean and how do you measure it? If it means “retrieved the DMARC record”, that’s a metric but not all that meaningful. I run Spamassassin so I probably would be part of that metric but I’m not doing anything with the result. For that matter, Spamassassin used to retrieve ADSP records. If, on the other hand, it means that the recipient domain is acting on a DMARC-published policy, that would be meaningful but I’m not sure how one would measure that. I don't think there is any available method to _check_ that a mail server acts on published policies correctly, including alignment considerations, sp= and np=. Checking also the accuracy of their aggregate reports would be a further step. Measuring how many domains do so seems to me to be beyond reach. Yes, "properly validates DMARC" means the mailbox provider validates and handles the message per RFC 7489. This is easy to measure, because there aren't that many large mailbox providers, and most are a) public with how many mailboxes they represent, b) public with the fact that they validate DMARC, and c) (in nearly all the cases, sans Microsoft) send reports which can be used to confirm the proper handling of messages per published policy. I'd call that a rough estimate, no? Best Ale -- ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Stats on DMARC adoption ?
On Wed, Apr 13, 2022 at 2:25 PM Jim Fenton wrote: > On 12 Apr 2022, at 20:39, Seth Blank wrote: > > > Policies: https://dmarc.org/2022/03/dmarc-policies-up-84-for-2021/ > > > > For mailboxes that implement DMARC and send reports, Valimail (and > Dmarcian > > I believe) have historically tracked and published that. I'll hunt down > > that data tomorrow. Off the top of my head, it was about 80% of mailboxes > > globally (4bn+) properly validate DMARC, and the majority of those send > > reports, with the notable exception of Microsoft, which is now finally > > starting to do that. > > Out of curiosity, what does “properly validate DMARC” mean and how do you > measure it? If it means “retrieved the DMARC record”, that’s a metric but > not all that meaningful. I run Spamassassin so I probably would be part of > that metric but I’m not doing anything with the result. For that matter, > Spamassassin used to retrieve ADSP records. > > If, on the other hand, it means that the recipient domain is acting on a > DMARC-published policy, that would be meaningful but I’m not sure how one > would measure that. > Yes, "properly validates DMARC" means the mailbox provider validates and handles the message per RFC 7489. This is easy to measure, because there aren't that many large mailbox providers, and most are a) public with how many mailboxes they represent, b) public with the fact that they validate DMARC, and c) (in nearly all the cases, sans Microsoft) send reports which can be used to confirm the proper handling of messages per published policy. S > > -Jim > -- *Seth Blank * | Chief Product Officer *e:* s...@valimail.com *p:* 415.273.8818 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system. ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Stats on DMARC adoption ?
On 12 Apr 2022, at 20:39, Seth Blank wrote: > Policies: https://dmarc.org/2022/03/dmarc-policies-up-84-for-2021/ > > For mailboxes that implement DMARC and send reports, Valimail (and Dmarcian > I believe) have historically tracked and published that. I'll hunt down > that data tomorrow. Off the top of my head, it was about 80% of mailboxes > globally (4bn+) properly validate DMARC, and the majority of those send > reports, with the notable exception of Microsoft, which is now finally > starting to do that. Out of curiosity, what does “properly validate DMARC” mean and how do you measure it? If it means “retrieved the DMARC record”, that’s a metric but not all that meaningful. I run Spamassassin so I probably would be part of that metric but I’m not doing anything with the result. For that matter, Spamassassin used to retrieve ADSP records. If, on the other hand, it means that the recipient domain is acting on a DMARC-published policy, that would be meaningful but I’m not sure how one would measure that. -Jim ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Stats on DMARC adoption ?
Policies: https://dmarc.org/2022/03/dmarc-policies-up-84-for-2021/ For mailboxes that implement DMARC and send reports, Valimail (and Dmarcian I believe) have historically tracked and published that. I'll hunt down that data tomorrow. Off the top of my head, it was about 80% of mailboxes globally (4bn+) properly validate DMARC, and the majority of those send reports, with the notable exception of Microsoft, which is now finally starting to do that. For PSD, I don't think that's implemented anywhere at any major mailbox provider, just in some open source libraries as a test. Seth On Tue, Apr 12, 2022 at 8:28 PM John Levine wrote: > Are there any public numbers on the amount of mail that is subject to > DMARC policy, number of mailboxes implementing DMARC policies, number > sending reports, stuff like that? > > Someone was also asking about PSD adoption but I assume at this point > it is still zero other than some small tests. > > R's, > John > > > > ___ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc > -- *Seth Blank * | Chief Product Officer *e:* s...@valimail.com *p:* 415.273.8818 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system. ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc