Fun with bad data: That doesn't go there!


Today's data question: What if we scanned the top one million domains, looking for DMARC records and DKIM records misconfigured so that they're living at the top level of the organizational domain? Well, I did that, and it turns out that there are more than 11,000 domains with either a misconfigured DKIM or DMARC record (or in a few cases, both), living at the top level of the domain.

Methodology:

  • Looking for a TXT record containing "v=dmarc1" at the top level of the organizational domain (think spamresource.com, not _dmarc.spamresource.com). If I find one, we've got a DMARC record living where it shouldn't.
  • Looking for a TXT record containing "v=dkim1" at the top level of the organizational domain, OR looking for a TXT record containing a fingerprint of a commonly used CRM/ESP DKIM key, whether or not it contains v=DKIM1. (There's a broadly used public key used by a couple of different platforms that omits the v=DKIM1 tag.) If I find either of these, we've got a DKIM record living where it shouldn't.

And that leaves us with 11,890 domains with some form of broken DKIM or DMARC record lying about. Break it down and you get 5,918 domains with a funky DKIM record, 6,333 domains with a funky DMARC record, and 361 domains that managed to get funky with both records.
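The two tests from the methodology, plus the overlap arithmetic behind the totals, sketched in Python as an added example (this is not the code used for the scan). The TXT data and the key fragment are constructed placeholders, since the post does not publish the key it fingerprinted, and the function names are hypothetical.

```python
import re

# Constructed placeholder: the post does not publish the shared key it
# fingerprinted, so this substring stands in for a slice of that p= value.
KNOWN_KEY_FRAGMENTS = ("EXAMPLEFRAGMENTNOTAREALKEY",)

def normalize(txt_chunks):
    """Join the <=255-byte strings of one TXT record and drop whitespace."""
    return re.sub(r"\s+", "", "".join(txt_chunks))

def classify_apex_txt(records):
    """Return which record types are misplaced among the apex TXT records."""
    found = set()
    for chunks in records:
        value = normalize(chunks)
        lowered = value.lower()
        if "v=dmarc1" in lowered:
            found.add("dmarc")
        if "v=dkim1" in lowered or any(f in value for f in KNOWN_KEY_FRAGMENTS):
            found.add("dkim")
    return found

def summarize(zone_data):
    """Count domains per category; 'any' is the union, not the sum."""
    counts = {"dkim": 0, "dmarc": 0, "both": 0, "any": 0}
    for records in zone_data.values():
        hit = classify_apex_txt(records)
        if hit:
            counts["any"] += 1
        for kind in hit:
            counts[kind] += 1
        if hit == {"dkim", "dmarc"}:
            counts["both"] += 1
    return counts

# Constructed sample data: apex TXT records per domain, no real lookups.
SAMPLE = {
    "a.example": [["v=spf1 -all"]],
    "b.example": [["v=DMARC1; p=none; rua=mailto:d@b.example"]],
    "c.example": [["v=DKIM1; k=rsa; ", "p=MIGfMA0GCSqGSIb3DQEB"]],
    "d.example": [["k=rsa; p=MIIBEXAMPLEFRAGMENT", "NOTAREALKEYAQAB"]],
    "e.example": [["v = DMARC1; p=reject"], ["v=DKIM1; p=MIGfMA0G"]],
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The d.example record has no v=DKIM1 tag and its key is split across two TXT strings, so it is only caught because the strings are joined before the fragment match.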

What I didn't check is whether or not they also have valid DMARC or DKIM records in place. I'm sure a lot of them do: when a checker alerts that the record isn't found, few checkers go on to look for it at the top level of the organizational domain instead. So people probably don't go back and fix the errant, leftover DNS record, leaving it to sit and fester forever.

It might be harmless, but it also might be confusing and it's never a great thing to leave bits of bad data oozing out from the DNS for your domain name. I think it might be time for DKIM and DMARC testers to look for and fail records found in that wrong place. If we want people to get better at implementing email authentication, we've got to give them better guidance and feedback while they attempt to do so.
