"Everyone fears rejection"
It finally happened. I got kicked in the head and rejected.
Here is what happened.
As you may know, for last couple of years I have been writing and presenting on email reliability. SPF, DKIM and DMARC. This topic has been evolving rapidly over the years. Those of you who started down this road generally started as I did - Report Only - to see what bad actors were out there sending emails in your name. In my case a frightening amount of people are out there pretending to be CSINY.COM. If you checked, I am sure you have just as many bad folks pretending to be you as I do.
Way back when I started email cleanup process, I stated that I didn't think any school district could ever get to the mythical goal of "reject" the fake emails because I didn't think we could control the email stream enough with so many sources to not lose email. However, I believed we could get to "quarantine" where we at least made the strong recommendation to anyone around the world that was receiving fake emails in our name to at least quarantine them, because we didn't believe they were from us.
I did my work over these last two years and cleaned up my email stream. I finally felt confident that I had my email in a good place. I crossed my fingers and I turned on quarantine.
Nothing bad happened.
I ran this way for months.
I scoured my DMARC reports. I continued to run clean for CSINY.COM from everything I could see.
Then I got bold.
I turned on reject.
The DMARC warning for reject is that you will no longer know what is not delivered - good or bad. It just won't happen.
I looked and looked and again I could find nothing bad that happened. I was proud that I had seemingly attained the highest email security standard out there. I was proud that the number of fake emails in the world in my name went from thousands a week to almost nothing. There were actually days with no fake emails.
However, today it happened. My good emails got rejected. Since the system won't tell me these rejection messages anymore, I found out indirectly. The revelation I learned was that DMARC reject not only applies to emails sent in your name. It also blocks your emails forwarded by others that came from you! Therefore, DMARC = reject means forwarding your emails is no longer possible outside of your own domain!
That was a bridge too far. Feeling dejected with my ego bruised I quickly reset my DMARC to quarantine. My reports are sure to fill up again. However, my original assumption has been validated. DMARC = reject is probably unattainable for all of us.
Regardless, I am still feeling quite good about DMARC = quarantine and making it harder for people to do bad things in my name.
If you are at DMARC = report, it is really time to push towards quarantine and at least make it harder for the bad guys to do what they do in your name.
If you need help getting there, give us a call