DMARC Newbie - 2 Threats Found. Now What?

Recently set up DMARC on my domains. One seems to have no issues. The other only had 2 “threats” reported.

The sources were, shocker, Russian IPs/ISPs.

So what is the next step?
According to the dashboard the “quarantine policy” is applied to these 2 threats.
Is there anything else I need to do or is this just a notification?

Hi Icarus,

The results are meant to confirm that your policy enforcement is being applied to what is reported as a threat. You are achieving your goal, ensuring that unauthorized emails sent spoofing your domains are not allowed. An additional action you may be interested in taking could be using the IP information from these messages and confirming what action is taken by your inbound messaging gateway in case those emails are targeting your users.

You can also click on the geolocation flag in the console to get an analysis from Cisco Talos if you are curious about the reputation of the IP on their system.

I hope this helps!

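As an added example (not from the original thread and not the Cisco console's own code), the script below parses a DMARC aggregate (RUA) report in the RFC 7489 XML format and separates sources that passed DMARC from sources the receiver quarantined. That per-source breakdown is the underlying data behind a dashboard's "threats" count, so a newbie can see which IPs were rejected or quarantined on their behalf and what they sent. The report, domain, IPs and counts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (RUA) report in the RFC 7489 XML layout.
# The domain, IPs and counts are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>2</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.test</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published_policy, per-record summaries) from one RUA report."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            # Disposition the receiver actually applied (none / quarantine / reject)
            "disposition": evaluated.findtext("disposition"),
            # Aligned DKIM / SPF results as evaluated for DMARC, not raw auth results
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return policy, records


def summarize(records):
    """Group message counts per source IP into DMARC pass vs. fail."""
    summary = defaultdict(lambda: {"passed": 0, "failed": 0, "dispositions": set()})
    for r in records:
        # DMARC passes when either aligned DKIM or aligned SPF passes
        passed = r["dkim"] == "pass" or r["spf"] == "pass"
        bucket = summary[r["source_ip"]]
        bucket["passed" if passed else "failed"] += r["count"]
        bucket["dispositions"].add(r["disposition"])
    return dict(summary)


def unauthorized_sources(records):
    """Sources that failed DMARC outright: the rows a dashboard would call threats."""
    return sorted({r["source_ip"] for r in records
                   if r["dkim"] != "pass" and r["spf"] != "pass"})


if __name__ == "__main__":
    policy, records = parse_aggregate_report(SAMPLE_REPORT)
    print(f"Published policy for {policy['domain']}: p={policy['p']} pct={policy['pct']}")
    for ip, s in summarize(records).items():
        print(f"{ip:16} pass={s['passed']:4} fail={s['failed']:4} "
              f"dispositions={sorted(s['dispositions'])}")
    print("Unauthorized sources:", unauthorized_sources(records))
```

Run it against a real report by replacing `SAMPLE_REPORT` with the decompressed XML attached to an RUA e-mail. A source that fails with disposition `quarantine` or `reject` is being handled by the receiver exactly as the published policy asks; the only follow-up is the one described above, checking how your own inbound gateway treats mail from those sources.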

I agree with Icarus that the Threat/Unknown tab feels daunting. I have many domains that are fully protected with DKIM, DMARC with reject=100 and even SPF -all… yet still the spammers use the domains.

I’d assume they’d eventually go away if they are having no luck… but maybe that isn’t a thing with automation. Maybe they just keep pounding away.

Even when you see lots of red… are you essentially good taking “no action” knowing that the spammers are all getting rejected?

I suppose we could have clients double-check those IP addresses for internal sends… but hopefully those are getting blocked by our DNS settings before even internal servers accept those emails.

All of the red, and nothing to do always feels a little wrong.

This is an excellent point. How is your inbound system configured regarding anti-spoofing technologies? Review your system’s capabilities, and configure them using best practice defined by the vendor. Ensure DMARC verification rules are enabled for inbound mail. Not only will it prevent spoofing of any domains that make use of DMARC, but also will help in preventing inbound mail spoofing your own domain targeting your users.

Regarding ongoing abuse of domains that are protected by DMARC, most spam runs are not actively monitored by an individual. These are mostly botnets that bad actors are paying to gain access to and scheduling spam runs on. These are automated and occur in cycles. All that a bad actor monitors is whether the target of such an email replies. In my experience, it may take up to 1, and sometimes even 2, years before there is a reduction in spoofing abuse on a domain protected by DMARC.

I hope this helps!

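To make the inbound side of the advice above concrete, here is an added example (not from the thread, and not the logic of any particular vendor's gateway) of what an inbound DMARC verifier does with one received message: it parses the sender domain's published DMARC record, checks SPF and DKIM identifier alignment in relaxed or strict mode, and returns the disposition the policy requests. It assumes the record passed in is the one published at the From domain's organizational domain, approximates the organizational domain with the last two labels rather than the Public Suffix List, and leaves out `pct` sampling. The domains, records and authentication results are constructed.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict.

    Missing tags get the RFC 7489 defaults: relaxed alignment for both
    identifiers and a subdomain policy equal to the domain policy.
    """
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]
    return tags


def org_domain(domain):
    """Organizational domain approximation: the last two labels.

    Assumption made for this example only; real verifiers consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict requires an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record_txt, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (verdict, disposition) for one inbound message.

    spf_domain is the domain SPF was evaluated for (MAIL FROM / HELO),
    dkim_domain the d= of a verified signature, header_from the RFC5322.From domain.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # The record is assumed to live at the org domain, so 'p' applies to the
    # org domain itself and 'sp' to any subdomain in the From header.
    policy = rec["p"] if header_from.lower() == org_domain(header_from) else rec["sp"]
    return "fail", policy


if __name__ == "__main__":
    # Constructed record and message results, not taken from any real domain.
    record = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"
    print(evaluate_dmarc(record, "example.com", "pass", "example.com", "none", None))
    print(evaluate_dmarc(record, "example.com", "pass", "unrelated.test", "fail", "unrelated.test"))
```

The second call is the spoofing case the thread is about: SPF passed for some unrelated envelope domain, nothing aligns with the From domain, and the verifier reports `reject`. If your gateway's DMARC verification is disabled, that message would reach your users regardless of the policy you published, which is why enabling inbound verification is the action that protects you rather than just the reports.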

Thank you! That 1-2 year advice will be really helpful when talking to clients… and even just giving me a timeframe in my brain. My gut would have thought it shorter than that. Thanks for that advice.