Should you use Strict or Relaxed alignment for your DMARC settings?
The DMARC standard lets a domain owner choose relaxed alignment or require strict alignment, separately for SPF and for DKIM. Note, however, that strict mode adds little extra protection: relaxed alignment still requires the authenticated domain to share the organizational domain with the visible From address, so an unrelated domain cannot align in either mode.
We do not recommend strict mode unless you have a specific reason for it, for example when subdomains of your organizational domain are operated by third parties or other teams and you do not want mail they send to count as aligned with the parent domain. Otherwise it buys no meaningful protection while making configuration and ongoing management of authentication harder, because every sending service must then use the exact From domain in its Return-Path or DKIM d= value.
Relaxed alignment passes if the organizational domain (the registrable domain, e.g. example.com for mail.example.com) is the same for the user-visible From address and either the Return-Path domain that passed SPF or the d= domain of a valid DKIM signature.
Strict alignment, on the other hand, requires an EXACT match between the fully qualified domain name (FQDN) of the user-visible From address and either the SPF-authenticated Return-Path domain or the DKIM signing domain (d=).
If strict alignment is required and the email does not meet it, that method (SPF or DKIM) is treated as unaligned and contributes nothing to the DMARC result; DMARC still passes if the other method aligns.
Strict vs relaxed alignment is specified in the DMARC record using the aspf tag (SPF alignment) and the adkim tag (DKIM alignment), each taking the value r for relaxed or s for strict.
The default, if a tag is not present in the DMARC record, is relaxed alignment. For example, the following two DMARC records are equivalent:
v=DMARC1; p=reject
v=DMARC1; p=reject; aspf=r; adkim=r
If the user-visible From address is on a subdomain such as sub.mydomain.com and the DKIM signing domain (d=) is mydomain.com, the organizational domains match, so the email is aligned under relaxed DKIM alignment.
The email is not strictly aligned with DKIM, because the FQDNs differ.
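As an added example (not code from this article or any vendor), the Python below reproduces the alignment rules described above, including the RFC defaults for aspf and adkim. The organizational-domain lookup uses a tiny hand-written suffix list instead of the real Public Suffix List; that list, and the sample domains, are assumptions made so the code runs offline.

```python
"""DMARC identifier alignment (RFC 7489) in relaxed and strict modes.

Added example for this article; not code from the page or any vendor.
ASSUMPTION: the organizational domain is derived from a tiny hand-written
suffix list rather than the real Public Suffix List, so it runs offline."""

# Constructed, incomplete stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "me.uk", "org.uk"}


def organizational_domain(fqdn: str) -> str:
    """Registrable domain: the longest public suffix plus one more label.
    mail.michaels.me.uk -> michaels.me.uk, sub.mydomain.com -> mydomain.com"""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode is 'r' (relaxed: same organizational domain) or 's' (strict: exact FQDN)."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; aspf=s' into tags, applying the RFC defaults
    (aspf=r and adkim=r when the tags are absent)."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_result(from_domain, dmarc_record, *, spf_pass=False, mail_from_domain=None,
                 dkim_pass=False, dkim_d=None) -> dict:
    """DMARC passes when at least one *authenticated* identifier aligns with the
    RFC5322.From domain; a passing SPF or DKIM that does not align counts for nothing."""
    tags = parse_dmarc(dmarc_record)
    spf_aligned = bool(spf_pass and mail_from_domain
                       and aligned(from_domain, mail_from_domain, tags["aspf"]))
    dkim_aligned = bool(dkim_pass and dkim_d
                        and aligned(from_domain, dkim_d, tags["adkim"]))
    return {"pass": spf_aligned or dkim_aligned, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "aspf": tags["aspf"], "adkim": tags["adkim"]}


if __name__ == "__main__":
    # Subdomain From with DKIM d= on the parent: relaxed passes, strict does not.
    print(dmarc_result("sub.mydomain.com", "v=DMARC1; p=reject",
                       dkim_pass=True, dkim_d="mydomain.com"))
    print(dmarc_result("sub.mydomain.com", "v=DMARC1; p=reject; adkim=s",
                       dkim_pass=True, dkim_d="mydomain.com"))
    # Gmail 'send mail as' with a separate alias domain: SPF cannot align in either mode.
    print(dmarc_result("kopage.com", "v=DMARC1; p=reject",
                       spf_pass=True, mail_from_domain="michaels.me.uk"))
```

The third case in the `__main__` block is the situation that matters in practice: when the Return-Path domain does not even share an organizational domain with the From domain, switching aspf to r changes nothing, and only an aligned DKIM signature can carry the message through DMARC.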
What is the return-path email header?
Return-Path is a header that the receiving mail server adds to record the SMTP envelope sender (the MAIL FROM address), which is the address bounces are sent to. Most mail clients do not display it. This address, also referred to as the bounce address or reverse path, can differ from the address in the visible From header and is typically used specifically for collecting and processing bounced messages.
Having a clear return-path system in place is important for your email program. It provides a separate location for processing bounced mail, so your original sending inbox is not crowded by "failed delivery" messages and bounces are kept organized and together. A clear, organized return-path for bounced messages also helps your deliverability and sending reputation, because the Return-Path domain is the identity that SPF is evaluated against.
To test whether your emails are compliant, try the Email investigation tool over at EasyDMARC.
Why is return-path important?
Return-path is an important tool to have at your disposal, especially for mass email sends. Let’s say you’re sending an email blast about an offer your company is promoting to your entire email list. While we don’t want to see bounced emails, the reality is that messages can and do bounce for a variety of reasons.
When you’re sending to large groups, you can get tens, maybe even hundreds of bounced messages depending on the size and nature of your campaign. These “failed delivery” messages then come back to haunt and crowd your original sending inbox. Instead, by having an established return-path, those messages are processed and stored separately in their own specified inbox.
Return-path also affects your deliverability and sending reputation because it is the identity SPF checks: receiving servers look up the SPF record of the Return-Path domain to decide whether the sending IP is authorized, and use that result when deciding how, or whether, to filter your messages. A properly set up Return-Path therefore lends credibility to your messages and, in turn, to you as the sender.
This can be a particular issue when using domain aliases ("send mail as") with Google Workspace (Gmail): Gmail puts the primary domain in the Return-Path, so SPF cannot align with the alias domain under strict mode. Relaxed mode only helps if the alias is a subdomain of the primary domain (same organizational domain). For an entirely separate alias domain, as in the example below, SPF alignment fails in both modes and DMARC has to pass on DKIM instead, so make sure DKIM is set up to sign with the alias domain's own d= value.
Below is an example where the primary domain is michaels.me.uk and the secondary (alias) domain is kopage.com, using "send email as" in the Gmail settings.
The above report was generated using the email investigation tool at EasyDMARC.
How return-path works
Return-path specifies where bounced messages should go when they cannot be delivered. It is usually set up by your email or other relay platform provider but can often be customized.
Servers and inbox providers validate your identity and reputation before pushing your message through to recipients’ inboxes.
To get you through these filters, Return-Path and DMARC work together. DMARC checks that the domain in the visible From header aligns with the domain that SPF authenticated (the Return-Path domain) or with the d= domain of a valid DKIM signature, which is what ties your identity as a sender to the message. When the domains align and one of the checks passes, receiving servers and inbox providers can trust the message and let it through instead of filtering it out.
Types of bounced emails
There are two types of bounced emails: hard bounces and soft bounces.
A hard bounce occurs when you have a permanent issue with a recipient, such as an invalid email address or typo in your mailing list.
Soft bounces are more temporary and usually occur when there’s a problem with a recipient’s inbox, including file size or attachment issues or the possibility of a recipient having a full inbox.
When a message hard bounces, the general best practice is to check that there are no typos in the recipient’s address. If there are none, you should remove the address from your mailing list. Keeping email addresses that hard bounce can damage your reputation as a sender and affect your deliverability in the long run.
When an email soft bounces, you have a little bit more wiggle room than with a hard bounce. Email addresses that soft bounce can be kept in your mailing list for future campaigns, but you’ll want to watch them to see if they bounce again. If they continue to bounce, they should be removed from your mailing list.
Today I discovered some great news, for me at least….
Cloudflare has now added the ability to add custom comments on your DNS records, on all plans. Users on the Pro, Business and Enterprise plan will also be able to tag DNS records as well.
This is a feature I have been waiting for for many years, not just from Cloudflare, but from Cpanel and DNS in general.
Managing DNS and keeping track of what every record is for has always been problematic because there was no way to attach notes or comments. This has become even more of a problem in recent years with the myriad of TXT records needed for verification, DKIM, DMARC etc.
You very quickly lose track of what a record was for or whether it is still required, so you don't want to delete it. This results in redundant, legacy records being left hanging around, potentially causing security issues, such as when an email source that is no longer authorized still has a valid SPF include or DKIM record in your DNS.
More details below, from Cloudflare's blog.
DNS records are important
DNS records play an essential role when it comes to operating a website or a web application. In general, they are used to map human-readable hostnames to machine-readable information, most commonly IP addresses. Besides mapping hostnames to IP addresses they also fulfill many other use cases like:
Ensuring emails can reach your inbox, by setting up MX records.
Validating a TLS certificate by adding a TXT (or CNAME) record.
Specifying allowed certificate authorities that can issue certificates on behalf of your domain by creating a CAA record.
Validating ownership of your domain for other web services (website hosting, email hosting, web storage, etc.) – usually by creating a TXT record.
And many more.
With all these different use cases, it is easy to forget what a particular DNS record is for and it is not always possible to derive the purpose from the name, type and content of a record. Validation TXT records tend to be on seemingly arbitrary names with rather cryptic content. When you then also throw multiple people or teams into the mix who have access to the same domain, all creating and updating DNS records, it can quickly happen that someone modifies or even deletes a record causing the on-call person to get paged in the middle of the night.
Enter: DNS record comments & tags 📝
Starting Dec 21st 2022, everyone with a zone on Cloudflare can add custom comments on each of their DNS records via the API and through the Cloudflare dashboard.
To add a comment, just click on the Edit action of the respective DNS record and fill out the Comment field. Once you hit Save, a small icon will appear next to the record name to remind you that this record has a comment. Hovering over the icon will allow you to take a quick glance at it without having to open the edit panel.
What you also can see in the screenshot above is the new Tags field. All users on the Pro, Business, or Enterprise plans now have the option to add custom tags to their records. These tags can be just a key like “important” or a key-value pair like “team:DNS” which is separated by a colon. Neither comments nor tags have any impact on the resolution or propagation of the particular DNS record, and they’re only visible to people with access to the zone.
Now we know that some of our users love automation by using our API. So if you want to create a number of zones and populate all their DNS records by uploading a zone file as part of your script, you can also directly include the DNS record comments and tags in that zone file. And when you export a zone file, either to back up all records of your zone or to easily move your zone to another account on Cloudflare, it will also contain comments and tags. Learn more about importing and exporting comments and tags on our developer documentation.
;; A Records
*.mycoolwebpage.xyz. 1 IN A 192.0.2.3
mycoolwebpage.xyz. 1 IN A 203.0.113.1 ; Contact Hannes for details.
sub1.mycoolwebpage.xyz. 1 IN A 192.0.2.2 ; Test origin server. Can be deleted eventually. cf_tags=testing
sub1.mycoolwebpage.xyz. 1 IN A 192.0.2.1 ; Production origin server. cf_tags=important,prod,team:DNS
;; MX Records
mycoolwebpage.xyz. 1 IN MX 1 mailserver1.example.
mycoolwebpage.xyz. 1 IN MX 2 mailserver2.example.
;; TXT Records
mycoolwebpage.xyz. 86400 IN TXT "v=spf1 ip4:192.0.2.0/24 -all" ; cf_tags=important,team:EMAIL
sub1.mycoolwebpage.xyz. 86400 IN TXT "hBeFxN3qZT40" ; Verification record for service XYZ. cf_tags=team:API
It might be that your zone has hundreds or thousands of DNS records, so how on earth would you find all the records that belong to the same team or that are needed for one particular application?
For this we created a new filter option in the dashboard. This allows you to not only filter for comments or tags but also for other record data like name, type, content, or proxy status. The general search bar for a quick and broader search will still be available, but it cannot (yet) be used in conjunction with the new filters.
By clicking on the “Add filter” button, you can select individual filters that are connected with a logical AND. So if I wanted to only look at TXT records that are tagged as important, I would add these filters:
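As an added example (not Cloudflare's code), the Python below parses the exported zone-file lines quoted above, separates the comment and cf_tags from each record, and applies the same AND-style filter as the dashboard. It also lists records with no comment or tag at all, which are exactly the "nobody dares delete it" records the introduction complains about. The zone text is the snippet from the post; nothing is fetched from the network.

```python
"""Parse the zone-file export above, pull out comments and cf_tags, and
filter records the way the dashboard's AND-filter does.  Added example for
this article, not code from Cloudflare.  The ZONE text is the snippet quoted
above; nothing is fetched from the network."""
import re
from dataclasses import dataclass, field

ZONE = """\
;; A Records
*.mycoolwebpage.xyz. 1 IN A 192.0.2.3
mycoolwebpage.xyz. 1 IN A 203.0.113.1 ; Contact Hannes for details.
sub1.mycoolwebpage.xyz. 1 IN A 192.0.2.2 ; Test origin server. Can be deleted eventually. cf_tags=testing
sub1.mycoolwebpage.xyz. 1 IN A 192.0.2.1 ; Production origin server. cf_tags=important,prod,team:DNS
;; MX Records
mycoolwebpage.xyz. 1 IN MX 1 mailserver1.example.
mycoolwebpage.xyz. 1 IN MX 2 mailserver2.example.
;; TXT Records
mycoolwebpage.xyz. 86400 IN TXT "v=spf1 ip4:192.0.2.0/24 -all" ; cf_tags=important,team:EMAIL
sub1.mycoolwebpage.xyz. 86400 IN TXT "hBeFxN3qZT40" ; Verification record for service XYZ. cf_tags=team:API
"""

TAG_RE = re.compile(r"\bcf_tags=(\S+)")


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str
    comment: str = ""
    tags: set = field(default_factory=set)


def split_comment(line):
    """Split at the first ';' outside double quotes, so a TXT value that
    itself contains a ';' (e.g. a DMARC record) is not cut in half."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), ""


def parse_zone(text):
    records = []
    for raw in text.splitlines():
        data, comment = split_comment(raw)
        if not data:                      # blank line or ';;' section header
            continue
        name, ttl, _cls, rtype, rdata = data.split(None, 4)
        tags = set()
        m = TAG_RE.search(comment)
        if m:                             # tags ride along at the end of the comment
            tags = set(m.group(1).split(","))
            comment = (comment[:m.start()] + comment[m.end():]).strip()
        records.append(Record(name, int(ttl), rtype, rdata, comment, tags))
    return records


def filter_records(records, rtype=None, tags=()):
    """Same semantics as the dashboard filter: every condition must hold (AND)."""
    wanted = set(tags)
    return [r for r in records if (rtype is None or r.rtype == rtype) and wanted <= r.tags]


def undocumented(records):
    """Records with neither a comment nor a tag: the ones nobody dares delete."""
    return [r for r in records if not r.comment and not r.tags]


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for r in filter_records(recs, rtype="TXT", tags=["important"]):
        print("important TXT:", r.name, r.rdata)
    for r in undocumented(recs):
        print("no comment or tag:", r.name, r.rtype, r.rdata)
```

Running `undocumented()` over a real export is a cheap periodic hygiene check: any SPF include or DKIM selector that comes back without a comment is a candidate for the "is this sender still authorized?" review.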
One more thing (or two)
Another change we made is to replace the Advanced button with two individual actions: Import and Export, and Dashboard Display Settings.
You can find them in the top right corner under DNS management. When you click on Import and Export you have the option to either export all existing DNS records (including their comments and tags) into a zone file or import new DNS records to your zone by uploading a zone file.
The action Dashboard Display Settings allows you to select which special record types are shown in the UI. And there is an option to toggle showing the record tags inline under the respective DNS record or just showing an icon if there are tags present on the record.
And last but not least, we increased the width of the DNS record table as part of this release. The new table makes better use of the existing horizontal space and allows you to see more details of your DNS records, especially if you have longer subdomain names or content.
Try it now
DNS record comments and tags are available today. Just navigate to the DNS tab of your zone in the Cloudflare dashboard and create your first comment or tag. If you are not yet using Cloudflare DNS, sign up for free in just a few minutes.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive and personal data such as banking, credit card details, and passwords, usually on fake websites.
The information is then used to access important accounts and can result in identity theft, fraud and financial loss.
The first phishing lawsuit was filed in 2004 against a Californian teenager who created the imitation of the website “America Online”. With this fake website, he was able to gain sensitive information from users and access their credit card details to withdraw money from their accounts. Other than email and website phishing, there’s also ‘vishing’ (voice phishing), ‘smishing’ (SMS Phishing) and several other phishing techniques cybercriminals are constantly coming up with.
Common Features of Phishing Emails
Too Good To Be True – Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many will claim that you have won an iPhone, a lottery, or some other lavish prize. Just don’t click on any suspicious emails. Remember that if it seems too good to be true, it usually is!
Sense of Urgency – A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it’s best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance, www.bankofarnerica.com – the ‘m’ is actually an ‘r’ and an ‘n’, so look carefully.
Attachments – If you see an attachment in an email you weren’t expecting or that doesn’t make sense, don’t open it! They often contain payloads like ransomware or other malware. No attachment type should be assumed safe: a file shown as "invoice.txt" can still be an executable behind a double extension or a disguised file type, so treat unexpected attachments with suspicion regardless of the name.
Unusual Sender – Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don’t click on it!
Here is a great KnowBe4 resource that outlines 22 social engineering red flags commonly seen in phishing emails. We recommend printing out this PDF to pass along to family, friends, and coworkers.
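The "hover over the link" check from the hyperlinks red flag above can be automated. The Python below is an added example (not from KnowBe4 or this page): it collects every anchor in an HTML fragment, compares the domain the text displays with the domain the href actually points to, and normalizes a few look-alike character sequences (rn for m, 1 for l, 0 for o) to catch the bankofarnerica.com trick. The TRUSTED allow-list, the confusables table and the SAMPLE snippet are all constructed assumptions.

```python
"""Spot deceptive hyperlinks the way a reader hovering over a link would.
Added example for this article (not from KnowBe4 or the page).  ASSUMPTION:
TRUSTED is a constructed allow-list and SAMPLE is a constructed phishing
snippet; the confusable table is deliberately small."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"bankofamerica.com", "example.com"}
# Character substitutions attackers use because they look alike in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

SAMPLE = (
    '<p>Your account is locked. Verify now at '
    '<a href="http://www.bankofarnerica.com/login">www.bankofamerica.com</a> '
    'or <a href="https://login.example.com/reset">reset your password</a>.</p>'
)


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def registrable(host):
    """Simplification: last two labels (fine for .com, not for co.uk etc.)."""
    return ".".join(host.lower().split(".")[-2:])


def normalize(host):
    """Collapse look-alike sequences so 'bankofarnerica' becomes 'bankofamerica'."""
    host = host.lower()
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in a fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the red flags for one anchor (an empty list means nothing suspicious)."""
    flags = []
    real_host = host_of(href)
    shown_host = host_of(text if "://" in text else "http://" + text)
    # 1. The visible text is itself a URL/domain, but the href goes somewhere else.
    if "." in shown_host and " " not in text and registrable(shown_host) != registrable(real_host):
        flags.append(f"text shows {shown_host!r} but link goes to {real_host!r}")
    # 2. The real host is a look-alike of a domain we trust.
    looks_like = registrable(normalize(real_host))
    if looks_like in TRUSTED and registrable(real_host) not in TRUSTED:
        flags.append(f"{real_host!r} looks like {looks_like!r}")
    # 3. Plain http on a page that asks for credentials.
    if urlparse(href).scheme == "http":
        flags.append("not https")
    return flags


def scan_html(fragment):
    parser = LinkCollector()
    parser.feed(fragment)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in scan_html(SAMPLE).items():
        print(href, "->", flags or "ok")
```

The second link in SAMPLE comes back clean, which is the point of keeping an allow-list: the check should complain about look-alikes without flagging every link to a legitimate domain.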
Prevent Phishing Attacks:
Though hackers are constantly coming up with new techniques, there are some things that you can do to protect yourself and your organization:
To protect against spam, spam filters can be used. Generally, the filters assess the origin of the message, the software used to send it, and its appearance to decide whether it is spam. Occasionally spam filters block email from legitimate sources, so they are not 100% accurate.
Browser settings can be changed to block known fraudulent websites. Browsers keep a list of reported phishing sites and, when you try to visit one, block the address or show a warning; keep that protection enabled.
Many websites ask users to enter login information while a user-chosen image is displayed as a "proof" that the site is genuine. Such systems can still be imitated by a phishing site. Better habits are to use a unique password for every account (a password manager helps), to change a password promptly if you suspect it has been exposed, and to turn on multi-factor authentication where it is offered. Websites can also add a CAPTCHA to slow down automated credential-stuffing.
Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report phishing to industry groups where legal actions can be taken against these fraudulent websites. Organizations should provide security awareness training to employees to recognize the risks.
Changes in browsing habits are required to prevent phishing. If verification is required, always contact the company personally before entering any details online.
Generally, emails sent by cybercriminals are disguised to appear to come from a business whose services the recipient uses. A bank will not ask for personal information via email or threaten to suspend your account if you do not update your details within a certain period. Genuine messages from most banks and financial institutions also include something only they would know, such as part of your account number; the absence of any such detail is a warning sign, though its presence alone is not proof that the message is genuine.
If you need help in protecting yourself from phishing ransomware or other cybercrime, get in touch.
Easydmarc has a FREE plan which is great for personal domains or small businesses that just want the basics, it also allows you to manage unlimited domains. Prices are then $17.99 / month for the Plus plan and $39.99 for the Premium plan. Plans are cheaper if you go yearly.
Dmarcly does not have a free plan, but they do offer trials, and their prices are nearly identical, with the Professional plan at $17.99, Growth at $39.99, Business at $69.99 and Enterprise at $199 per month.
For the purposes of this article, we will be comparing the $39.99 growth and premium plans.
Price (per month)
$39.99 monthly $35.99 yearly
DKIM Record Generator
Processing/rendering of aggregate reports
Processing/rendering of forensic reports
Aggregate Reports (RUA)
Automatic Subdomain Detection
2 Factor Authentication
The dmarcly system is a very text-based, no-frills solution, not very visually appealing at all, and feels very much like a legacy web 2.0 app from 20 years ago.
Overall I did not find the dmarcly system very intuitive or nice to use compared to Easydmarc.
The reports are very minimalistic. The whole site/admin interface feels like it was created by developers with no real UI/UX experience. The target audience here is definitely techies, not end users or business owners.
Below is one of the email summary reports. As you can see, rather than an actual report, you get a notification that a report is available, which you have to log in to view. This is just time-consuming and annoying. Compare this to the lovely email reports from Easydmarc.
Frustrated with “SPF PermError: Too Many DNS Lookups“? This can cause emails to not reach the inbox.
SPF allows at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect) per evaluation. Some domains publish SPF records that need more than 10 such lookups, which results in a permerror at the receiver, an SPF failure, and deteriorated email deliverability.
The good news is, DMARCLY’s Safe SPF feature solves this problem perfectly.
Precise SPF validation
Always up to date
Boost email deliverability
No manual maintenance
DMARCLY renders Authenticated Received Chain (ARC) results when the final disposition is overridden by the local policy.
ARC preserves email authentication results across subsequent intermediaries that may modify the message, allowing legitimate messages from indirect mailflows to be delivered.
Your email is susceptible to man-in-the-middle (MitM) attacks if you allow messages to be delivered to your domain over unencrypted connections, or over TLS with an unverified certificate that an attacker can substitute.
Implement MTA-STS/TLS reporting to identify and fix email security issues.
Adaptive Blacklist Monitoring
Monitor the reputation of IP addresses from which your outbound emails are actually sent.
Dmarcly checks against these industry-standard blacklists: Spamhaus ZEN, SpamCop Blocking List, Barracuda Reputation Block List, and Passive Spam Block List.
Multiple Email recipients
One feature I initially thought was useful was that dmarcly allows you to set up multiple email recipients for each domain, which I thought would make it useful for consultants or MSPs who want to send reports directly to customers. But alas, this turned out to not be very useful due to the aforementioned fact that the system doesn’t actually send reports via email, just notifications telling you to log in to view the report, meaning that every email recipient would actually need a login in order to be able to see the report.
This feature is further deprecated by the limited number of users per account, and there does not appear to be any way to limit a user to a specific domain. So even if you did send a report to every client, they wouldn’t actually be able to log in to view it.
I contacted their support a few times with various questions, and while they responded within a timely manner, I found their responses to be very terse. The customer service/support felt as minimalistic as the website UI/UX.
More domains and email traffic with each plan.
MTA-STS & TLS Reporting
Poor UI/UX, lack of visualisations. Lacks the intuitive look and feel of easy dmarc.
No email reports, just notifications.
no free plan
No support for MSP’s/Resellers
The Easydmarc app has a beautiful and intuitive interface that is a joy to use and easy to understand, very visual with nice looking icons, graphs and charts everywhere with all the info you need at a glance.
You can tell that a lot of thought went into the UI/UX and that actual UX designers were involved in the process, unlike dmarcly. Easydmarc is definitely the better solution for users and business owners but is great for techies too.
The email reports are beautiful and visually tell you everything you need to know, without having to login to your account.
During my time testing Easy Dmarc, I did, however, discover issues with the reporting, the stats would randomly change every time I reloaded the page, giving completely different data for every domain. Same on the aggregate reports.
It took more effort than it should have done to get them to investigate this issue and finally realize the system was broken, and I found it rather worrying that they were oblivious to it and that I was the only user who had noticed it and reported it.
The Hosted DMARC tool provides a unique CNAME record to update your DNS and start using the feature, preventing the need to visit your DNS each time.
Hosted BIMI helps you to manage BIMI record easily directly within their platform. You need to add a single CNAME record to your domain DNS, after which you can securely host the SVG logo and VMC certificate with Easydmarc.
SMBs are not likely to want or need to bother with BIMI, though, as it is costly, requiring you to buy a certificate that costs around $1400 per year and to register your trademark. This is more something for large organizations that already have trademarks.
By default SPF cannot exceed 10 DNS lookups. If it does, the receiver returns a "too many DNS lookups" permerror and SPF fails.
Easy SPF solves this by providing an SPF flattening solution (replacing include: mechanisms with the IP ranges they resolve to) that lets you add, remove and update lots of email service providers without being concerned about the SPF 10-DNS-lookup limitation.
Mitigate and avoid outgoing emails’ loss by automatically authorizing new email sending sources even when your DMARC policy is “quarantine” or “reject”
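Both the DMARCLY "Safe SPF" and the EasyDMARC "Easy SPF" passages describe the same mechanism, so one added example (not code from either vendor or this article) covers both: it counts the DNS-querying mechanisms in an SPF record the way a receiver does, recursing into include: and redirect=, reports the permerror, and then flattens the record by inlining the IP terms of every include. The DNS answers in FAKE_DNS are constructed stand-ins using documentation address ranges, not real records.

```python
"""SPF 10-lookup limit: count, detect permerror, and flatten.  Added example,
not code from DMARCLY, EasyDMARC or the article.  ASSUMPTION: the DNS
answers below are constructed stand-ins (RFC 5737 / RFC 3849 addresses),
not real records, so the example runs offline."""

FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailer.example include:crm.example.net "
                   "include:billing.example.org include:helpdesk.example.org a mx -all",
    "_spf.mailer.example": "v=spf1 include:_net1.mailer.example include:_net2.mailer.example ~all",
    "_net1.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_net2.mailer.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "crm.example.net": "v=spf1 a mx ip4:192.0.2.10 -all",
    "billing.example.org": "v=spf1 include:crm.example.net ip4:192.0.2.20 -all",
    "helpdesk.example.org": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all",
}
LOOKUP_LIMIT = 10


def mechanism(term):
    """'include:x' -> ('include','x'); 'mx/24' -> ('mx',''); 'redirect=x' -> ('redirect','x')."""
    t = term.lstrip("+-~?")
    sep = ":" if ":" in t else "="
    name, _, arg = t.partition(sep)
    return name.split("/")[0].lower(), arg


def count_lookups(record, dns):
    """Number of DNS queries a receiver makes to evaluate `record`, following
    include: and redirect= recursively (RFC 7208 section 4.6.4)."""
    count = 0
    for term in record.split()[1:]:              # skip 'v=spf1'
        name, arg = mechanism(term)
        if name in ("include", "redirect"):
            count += 1 + count_lookups(dns[arg], dns)   # KeyError == permerror for a receiver
        elif name in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


def spf_status(record, dns):
    return "permerror: too many DNS lookups" if count_lookups(record, dns) > LOOKUP_LIMIT else "ok"


def flatten(domain, dns):
    """Inline every include: as the IP terms it resolves to.  Bare a/mx inside an
    included record refer to *that* record's domain, so they are rewritten as
    a:<domain> / mx:<domain>; those still cost one lookup each."""
    out = []
    for term in dns[domain].split()[1:]:
        name, arg = mechanism(term)
        if name == "include":
            out.extend(x for x in flatten(arg, dns) if mechanism(x)[0] != "all")
        elif name in ("a", "mx") and not arg:
            cidr = term.lstrip("+-~?").partition("/")[2]
            out.append(f"{name}:{domain}" + (f"/{cidr}" if cidr else ""))
        else:
            out.append(term)
    return list(dict.fromkeys(out))               # de-duplicate, keep order


def flattened_record(domain, dns):
    return "v=spf1 " + " ".join(flatten(domain, dns))


if __name__ == "__main__":
    before = FAKE_DNS["example.com"]
    after = flattened_record("example.com", FAKE_DNS)
    print(count_lookups(before, FAKE_DNS), spf_status(before, FAKE_DNS))   # 16 -> permerror
    print(count_lookups(after, FAKE_DNS), spf_status(after, FAKE_DNS))     # 4  -> ok
    print(after)
```

Two things the flattening step shows that the marketing copy does not: a bare a or mx inside a provider's include must be re-qualified with that provider's domain or it silently starts authorizing your own hosts instead, and the flattened record is only correct until a provider changes its netblocks, which is why the hosted services re-resolve and re-publish it for you.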
Real-time Reputation Monitoring
Keep an eye on your domain, IP address, and mail server reputation with the advanced blacklist monitoring service. They notify you once you appear in blacklists, so you’ll be able to quickly act to get them delisted and avoid potential delivery issues.
How does Reputation Monitoring work?
EasyDMARC’s Blacklist Monitoring service provides information about your domain, IP address, and mail server blacklist status. The system runs automated checks and notifies you if any of them are found on a blacklist. You can monitor both IP addresses (IPv4 and IPv6) and domains. The checks run in real time, and the email alert links to each blacklist provider’s website, so you can quickly request delisting of your domain or IP address and limit the damage to your sender reputation.
Email Investigation Tool
Setting up domain alignment initially can be quite a complex task, especially if you have multiple sources such as a CRM, ticket system, billing system, blog etc all sending email from your domain.
The email investigation tool makes this easier. It will generate a special email address, which you use to send emails from each of your sources, and Easydmarc will then tell you if that email passed the domain alignment checks.
However, during my time using EasyDmarc, I found that the email investigation tool was incorrectly reporting that the domain was not aligned and was failing both SPF and DKIM checks because the domain did not match the return path. This was false: both SPF and DKIM were fine, verified via other tools, and even the error itself clearly showed that the domain and return path matched.
When I contacted Easydmarc to report this, they were not interested and told me I needed to upgrade to the Enterprise plan if I wanted them to even look into it.
I had to resort to posting the issue on Twitter to get them to look into it, at which point they confirmed there was an issue with the tool.
I understand that they must limit providing support to free users, but bug reports should be taken seriously regardless.
Easydmarc state that they have MSP features, however, these are very basic and I would disagree that they are MSP features.
All it really gives you is the ability to manage multiple domains and users and to assign a user to a domain. There is no ability to generate reports and send them to clients. If you want a client to get reports, then you must add them as a user so they can set this up themselves.
There is no option to setup branding, so if you do give a client access, they will know they are using Easydmarc.
In stark contrast to dmarcly, I found Easydmarc very pleasant to deal with and generally more helpful in their responses. While testing out their service I noticed that I was getting emails sent through Postmark servers passing the DKIM tests. When I quizzed them on this, they spotted an old DKIM record I had left in my DNS.
Very visual, easy to understand UX/UI that is pleasant to use.
Nice email reports. Pretty, easy to understand email reports that show you current alignment status at a glance.
Free plan with unlimited domains
Friendly customer service
Reputation monitoring included
Handy email investigation tool
Fewer domains and less email traffic compared to dmarcly
No MTA-STS & TLS Reporting (although they say it is coming soon)
Very limited/Basic MSP features
So which solution is best? This very much depends on your requirements, although you can probably tell I prefer Easydmarc.
If you want a solution that looks nice, generates attractive, easy-to-understand reports either for yourself or to send to clients or you are an MSP looking for a solution to resell, then I would go for Easydmarc.
If you are looking for the cheapest solution with the most domains and don’t really care about the visuals and UI, or you specifically need MTA-STS and TLS reporting, then go for Dmarcly.
If you are interested in a fully managed domain alignment and Dmarc solution, get in touch.
DKIM stands for DomainKeys Identified Mail and is used to authenticate email as it is sent. Like SPF, DKIM is an open standard for email authentication that DMARC uses for alignment. A DKIM record lives in DNS, but it is a bit more involved than SPF. DKIM’s advantage is that a signature survives forwarding, whereas SPF breaks as soon as the message is relayed from an IP that is not in your SPF record; that makes DKIM the more robust of the two and a foundation for securing your email.
Starting in 2004 from merging two similar efforts, “enhanced DomainKeys” from Yahoo and “Identified Internet Mail” from Cisco and has since been widely adopted for email authentication.
What is a DKIM Record?
A domain owner publishes a DKIM record, which is a TXT record at the name selector._domainkey.yourdomain, in the DNS of the sending domain. This TXT record contains the public key that receiving mail servers use to verify a message’s signature. The key is often provided to you by the organization that sends your email, for example SendGrid, Postmark, or Google Workspace.
What is a DKIM Signature?
DKIM adds a DKIM-Signature header to the email that is protected by a digital signature (a signature, not encryption). Each signature contains everything a receiving server needs to verify it: the signing domain (d=), the selector (s=), the list of signed headers (h=), a hash of the body (bh=) and the signature itself (b=). The originating mail server signs with what is called the private DKIM key; the receiving mail server or ISP verifies the signature with the other half of the keypair, the public DKIM key published in DNS.
These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.
How does DKIM work?
When an inbound mail server receives a message, it detects the DKIM-Signature header and looks up the sender’s public DKIM key in DNS. The selector (s=) and domain (d=) in the signature tell it where to look: selector._domainkey.domain. If the key is found, the server recomputes the hash of the body and of the signed headers (after canonicalization, so harmless whitespace changes in transit do not matter) and uses the public key to check that the signature (b=) matches. If it does, the DKIM signature is valid and the signed parts of the message were not altered.
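As an added example (not code from this page or any vendor), the Python below performs the first half of that verification with the standard library only: it parses the DKIM-Signature tags, derives the DNS name where the public key lives, canonicalizes the body in relaxed mode and checks the bh= body hash, so a message whose body was edited in transit is rejected before any key is fetched. Checking the b= signature itself needs an RSA implementation and is deliberately left out. The domain, selector and message body are constructed for the example.

```python
"""DKIM body-hash verification and public-key lookup name, stdlib only.
Added example for this article, not code from the page or any vendor.
Only the bh= check and tag parsing are implemented; verifying b= requires
an RSA library and is omitted.  The sample message is constructed."""
import base64
import hashlib
import hmac
import re

# Constructed sample (assumption): domain, selector and body are illustrative.
DOMAIN, SELECTOR = "example.com", "sel2023"
BODY = "Hello,\r\n\r\nPlease find the invoice attached.  \r\n\r\n"


def relaxed_body(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: strip trailing
    whitespace per line, collapse runs of WSP, drop trailing empty lines,
    terminate every line with CRLF (an empty body canonicalizes to nothing)."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Turn 'v=1; a=rsa-sha256; d=...; s=...; bh=...; b=...' into a dict.
    Folding whitespace inside a value is ignored, as the RFC requires."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_dns_name(tags: dict) -> str:
    """Where the receiver fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value: str, body: str) -> bool:
    """True when the bh= tag matches the received body.  A False here means the
    body was modified after signing; the b= check would be pointless."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("-sha256"):
        return False
    _header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    if (body_canon or "simple") != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is implemented here")
    return hmac.compare_digest(body_hash(body), tags.get("bh", ""))


def make_signature_header(domain: str, selector: str, body: str) -> str:
    """Build the DKIM-Signature value a signer would emit.  The b= tag holds a
    placeholder because no RSA signing is done in this example."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=RSA-SIGNATURE-PLACEHOLDER")


SIGNATURE = make_signature_header(DOMAIN, SELECTOR, BODY)

if __name__ == "__main__":
    tags = parse_dkim_signature(SIGNATURE)
    print("lookup", public_key_dns_name(tags), "TXT")
    print("original body ok:", verify_body_hash(SIGNATURE, BODY))
    print("tampered body ok:", verify_body_hash(SIGNATURE, BODY.replace("invoice", "new bank details")))
```

The third assertion in the usage below is the reason relaxed canonicalization exists: a relay that appends blank lines or re-wraps trailing spaces does not break the signature, while changing a single word of the body does.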
Read about DKIM Selectors and how to discover which ones your domain may be currently using.
Why use DKIM for Email?
Implementing DKIM for email provides major benefits:
Protection of message integrity. The content of the email can be verified that it hasn’t been changed while being sent.
Increases domain reputation and email deliverability.
One of the foundational methods of email authentication for DMARC.
How do I know if DKIM is working?
Test your domain’s DKIM settings – the DKIM Inspector is a free diagnostic tool that checks whether the public part of your DKIM key (looked up via the selector) has been published correctly in your domain’s DNS. The free DKIM Validator can help you verify that your DKIM record is properly formatted.
What happens when DKIM fails?
When DKIM alignment fails, that is, when the domain of the visible From header does not match the d= value in the DKIM-Signature header (exactly in strict mode, or by organizational domain in relaxed mode), it can negatively impact deliverability, as mailbox providers may send the message to the spam folder or block it entirely.
It is important to examine all messages that have failed to identify the sources as valid or as malicious. If you recognize a source as legitimate, you can investigate and set up DKIM correctly. If a source is not recognized, make sure to research it because this could indicate an attempt to send malicious emails on behalf of your domain.
Why DKIM-Only Isn’t Safe Enough
DKIM on its own isn’t a reliable way of authenticating the identity of the email sender and does nothing to prevent spoofing of the domain visible in the From header: a valid signature from any domain is still a valid signature. DMARC solves the problem by requiring that the domain the end user sees aligns with the domain validated by DKIM or SPF. Learn more about DMARC alignment.
Furthermore, DMARC gives email receivers instructions on what to do with messages that fail these checks, via the DMARC policy (p=none, quarantine or reject).