It can be difficult to identify which domains should be categorized as Defensive, particularly if your organization has a significant number of domains.
Once DMARC reporting data has been collected for a while, it becomes easier to spot which domains can be categorized as Defensive and to start locking them down.
It is recommended to have been collecting DMARC data for at least 60-90 days before producing this report.
Step 1: Extracting required data from the portal
The first task is to get the data we want to work from out of the Customer Protect portal.
- Navigate to the Diagnostics > Domains page. By default this page shows only the Active Domains, which is what we want, but the time period needs to be extended.
- Click Show Options and change View Messages From. At least 60-90 days of DMARC data is recommended; if you have been collecting data for longer, you can go back even further.
- Click Submit to apply the new time period.
- Now click Share and then click Send Email to send yourself a CSV of the Domain data.
Step 2: Preparing the data
Once the email arrives, open the attached CSV and remove the columns that are not needed for this exercise. Delete them in the order given (right to left) so that the remaining column letters stay valid:
- Delete columns H to T
- Delete column D
- Delete column B
You should now be left with the following column headers: Domain Name, Message Count from My Senders, Message Count from Unauthorized Senders, Pass Rate of Unauthorized Sender Messages, DMARC Policy.
The last step in preparing the data is a two-level sort: first by Message Count from My Senders (Smallest to Largest), then by Message Count from Unauthorized Senders (Smallest to Largest), as per the screenshot:
Step 3: Analyzing the results
The results will vary somewhat depending on the traffic from your domains. Any domains with no traffic at all will be at the top of the list; this is the first group of domains to consider for Defensive categorization. A domain with a blank DMARC Policy field should be excluded, because without a published DMARC record we would not be receiving reporting data for it.
It is recommended to:
- Copy the list of domain names into a text file. You can then use the txt file to create a domain group in the portal under Configure > Manage Domains (https://my.agari.com/domain_sets).
- Check within your organization to identify any use cases for these domains.
- Confirm that there are no Authorized Sources missing. An indicator of this would be a significant pass rate in column D (Pass Rate of Unauthorized Sender Messages): that points to a sender that is DKIM signing but has not been added to SPF or to the Sender Inventory.
- Classify any that are truly not being used as Defensive Domains.
- Move them to a DMARC Quarantine policy.
- Implement SPF records for any that currently do not have one (either authorizing legitimate servers, or, for truly non-mail-sending domains, publishing "v=spf1 -all" to state that there is no legitimate source of mail).
- Monitor reporting on these domains for 30 days.
- Consider moving to DMARC Reject if the 30 days of data doesn't reveal any issues.
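Steps 2 and 3 can be automated rather than done by hand in a spreadsheet. The following script is an added example written for this article, not part of the Customer Protect portal or its exports. It assumes only the five header names listed under Step 2 and selects columns by name, so the other export columns are ignored whatever their position; the sample rows are constructed, the 50% "significant pass rate" threshold is an assumption, and the pass-rate column is assumed to be a percentage (with or without a trailing "%").

```python
"""Triage a Domains CSV export for Defensive-domain candidates (added example)."""
import csv
import io

# Header names as listed in the article after the unneeded columns are deleted.
# Selecting by name means the export's other columns are simply ignored.
DOMAIN = "Domain Name"
MINE = "Message Count from My Senders"
UNAUTH = "Message Count from Unauthorized Senders"
PASS_RATE = "Pass Rate of Unauthorized Sender Messages"
POLICY = "DMARC Policy"

# Constructed sample rows, not real export data. "Extra A"/"Extra B" stand in
# for the columns the article tells you to delete.
SAMPLE_CSV = """\
Domain Name,Extra A,Message Count from My Senders,Message Count from Unauthorized Senders,Pass Rate of Unauthorized Sender Messages,DMARC Policy,Extra B
mail.example.com,x,120000,3400,1%,p=reject,y
old-brand.example,x,0,0,0%,p=none,y
promo.example,x,0,0,,,y
legacy.example,x,0,850,92%,p=none,y
unused.example,x,0,0,0%,p=none,y
shop.example,x,45,12,8%,p=quarantine,y
"""


def parse_int(value):
    """Message counts; tolerate blanks and thousands separators."""
    value = (value or "").strip().replace(",", "")
    return int(value) if value else 0


def parse_rate(value):
    """Pass rate as a percentage (assumed format: '92%' or '92'); blank -> 0."""
    value = (value or "").strip()
    if not value:
        return 0.0
    return float(value[:-1]) if value.endswith("%") else float(value)


def load_rows(csv_text):
    """Step 2: keep only the five columns the analysis needs, typed."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            DOMAIN: raw[DOMAIN].strip(),
            MINE: parse_int(raw[MINE]),
            UNAUTH: parse_int(raw[UNAUTH]),
            PASS_RATE: parse_rate(raw[PASS_RATE]),
            POLICY: (raw[POLICY] or "").strip(),
        })
    return rows


def sort_rows(rows):
    """Step 2's two-level sort: My Senders ascending, then Unauthorized ascending."""
    return sorted(rows, key=lambda r: (r[MINE], r[UNAUTH]))


def classify(rows, significant_pass_rate=50.0):
    """Step 3 triage. Returns lists of domain names per bucket, in sorted order.

    no_policy: blank DMARC Policy, so no reporting data; exclude from the exercise.
    no_traffic: zero traffic in both columns; first candidates for Defensive.
    check_authorized_sources: unauthorized mail passing at a high rate, which
        suggests a DKIM-signing sender missing from SPF or the Sender Inventory.
    in_use: everything else.
    """
    buckets = {"no_policy": [], "no_traffic": [],
               "check_authorized_sources": [], "in_use": []}
    for r in sort_rows(rows):
        if not r[POLICY]:
            buckets["no_policy"].append(r[DOMAIN])
        elif r[MINE] == 0 and r[UNAUTH] == 0:
            buckets["no_traffic"].append(r[DOMAIN])
        elif r[UNAUTH] > 0 and r[PASS_RATE] >= significant_pass_rate:
            buckets["check_authorized_sources"].append(r[DOMAIN])
        else:
            buckets["in_use"].append(r[DOMAIN])
    return buckets


def domain_group_text(domains):
    """One domain per line, ready to save as the txt file for a domain group."""
    return "\n".join(domains) + ("\n" if domains else "")


if __name__ == "__main__":
    result = classify(load_rows(SAMPLE_CSV))
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    print(domain_group_text(result["no_traffic"]), end="")
```

Feed it the real export by replacing `SAMPLE_CSV` with the file contents; the `no_traffic` list is the group to paste into Configure > Manage Domains, and `check_authorized_sources` is the list to review with the mail owners before classifying anything as Defensive.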