DMARC Monitoring Tools Comparison

I’ve been testing DMARC monitoring tools in order to get my personal and work domains to DMARC enforcement. Here’s what I’ve learned from testing a handful of different services.

Valimail

Valimail may have the best available product, but I believe they have priced themselves out of the small business market. I received a demo but did not have a chance to use their product hands on. Their SPF macro expansion tool is impressive and having them fully manage your SPF and DKIM DNS records is incredibly convenient.

Fraudmarc

Fraudmarc does not provide enough detail to fully understand why your email sources are not compliant. For a given source, it tells you whether it was SPF and/or DKIM aligned, but if it isn’t, it doesn’t tell you whether it was aligned to another domain or to none at all. They do provide an appealing SPF flattening tool called SPF Compression. They provide a free plan for “low message volumes.”

DMARC Analyzer

DMARC Analyzer has an attractive website that adequately conveys which of your sources are compliant or why they are failing. It requires more clicking to expand details than I would like, but it’s functional. They provide a free plan for up to 100k monthly DMARC compliant messages.

250ok

250ok provides a suite of tools to help monitor and improve your email deliverability. Their DMARC reporting interface requires a little too much mousing over to see details, but it’s functional. Unfortunately, their system doesn’t differentiate between a message that merely passes SPF and/or DKIM and one that passes and is aligned with DMARC. For example, a non-white-labeled email sent with SendGrid could pass SPF with domain sendgrid.info, but it would fail DMARC because the from address says lundscape.com. 250ok considers this DMARC compliant even though it is not. 250ok says these messages are ARC compliant, but their system doesn’t yet have a way to convey that to the user. (See below.) 250ok’s own domain is also not set to enforce a policy.
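As an added example (not code from the post or from any of the vendors), here is a small Python check that applies DMARC’s alignment rule to a constructed aggregate-report record modelled on the SendGrid case above: SPF and DKIM both pass for sendgrid.info, but neither identifier aligns with the lundscape.com From domain, so DMARC fails. The organizational-domain function is a simplification (last two labels); a real checker consults the Public Suffix List.

```python
# Added example: DMARC alignment check over a constructed aggregate-report
# <record>, showing why "SPF pass" alone is not "DMARC pass".
import xml.etree.ElementTree as ET

# Constructed sample record (not real report data): SPF and DKIM both pass for
# sendgrid.info, but the RFC5322.From header domain is lundscape.com.
SAMPLE_RECORD = """<record>
  <row><source_ip>198.51.100.7</source_ip><count>3</count></row>
  <identifiers><header_from>lundscape.com</header_from></identifiers>
  <auth_results>
    <spf><domain>sendgrid.info</domain><result>pass</result></spf>
    <dkim><domain>sendgrid.info</domain><result>pass</result></dkim>
  </auth_results>
</record>"""

def org_domain(name):
    # Simplified organizational domain (assumption: last two labels).
    # A production checker must use the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same org domain),
    # mirroring the DMARC aspf/adkim tags.
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(header_from)

def evaluate_record(xml_text, aspf="r", adkim="r"):
    """Return which identifiers passed, which aligned, and the DMARC verdict."""
    rec = ET.fromstring(xml_text)
    header_from = rec.findtext("identifiers/header_from", default="")
    spf_dom = rec.findtext("auth_results/spf/domain", default="")
    spf_res = rec.findtext("auth_results/spf/result", default="")
    result = {
        "header_from": header_from,
        "spf_pass": spf_res == "pass",
        "spf_aligned": spf_res == "pass" and aligned(spf_dom, header_from, aspf),
        "dkim_aligned": False,
    }
    # Any one aligned, passing DKIM signature is enough for the DKIM leg.
    for dkim in rec.findall("auth_results/dkim"):
        d = dkim.findtext("domain", default="")
        if dkim.findtext("result") == "pass" and aligned(d, header_from, adkim):
            result["dkim_aligned"] = True
    # DMARC passes only if at least one *aligned* identifier passed.
    result["dmarc_pass"] = result["spf_aligned"] or result["dkim_aligned"]
    return result
```

Running `evaluate_record(SAMPLE_RECORD)` reports `spf_pass` True but `dmarc_pass` False, which is exactly the distinction the 250ok interface collapses.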

Dmarcian

Dmarcian’s user interface is a little rough around the edges, but it does the best job of conveying which of your sources are compliant, which are failing, and why they are failing. They provide a free plan for up to 10k monthly DMARC compliant messages and up to two domains (sub-domains are counted separately). (A few months ago the limit was 100k monthly emails, and then they dropped it to 50k monthly emails. 10k monthly emails seems to be a very recent change.)

ARC Support

ARC is a method of validating forwarded emails that would otherwise fail DMARC validation. It’s still not fully supported, but more mailbox providers seem to be recognizing it. As I stated above 250ok is parsing it but not yet doing a good job of showing the results. DMARC Analyzer says it’s on their roadmap, but they have not yet implemented it. Dmarcian was not aware of ARC and seemed skeptical even though I provided them with links to the specification. I do not know the status of ARC support for Valimail or Fraudmarc.

Conclusion

Overall Dmarcian seems to provide the most useful analytics for low volume domains or at a reasonable price. If you are looking for a free option or need to monitor a lot of (sub-)domains, DMARC Analyzer may be a better choice.

Fix ISP DNS Hijacking with DD-WRT

Ars Technica recently wrote up an article on ISPs hijacking DNS requests to watch web searches. A couple of years ago, I discovered that any time I punched in an invalid domain name, instead of telling me the domain name did not exist, I was redirected to a search page. The search page had an opt out feature, but it reset after a few hours. I wrote a script to automatically opt myself out every few hours, but it was ineffective. When I called CenturyLink (my ISP) about this problem, they first denied it. After arguing with the representative for a while, he eventually informed me that this was how the feature was supposed to work. I asked him how that could be useful if the opt out really wasn’t an opt out. He didn’t have an answer. Eventually I opted to use alternative DNS. However, one solution for those of us running DD-WRT on our routers is to add additional DNSMasq options. While OpenDNS does honor opt outs, I still add the IP addresses they use to my configuration.

Before adding anything, pinging an invalid domain shows:

ping garbage.invalidtld
PING garbage.invalidtld (67.215.65.132) 56(84) bytes of data.
64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=1 ttl=56 time=54.4 ms

I went into the Services page of DD-WRT and added the following to the “Additional DNSMasq Options” section:

bogus-nxdomain=67.215.65.132
bogus-nxdomain=184.106.31.182

Now the same command returns the proper response:

ping garbage.invalidtld
ping: unknown host garbage.invalidtld

I could have applied the same method to filter CenturyLink’s DNS responses, but I have been happier with OpenDNS and decided not to switch back.