Associated with
Domains
Underlying signals
Email SPF Not Configured (RS3), Email Weak SPF Configured (RS4), Email DMARC Not Configured (RS7), Email Weak DMARC Configured (RS8)
Reasonings
- Observed domain, and
- We infer domains from inboxes and aliases, however we do not infer domains from PSA integrations since there are often different contacts sometimes not associated with the company
- RS3: DNS records do not include an SPF record, or
- RS7: DNS records do not include a DMARC record, or
- RS8: DNS record contains a valid DMARC record that contains one of:
- Empty policy or policy set to none
- Percentage less than 100%
- Subdomain policy is set to none
Resolutions
- Update or add an SPF DNS record with a strict qualifying mechanism
- Cork prefers
-all, however a soft fail ~all or pass +all is generally fine if there is a strong DMARC record also present
- Update or add a DMARC DNS record that is considered strict:
- Policy (
p=) is set to reject or quarantine
- Percentage (
pct=) is set to 100, this specifies the percentage of emails subject to filtering
- Set the subdomain policy (
sp=) to reject as well, unless you have specific DMARC records on those subdomains
Additional Considerations
- Cork does not consider the strictness of SPF configuration since it can be hardened with strictly configured DMARC
- However we will raise a recommendation, but not an alert, if the SPF qualifying mechanism is not
-all