
If you don’t know what DMARC is, please see this link for a high-level introduction: DMARC


Understanding the Security Status

✓ Green (Secure): A valid DMARC policy is active. The domain is protected because the policy is set to either quarantine or reject, effectively blocking or flagging unauthorized emails as mandated in the Payment Card Industry Data Security Standard (PCI DSS).
× Red (Inadequate): The domain fails to meet the "low bar" set by PCI DSS as the minimum requirement for protection. This occurs if the record is missing, duplicated, or if the policy is set to none (monitoring mode only), which does not stop spoofing attempts.
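The green/red rule above, together with the per-record warnings shown for each domain further down, as an added Python example (this is not the page's own checker): it parses the TXT strings published at _dmarc.<domain>, treats a missing or duplicated record the way RFC 7489 section 6.6.3 does (policy discovery fails, so no policy is applied), and flags p=none, sp=none and pct below 100. The four published records in the sample input are copied from this page; the duplicate case and the empty record set are constructed, and the names classify, parse_dmarc and DmarcResult are my own.

```python
# Added example: classify DMARC records by this page's green/red rule and emit
# the same kind of warnings the page shows. Stdlib only; no DNS lookups, so the
# TXT strings are passed in (a caller would normally fetch _dmarc.<domain>).
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcResult:
    status: str                       # "green" or "red", per the page's rule
    policy: Optional[str]             # value of the p= tag, None if no usable record
    warnings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict (tag names lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:           # skips empty trailing parts, e.g. from 'fo=1;'
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt_records: List[str]) -> DmarcResult:
    """txt_records: every TXT string published at _dmarc.<domain>.

    Green requires exactly one record starting with v=DMARC1 whose p= is
    quarantine or reject. RFC 7489 s6.6.3: a receiver that finds zero or more
    than one such record stops policy discovery, so both cases are red even
    if each copy individually looks strict.
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcResult("red", None, ["No valid DMARC record found."])
    if len(dmarc) > 1:
        return DmarcResult("red", None, ["Duplicate DMARC records: receivers apply no policy at all."])

    tags = parse_dmarc(dmarc[0])
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return DmarcResult("red", None, ["Missing or invalid p= tag."])

    warnings: List[str] = []
    if p == "none":
        warnings.append("Main policy (p=none) is for monitoring only and does not prevent spoofing.")
    # sp= inherits p= when absent, so only an explicit sp=none earns its own warning.
    if tags.get("sp", "").lower() == "none":
        warnings.append("Subdomain policy (sp=none) leaves subdomains vulnerable.")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        warnings.append(f"pct={pct}: policy applied to only {pct}% of failing mail; for testing, not production.")

    status = "green" if p in ("quarantine", "reject") else "red"
    return DmarcResult(status, p, warnings)


# Sample input. The four published records are copied from this page; the
# duplicate entry and the empty record set are constructed for illustration.
SAMPLE_DNS = {
    "windcoop.co.uk": ["v=DMARC1; p=none; rua=mailto:0e86036c7c43417e9b9383f2ecbbcd9d@dmarc-reports.cloudflare.net"],
    "kirkhillcoop.org": ["v=DMARC1; p=none"],
    "derrilwater.com": ["v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@derrilwater.com; "
                        "ruf=mailto:dmarc@derrilwater.com; adkim=s; aspf=r; fo=1"],
    "ethex.org.uk": ["v=DMARC1; p=none; sp=none; fo=1; rua=mailto:dmarc_agg@vali.email;"],
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=quarantine"],   # constructed duplicate
    "missing.example": [],                                               # constructed: nothing published
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_DNS.items():
        r = classify(txt)
        mark = "\u2713" if r.status == "green" else "\u00d7"
        print(f"{mark} {domain}: {r.status} (p={r.policy})")
        for w in r.warnings:
            print(f"    warning: {w}")
```

Note that derrilwater.com comes out green under the page's rule because p=quarantine, yet still carries two warnings; the rule is a minimum bar, not a statement that the setup is sound.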

windcoop.co.uk →

DMARC Record: _dmarc.windcoop.co.uk
v=DMARC1; p=none; rua=mailto:0e86036c7c43417e9b9383f2ecbbcd9d@dmarc-reports.cloudflare.net
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing.

Once the domain name for the website has been registered, I don’t understand why it isn’t also used for sending emails. Using SendinBlue to send emails that appear to come from a Gmail account and have a DMARC status of fail isn’t good.
The Member Newsletter provides the contact addresses members@windcoop.co.uk and board@windcoop.co.uk for admin and strategic issues, respectively. Both of these addresses bounce with a "smtp; 550 No such recipient here" message.


kirkhillcoop.org →

DMARC Record: _dmarc.kirkhillcoop.org
v=DMARC1; p=none
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing.

Emails from kirkhillcoop.org are DKIM-signed and SPF-authenticated, but the policy is 'none', which is poor practice.
Another observation is that the domain is configured to receive email into Microsoft Office 365, but the only authorised sender is GoDaddy. While it’s normal for domains to use additional senders, it is unusual for Microsoft Office 365 to be configured as a receiver but not an authorised sender.
The website doesn’t appear in any search engine because it previously contained <meta name='robots' content='noindex, nofollow' />
This has now been fixed, but as yet it still isn’t appearing in searches.
Suggest changing -all to ~all on SPF record, in line with best practice recommendations (see link at bottom of page).


kirkhillcoop.co.uk (Unable to link to website)

DMARC Status: No valid DMARC record found.

Curiously, the email configuration for this domain is very similar to that of kirkhillcoop.org, suggesting it was either created by the same people or deliberately cloned to look identical. This website has now been pointed to redirect users to kirkhillcoop.org.
Assuming kirkhillcoop.org is the primary domain, however, this domain still needs a DMARC record to mitigate the risk of abuse.


derrilwater.com →

DMARC Record: _dmarc.derrilwater.com
v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@derrilwater.com; ruf=mailto:dmarc@derrilwater.com; adkim=s; aspf=r; fo=1
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable.

Email configuration is disappointing. As well as the subdomain policy being 'none', the record sets pct=25, meaning the quarantine policy is applied to only 25% of failing emails; this should only be used for testing, not for a production setup.
This domain has tried to configure MTA-STS, which is good. However, it isn’t correctly configured and, as it stands, is likely to cause serious issues.
Suggest changing -all to ~all on SPF record, in line with best practice recommendations (see link at bottom of page).


ethex.org.uk →

DMARC Record: _dmarc.ethex.org.uk
v=DMARC1; p=none; sp=none; fo=1; rua=mailto:dmarc_agg@vali.email;
× Warning: Main policy (p=none) is for monitoring only and does not prevent spoofing.
× Warning: Subdomain policy (sp=none) leaves subdomains vulnerable.

DMARC record has been created, but it isn’t giving any protection. At least the emails received from Ethex are DKIM-signed and SPF-authenticated. However, this is a disappointing setup from a financial organisation.


Link to M3AAWG Email Authentication Recommended Best Practices