Under the DMARC technical standard, the importance of reporters including DKIM selectors in their reports should not be underestimated. DMARC aggregate reporting is high level, and it includes all the information you would expect to be important, and sometimes necessary, for identifying who sent the original email. The DKIM selector is vital when deciding whether an email source appears only because of forwarded emails rather than because the domain owner actually uses that source. Missing information such as DKIM selectors can make the report less helpful in identifying legitimate emails.
In the context of DMARC, it takes three to tango, and those three, as you might have heard, are:
- Brands – organizations who want to protect and prevent email abuse for their domain through DMARC
- Sources, aka senders – second parties used by the brands to send their emails via the source’s emailing infrastructure
- Receivers – third parties who receive the emails sent by the sender/source and typically send DMARC reports.
Receivers can be, and typically are, sources as well; a good example is Google, which is often used as the sender for company email but also receives email, so it is a receiver too.
Back to the problem. Amazon is widely used and is a contributor to DMARC reporting. Amazon does not include DKIM selector data in their DMARC reports even though they would need to know and use the selector to query DNS to see if DKIM should pass or fail. Below is an Amazon report where I have redacted the client data:
In comparison, the following is a Google report that serves as an ideal example:
Here are two reasons why reporters need to be more like Google when they send a DMARC report:
- The extra contact information included in the raw DMARC XML report (highlighted above) links to a Google support page, which is helpful when guidance is needed.
- Including the actual DKIM selector data is a must for maximizing the report’s value in helping move forward with DMARC.
The selector data makes a huge difference when helping an organization move from p=none to p=reject in a methodical manner; every data point is valuable. In the near future, I hope Amazon changes their reporting to include the DKIM selector data.
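To show what a missing selector costs the domain owner, here is an added example (not from the original article or from any reporter's tooling): Python code that parses an aggregate report and tallies, per signing domain, how many messages were reported with and without a DKIM selector. The sample XML is constructed; its element names follow the aggregate report layout in RFC 7489, while the reporter name, IP addresses and the selector `s1` are made up, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: reporter name, IPs and selector "s1" are made up.
SAMPLE = """<feedback>
  <report_metadata><org_name>reporter-a.example</org_name></report_metadata>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count></row>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector>
      <result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>3</count></row>
    <auth_results><dkim><domain>example.com</domain>
      <result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def dkim_rows(xml_text):
    """Yield one dict per <auth_results>/<dkim> entry in an aggregate report."""
    if "<!DOCTYPE" in xml_text.upper():  # reports arrive from third parties
        raise ValueError("DTD in report; refusing to parse")
    root = ET.fromstring(xml_text)
    for el in root.iter():  # some reporters add an XML namespace; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    org = root.findtext("report_metadata/org_name", default="unknown")
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        for dkim in rec.iterfind("auth_results/dkim"):
            selector = (dkim.findtext("selector") or "").strip() or None
            yield {"org": org, "source_ip": ip, "count": count,
                   "domain": dkim.findtext("domain"), "selector": selector,
                   "result": dkim.findtext("result")}

def missing_selector_summary(xml_text):
    """Return (messages with a selector, messages without) per signing domain."""
    with_sel, without = Counter(), Counter()
    for row in dkim_rows(xml_text):
        (with_sel if row["selector"] else without)[row["domain"]] += row["count"]
    return dict(with_sel), dict(without)

if __name__ == "__main__":
    print(missing_selector_summary(SAMPLE))
```

For the second record the domain owner sees a DKIM pass for their domain but cannot tell which sending service's key produced it, which is the gap the article describes.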