DMARC policy overrides

This article explains in detail what DMARC policy overrides are, how they work, what’s the difference between a DMARC policy override and a DMARC policy failure, and whether overriding DMARC records is legitimate or not.

DMARC Policy Overrides: Explained

DMARC policy override happens when the receiving email server overrides the DMARC record that is set by the sender. This occurs when the sender has specified that they want their email to be rejected if it doesn’t match an incoming mail server’s policy, but the receiving email server decides that it is not appropriate for its own set of policies.

For instance, if the sender has specified a strict policy (like “p=reject all mail without SPF or DKIM”) and the receiving email server has a relaxed or loose policy (like “accept all mail without SPF or DKIM”). In this situation, the receiving server may override the sender’s DMARC policy setup with its own local policy and deliver the message to the receiver’s inbox even if it fails DMARC checks.

Understanding DMARC Policy Override Mechanism

DMARC is used to communicate policy settings that email receivers can use to enforce against emails sent from your domain.

For example, you can use a policy for DMARC to tell the recipient’s email server what it should do (p=reject or p=none or p=quarantine) if an SPF or DKIM check fails in emails sent from your domain.

This pretty much sums up the power of DMARC, right?

But what if the receiving mail server has its own set of local policies to treat receiving emails? Will it abide by the DMARC policies set by the sender OR will it override the sender’s policies with its own local policies?

Well…

DMARC specification requires mail receivers to make a good faith effort to respect Domain Owners’ published DMARC policies. So if a test of the sender’s SPF, DKIM, and From header fails on a message that should trigger what is specified in the sender’s DMARC policy (p) like quarantine, reject, or NONE.

Now let’s assume, the situation is this:

➜ Your domain (mypersonaldomain.org) has DMARC policy (p=none).

➜ The e-mail server run by the receiver (theirdomain.org) rejects all mail that fails an SPF check. It means if an email sent to (theirdomain.org) fails the SPF check, it will be rejected. Right?

But…

What will happen if an email from your domain (mypersonaldomain.org) with DMARC policy p=none is received at somedomain.org and fails the SPF check?

In this case, it will depend on the receiving mail server (how it is configured) to agree with the DMARC policy set by the sender OR reject the email by overriding the sender’s policy with rules defined in its local policy of p=reject on SPF check failure.

Microsoft 365 is a real-time example of this, as it sends all p=reject emails into the user’s junk/spam folder instead of rejecting it. This is because O365 considers it fine for the recipient to make the final decision on ultimate disposition.

The Five Values of DMARC Policy Overrides

forwarded – The email was likely forwarded, based on local algorithms that identified forwarding patterns. Authentication can be expected to fail.

local_policy – the local policy of the Mail Receiver exempted the email from being subjected to the action requested by its Domain Owner. For example, when the requested policy is set to “reject” but the ARC check passed, a mail receiver can override that decision and choose not to reject an email.

What is ARC?

ARC stands for Authenticated Received Chain (ARC). With ARC, the DKIM and SPF protocols of an email will no longer be broken by forwarding or mailing lists. This is because ARC preserves the results of email authentication across routers, intermediaries, and other systems (“hops”) that may modify a message as it passes from one node on the Internet to another.

So if an ARC chain were present, the receiving mail server who would otherwise discard the messages might choose to evaluate the results of testing—and make an exception, allowing legitimate messages from these indirect mailflows to reach their destinations.

mailing_list – The email was sent from a mailing list, so the filter program decided that it probably wasn’t legitimate.

sampled_out – The message did not apply to the policy because its “pct” setting was set in the DMARC record.

trusted_forwarder – The failure was anticipated by evidence that linked the email to a locally maintained list of trusted forwarders.

other – Some policies contained exceptions that were not addressed by the other entries in the list.

DMARC Policy Overriding: Is it permissible?

Section 6 of RFC 7489 states that mail servers should honor and handle messages in line with the sender’s policy. Although overrides are against the spirit of DMARC, mailbox providers reserve the right to override any sender’s policy. So yes, it is permissible for the receiving server to override DMARC policy with its local policy.

This means that an email server could still deliver a forged message even though the policy it was supposed to follow said otherwise.

Should You Send DMARC Policy Override Reports?

DMARC Policy Overrides mostly take place when:

  • the receiver’s heuristics identify a message that failed authentication but might have been sent by an authorized source.
  • a mailbox provider has a message that failed DMARC due to email forwarding but they are confident enough in its legitimacy, they may override the policy and deliver it anyway.

Though DMARC Policy Overrides are permissible, Sections 6 and 7.2 of the RFC 7489 state that when a receiver chooses to deviate from the domain owner’s published policy, it must report that fact as well as its reasons for doing so (using aggregate feedback reporting format) back to the domain owner.

How is DMARC Policy Overrides Permissible?

DMARC is composed of two parts:

DMARC Policy – This is set up by the sending organization (on the sending organization’s public-facing DNS along with SPF and DKIM) and defines how the receiving side should handle messages that fail to comply with its policies.

DMARC Verification – It is used by the receiving organization (on the receiving organization’s email security gateway) and checks every message received from a particular organization for the policies listed in that company’s DMARC records. However, the ability to override a sending organization’s DMARC policy enforcement is also true for receiving organizations.

Setting up a DMARC policy is a “REQUEST, NOT AN OBLIGATION”: it essentially means that you’re ‘requesting’ mail servers to indicate how they should handle the email messages sent from or impersonating your domain.

However, email receivers are not required to follow a strict set of guidelines when processing incoming emails. They may develop their policies regarding the messages they accept or reject and apply those standards accordingly.

For example, if the email receiver considers the message to be valid. So if an email fails a DMARC check, the receiver can still apply its local policy and deliver it to inboxes. In addition, the email receiver’s policies may override a domain owner’s policy.

How Can A Receiving Organization Override My DMARC Policy?

Other organizations can override your DMARC policy configuration by their own DMARC verification tools and decide their own set of policies on how to act on incoming messages. Depending on the system, a user with admin privileges may be able to override all domains or only certain ones.

It is to be noted that DMARC policies are set by the domain owner, and each policy applies only to that organization’s domains. So a DMARC policy can not affect other organizations’ addresses or their messages.

DMARC Policy Failure vs DMARC Policy Overrides: What’s the difference?

DMARC failure is when a mail server does not properly implement DMARC which leads to SPF and DKIM verification failure at the receiver’s end. Inability to verify your legitimacy can lead inboxes to mark you as spam or reject your messages. Here the receiving mail server honors the sender’s policy and does not override the said policy with its local policy.

DMARC policy overrides occur when the receiving mail server does not honor the sender’s policy. Instead, it overrides the sender’s DMARC policy with its local policy. This means if the sender’s message has a strict policy of p=reject without SPF or DKIM verification, the receiving mail will override the policy and still deliver the message to the inbox anyway.

Keep a Proper Track of DMARC Policy Overrides with PowerDMARC

Staying up to date on DMARC policy overrides is a critical part of preventing email spoofing and impersonation. However, most organizations don’t have the time or resources to keep track of their DMARC policy overrides.

You can’t stop DMARC policy overrides, but you can keep track of them with our DMARC service. We’ll provide you with complete reports of which organizations override your policy mode and what type of messages from which and which emails were allowed at the receiver’s end. This will help the sender keep track and take any necessary action if spoofing or impersonation is found.

Sign up for our Free DMARC trial today and test it yourself!

Latest posts by Ahona Rudra (see all)