---
title: "DMARC policy overrides- meaning and mechanism | DuoCircle"
description: "DMARC policy overrides- meaning and mechanism."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/dmarc-policy-overrides-meaning-and-mechanism/"
---

Quick Answer

A DMARC policy override is when a receiving server decides not to apply the published DMARC policy for a specific message and delivers it anyway. The DMARC specification allows this and identifies five override reasons: forwarded (mail forwarded by a service that breaks SPF/DKIM but the receiver trusts the route), local\_policy (the receiver has its own rules that take precedence), mailing\_list (mail through a list that rewrote headers), sampled\_out (the receiver applied the policy to only a percentage of traffic), and trusted\_forwarder (a known forwarder the receiver trusts). Overrides show up in aggregate reports with the reason recorded, which is how domain owners detect them. Override visibility is useful: it surfaces forwarding paths that break alignment, exposes mailing list problems, and flags receivers that are loosening policy in ways that could let forged mail through. A policy override is not the same as a DMARC failure: failure means authentication did not pass, override means the receiver chose not to act on the failure.

DMARC policy overrides- meaning and mechanism


![DMARC policy overrides](https://media.mailhop.org/duocircle/images/2024/10/SMTP-email-0281.jpg) 

[DMARC](/resources/what-is-dmarc) is based on three policies: **none, quarantine, and reject**. As a domain owner, you choose which of these three policies applies to [illegitimate emails](https://www.linkedin.com/pulse/illegitimate-emails-protect-yourself-indigo-it-limited) sent from your domain. Sometimes, however, receiving servers do not honor the policy you applied; they adjust it according to what seems better to them for the emails sent from your domain. 

For example, if you instruct the recipient’s server to ‘reject’ an email that fails DMARC, the receiver could still deliver it to the inbox or [spam folder](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/) instead of rejecting it. This is called policy override, and this happens because of the receiving server’s own **security policies** or because the sender is on a trusted list. 

## What is the DMARC policy override mechanism?

DMARC is an [email authentication](/resources/email-authentication) protocol that allows you to tell **receiving servers** how you want them to handle emails that are sent from your domain but don’t pass the DMARC check. The policies you can set are:

### p=none

_It instructs the recipients’ mailboxes to treat emails that failed DMARC checks as normal_. This is generally applied only during the first few weeks of **DMARC deployment**, as it doesn’t provide any protection against [spoofing and phishing](https://www.darkreading.com/threat-intelligence/cyberattackers-spoof-google-translate-unique-phishing-tactic).

### p=quarantine

It instructs the recipients’ mailboxes to place the emails that failed DMARC checks in the spam folders, thereby reducing the **possibility of recipients** opening such messages and [getting scammed](https://www.bbc.com/news/articles/c988v355e8do).

### p=reject

It instructs the recipients’ mailboxes to disallow the emails that failed DMARC checks from entering the inbox. Such emails **simply bounce back** to the senders. 

However, there are cases when the recipient’s email server has its own local policies for **treating incoming emails**. In such instances, your DMARC policy can be overridden.

## The five values of DMARC policy overrides

### Forwarded

[Forwarded emails](https://www.activecampaign.com/glossary/email-forwarding) sometimes fail DMARC checks because the **forwarding service alters** the emails’ content or headers. However, a receiving server may still deliver the email because it recognizes that it was legitimately forwarded. This overriding mostly works in your favor, provided an intruder or [threat actor](https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html) didn’t forward the email. 

[![Forwarded emails ](https://media.mailhop.org/duocircle/images/2024/10/SMTP-email-0280.jpg)](https://media.mailhop.org/duocircle/images/2024/10/SMTP-email-0280.jpg)

### Local policy

The receiving server has its own local rules that might override your DMARC policy. For example, the receiver may have decided to accept emails from certain **trusted sources**, even if those emails fail DMARC.

### Mailing list

Emails sent through [mailing lists](https://en.wikipedia.org/wiki/Mailing%5Flist) may have their **original sending domain altered**, causing them to fail DMARC checks. The receiving server might override your policy if it recognizes the email is from a trusted mailing list.

### Sampled out

Sometimes, the receiver might sample or skip applying DMARC to a small percentage of emails for **testing or monitoring** purposes, which results in an override.

### Trusted forwarder

If the email was **forwarded by a trusted forwarder** (such as certain email providers or partners), the receiving server might ignore your [DMARC policy](/resources/dmarc-policy) because it knows the forwarder can be trusted.

## Does RFC allow DMARC policy overriding?

The DMARC RFC states that [mail servers](https://www.techtarget.com/whatis/definition/mail-server-mail-transfer-transport-agent-MTA-mail-router-Internet-mailer) should honor the DMARC policy set by the domain owners. Overriding goes against the fundamental purpose of DMARC; however, it is still permissible. This permission sometimes causes false negatives, **allowing forged emails** to pass through.

## DMARC policy override reports

DMARC policy override reports are produced by recipients’ servers to inform the senders and [domain owners](/dmarc/microsofts-latest-updates-help-domain-owners-fight-modern-phishing-with-dmarc/) whenever they override the policy set by the sender. The purpose of these reports is to explain why the policy was not followed, **offering insights** into the potential problems. 

_The sender requests the reports by configuring their DMARC policy, and the receiver decides whether to send the override reports based on that request_. You should not neglect these reports as they provide you with the **following benefits**:

### Visibility

You get visibility into the issues causing DMARC overriding, which you can resolve before it’s too late. For example, your policy might be overridden for legitimate reasons like email forwarding, which alters the [email headers](https://www.hostinger.in/tutorials/email-headers/), or because a mailing list modifies the **email’s sender details**, causing a DMARC failure. In some cases, the receiving server may have local policies that prefer trusted sources, even if the DMARC for emails sent from them fails. 

_By monitoring these reports, you learn about certain scenarios that disrupt your intended email flow, helping you recognize patterns_. If you analyze them carefully, you can understand what **proactive steps** should be taken to adjust your [email configurations](https://www.ibm.com/docs/en/sqsp/50?topic=guide-email-configuration) and work with trusted forwarders. 

### Security monitoring

DMARC policy override reports help strengthen your [email security](/) posture. By regularly analyzing these reports, you can assess whether SPF and DKIM have any issues. If your emails **frequently trigger overrides**, it might indicate potential [security gaps](https://www.bleepingcomputer.com/news/security/audit-finds-notable-security-gaps-in-fbis-storage-media-management/) or misconfigurations in your email setup. 

For example, if you notice that certain **legitimate emails** are being overridden due to [DKIM failures](/email-security/canonicalization-reason-behind-dkim-signature-verification-failures/), then there could be issues with how [DKIM signatures](https://docs.mapp.com/docs/dkim-signature) are being applied. Monitoring these reports allows you to quickly identify and address such vulnerabilities, ensuring that your domain remains protected against spoofing and phishing attempts while still maintaining strong [email deliverability](/a-guide-on-email-deliverability).
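The report analysis described under Visibility and Security monitoring can be automated. The following is an added example, not code from the original article or from DuoCircle: it reads the `<policy_evaluated>` block of each record in an aggregate report and separates DMARC failures where the published policy was applied from overrides, including overrides recorded without a reason. The sample report is constructed, the function names are hypothetical, and the code assumes the RFC 7489 aggregate layout without an XML namespace and does not consider the `sp` subdomain policy.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 layout, no XML namespace); documentation IPs.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>forwarded</type></reason></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type></reason></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.200</source_ip><count>9</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def classify_records(report_xml):
    """Label each record as pass, failure (policy applied) or override."""
    # Reports come from third parties: use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(report_xml)
    published = (root.findtext("policy_published/p") or "none").strip()
    rows = []
    for row in root.iterfind("record/row"):
        pe = row.find("policy_evaluated")
        if pe is None:
            continue
        dkim = (pe.findtext("dkim") or "fail").strip()
        spf = (pe.findtext("spf") or "fail").strip()
        disposition = (pe.findtext("disposition") or "none").strip()
        reasons = [(r.findtext("type") or "").strip() for r in pe.findall("reason")]
        if "pass" in (dkim, spf):
            status = "pass"       # aligned SPF or DKIM passed, so DMARC passed
        elif reasons or STRICTNESS.get(disposition, 0) < STRICTNESS.get(published, 0):
            status = "override"   # DMARC failed, receiver did not apply the published policy
        else:
            status = "failure"    # DMARC failed and the published policy was applied
        rows.append({
            "source_ip": (row.findtext("source_ip") or "").strip(),
            "count": int(row.findtext("count") or 0),
            "disposition": disposition,
            "status": status,
            # A weaker disposition with no <reason> is still an override; flag it.
            "reasons": reasons or (["unspecified"] if status == "override" else []),
        })
    return published, rows

def override_summary(rows):
    """Message counts per (override reason, source IP)."""
    totals = Counter()
    for r in rows:
        if r["status"] == "override":
            for reason in r["reasons"]:
                totals[(reason, r["source_ip"])] += r["count"]
    return totals

if __name__ == "__main__":
    for (reason, ip), n in override_summary(classify_records(SAMPLE_REPORT)[1]).most_common():
        print(f"{n:4d} msgs  {reason:16s} {ip}")
```

Rows labelled `unspecified` or `local_policy` from source IPs you do not recognize deserve the first look, since they mark mail that failed authentication yet received a weaker disposition than the one you published.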

### Improving email deliverability

What’s best is that these reports contain information that can be used to improve your domain’s deliverability strength. So, if you notice that emails you forwarded are frequently subjected to policy overrides, then you must run your [SPF](/resources/what-is-spf) and [DKIM](/resources/what-is-dkim) records through their **respective lookup tools**. There is a possibility that these records are misconfigured, triggering policy overriding. 

[![improve domain deliverability](https://media.mailhop.org/duocircle/images/2024/10/office-365-migration-service.jpg)](https://media.mailhop.org/duocircle/images/2024/10/office-365-migration-service.jpg)

## Final words

_Please be aware that there is a difference between DMARC policy failure and DMARC policy override. Do not confuse the two or use the terms interchangeably_. The former refers to emails that don’t pass the **DMARC authentication checks**, and the latter means the receiving server didn’t honor your selected DMARC policy for some reason.

We suggest you keep a proper record of the override reports so that you know what’s going on with your [email domain](https://www.one.com/en/email/what-is-an-email-domain) and if it requires any troubleshooting. If you feel too overwhelmed with all the responsibilities and want someone to look after the email authentication part for you, including tracking overriding reports, then please feel free to [contact us](/contact). We have a **team of professionals** who are just the right fit for your needs.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

