DMARC policy overrides: meaning and mechanism
DMARC lets a domain owner publish one of three policies for mail that fails authentication: none, quarantine, or reject. Receiving servers, however, do not always apply the policy you published; they may choose a different disposition based on what they know about the message and its source.
For example, if your record says p=reject, a receiver can still deliver a failing message to the inbox or spam folder instead of rejecting it. This is called a policy override. It happens when the receiver's own local policy exempts the message, or when the message arrived through a source the receiver trusts, such as a known forwarder or a mailing list.
What is the DMARC policy override mechanism?
DMARC is an email authentication protocol that lets you tell receiving servers how to handle messages that carry your domain in the From header but fail the DMARC check. The policy is published in the p tag of your DMARC DNS record and can take one of three values:
p=none
Instructs receivers to take no special action on messages that fail DMARC and to deliver them as they normally would. It is meant for the monitoring phase of a deployment: you still receive reports, but it gives no protection against spoofing and phishing.
p=quarantine
Instructs receivers to treat messages that fail DMARC as suspicious, which in practice usually means placing them in the spam or junk folder. This reduces the chance that recipients open a forged message and get scammed.
p=reject
Instructs receivers to refuse messages that fail DMARC. The message is normally rejected during the SMTP transaction, so it never reaches any folder; the sending server receives the rejection and may bounce it to the envelope sender.
However, receiving servers also have their own local policies for incoming mail. Where those apply, your published DMARC policy can be overridden.
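As an added example (not code from the article), the following Python parses a DMARC TXT record, validates the tags the section above describes, and applies the pct sampling rule from RFC 7489 section 6.6.4 to show which disposition a receiver gives a failing message and when that message is "sampled out". The sample record, the example.com domain and the report mailbox are placeholders, and the sample roll is a parameter so the behaviour is reproducible.

```python
import random

# Valid values for the p= and sp= tags (RFC 7489 section 6.3).
VALID_POLICIES = {"none", "quarantine", "reject"}
# When a failing message is not selected by pct, the receiver applies the
# next less severe policy (RFC 7489 section 6.6.4).
NEXT_LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Constructed sample record; example.com and the mailbox are placeholders.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=50; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r")


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value.

    Rejects records that do not begin with v=DMARC1 or lack a valid p=
    tag, because a receiver ignores such records entirely and no policy
    is enforced at all. pct is returned as an int (default 100).
    """
    tags = {}
    order = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        tags[name] = value.strip()
        order.append(name)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {tags['sp']!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError(f"pct must be an integer: {tags['pct']!r}") from None
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    tags["pct"] = pct
    return tags


def disposition_for_failed_message(tags, is_subdomain=False, sample_roll=None):
    """Return (disposition, sampled_out) for a message that failed DMARC.

    sample_roll is a number in 0..99; if omitted a random one is drawn.
    A roll below pct selects the message for the published policy; any
    other roll means the message is sampled out and gets the next less
    severe policy, which receivers report with the reason 'sampled_out'.
    Subdomain mail uses sp= when present, otherwise p=.
    """
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    roll = random.randrange(100) if sample_roll is None else sample_roll
    if roll < tags["pct"]:
        return policy, False
    return NEXT_LESS_SEVERE[policy], True


if __name__ == "__main__":
    tags = parse_dmarc_record(SAMPLE_RECORD)
    print("published policy:", tags["p"], "pct:", tags["pct"])
    for roll in (10, 75):
        print(f"roll {roll}:", disposition_for_failed_message(tags, sample_roll=roll))
```

With pct=50 in the sample record, roughly half of the failing messages get reject and the rest get quarantine; the latter are the ones receivers report as sampled out, which is why that reason should disappear from your reports once you move to pct=100.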
The values of the DMARC policy override reason
When a receiver overrides your policy, it records the reason in its aggregate report. RFC 7489 defines the following reason types:
Forwarded
Forwarded messages often fail DMARC: the forwarding server's IP is not in your SPF record, and if the forwarder alters the body or headers, the DKIM signature breaks too. A receiver that recognizes the message as legitimately forwarded, through a known forwarder or its own heuristics, may deliver it anyway. This override usually works in your favor, provided it was not an attacker who relayed the message.
Local policy
The receiving server's own local rules exempted the message from your policy. For example, the receiver may accept mail from certain sources it trusts even when that mail fails DMARC.
Mailing list
Mailing lists resend messages from their own servers and often modify the subject line or body, which breaks SPF and frequently DKIM as well, so the message fails DMARC. A receiver that determines the message arrived via a mailing list may override your policy rather than reject it.
Sampled out
This override is requested by your own record, not chosen by the receiver. The pct tag sets the percentage of failing messages to which your policy should be applied; the receiver applies the next less severe policy to the rest (reject becomes quarantine, quarantine becomes none) and reports those messages as sampled out. With pct=100, or no pct tag at all, this reason should never appear.
Trusted forwarder
The authentication failure was anticipated because the receiver linked the message to a locally maintained list of known and trusted forwarders (certain email providers or partners), so it did not apply your policy.
Other
A policy exception not covered by the types above. Receivers are expected to add detail in the comment field that accompanies the reason in the report, so read that field whenever you see this value.
Does the RFC allow DMARC policy overriding?
RFC 7489 expects mail receivers to honor the policy published by the domain owner, but section 6.7 explicitly permits them to accept mail that fails DMARC even when the published policy is reject: the final disposition of a message is always a matter of the receiver's local policy. Overriding works against the purpose of DMARC and occasionally produces false negatives, letting forged mail through. The trade-off the RFC makes is that the receiver is expected to record the reason for the override in its aggregate report.
DMARC policy override reports
Override reasons are not a separate report type: they appear in the DMARC aggregate reports (RUA reports) that receivers send to domain owners. Each record in such a report states the disposition the receiver actually applied and, when that differs from your published policy, a reason element explaining why. The purpose of this field is to explain why the policy was not followed, which offers insight into potential problems.
You request aggregate reports with the rua tag in your DMARC record, and each receiver decides whether to honor that request. Do not neglect these reports; they provide the following benefits:
Visibility
You get visibility into the conditions that cause your policy to be overridden, so you can address them before they turn into deliverability or security problems. Your policy might be overridden for legitimate reasons: forwarding, which breaks SPF and sometimes DKIM, or a mailing list that modifies the message and breaks its signature, causing a DMARC failure. In other cases, the receiving server has a local policy that favors trusted sources even when mail from them fails DMARC.
By monitoring the reasons in your reports, you learn which scenarios disrupt your intended email flow and can recognize patterns. Analyzed properly, they tell you which proactive steps to take: adjust your email configuration, or work with the forwarders involved.
Security monitoring
Override reasons also help you assess your email security posture. Each record that carries a reason also carries the SPF and DKIM results for that mail, so regular analysis shows whether SPF or DKIM has problems. If your mail frequently triggers overrides, that can indicate a misconfiguration in your setup or a gap in your authentication coverage.
For example, if legitimate mail is repeatedly being overridden and the records show DKIM failures, there could be a problem with how DKIM signatures are applied or with the message being modified in transit. Monitoring these records lets you identify and fix such problems quickly, keeping your domain protected against spoofing and phishing while maintaining strong deliverability.
Improving email deliverability
These reports also contain information that helps your domain's deliverability. If legitimate mail from a particular source shows up repeatedly with override reasons, look at the SPF and DKIM results in those same records. An SPF failure on forwarded mail is expected and cannot be fixed in your SPF record, but a DKIM failure means the mail is either not signed with your domain's key or is being modified in transit; checking your DKIM and SPF records with their respective lookup tools is the first step. Until that is fixed, delivery of those messages depends on receivers choosing to override your policy.
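The following added example (written for this article, not a receiver's or any vendor's code) parses a constructed aggregate report and separates the cases the override reason list and the Visibility and Security monitoring sections above describe: messages that failed DMARC and were overridden with a stated reason, messages that failed and got a weaker disposition with no reason given, and messages where the published policy was honored. The report XML, the report id, the domains and the IP addresses (documentation ranges) are constructed sample data; the element paths follow the aggregate report schema in RFC 7489 Appendix C.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The six PolicyOverrideType values defined in RFC 7489 Appendix C.
OVERRIDE_TYPES = {"forwarded", "sampled_out", "trusted_forwarder",
                  "mailing_list", "local_policy", "other"}
SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed aggregate report, not a real receiver's output: the report
# id, domains and IPs (documentation ranges) are placeholders.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <report_id>constructed-report-1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>reject</p><pct>50</pct>
 </policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>forwarded</type><comment>known forwarder</comment></reason>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>5</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>sampled_out</type></reason>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.9</source_ip><count>4</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def analyze_aggregate_report(xml_text):
    """Classify each record of an aggregate report by how the receiver
    handled messages that failed DMARC.

    Returns a dict with: 'published_policy'; 'overrides', a Counter of
    message counts per reason type; 'override_rows', one entry per
    overridden record (source_ip, count, disposition, reasons);
    'unexplained', records whose disposition is weaker than the published
    policy with no reason given; 'honored', messages that received the
    published disposition (or a stricter one); and 'unknown_reason_types'
    for any reason type outside the RFC enumeration.
    """
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p")
    summary = {"published_policy": published, "overrides": Counter(),
               "override_rows": [], "unexplained": [], "honored": 0,
               "unknown_reason_types": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        pe = row.find("policy_evaluated")
        disposition = pe.findtext("disposition")
        # policy_evaluated/dkim and /spf are the aligned results; DMARC
        # passes if either one passes, and then no policy is applied.
        if pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass":
            continue
        reasons = [(r.findtext("type"), r.findtext("comment") or "")
                   for r in pe.findall("reason")]
        if reasons:
            for rtype, _comment in reasons:
                if rtype not in OVERRIDE_TYPES:
                    summary["unknown_reason_types"].append(rtype)
                # A record carrying two reasons is counted under both.
                summary["overrides"][rtype] += count
            summary["override_rows"].append((ip, count, disposition, reasons))
        elif SEVERITY[disposition] < SEVERITY[published]:
            # Policy not applied and no reason given: worth raising with
            # the receiver, and treated as a silent override when triaging.
            summary["unexplained"].append((ip, count, disposition))
        else:
            summary["honored"] += count
    return summary


if __name__ == "__main__":
    s = analyze_aggregate_report(SAMPLE_REPORT)
    print("published:", s["published_policy"])
    print("overrides by reason:", dict(s["overrides"]))
    print("unexplained:", s["unexplained"], "honored:", s["honored"])
```

Run against the constructed report, this attributes 3 messages to forwarded and 5 to sampled_out, flags the 2 messages from 198.51.100.7 as delivered without any stated reason, and counts the 4 rejected messages as the policy being honored; the 12 messages that passed aligned DKIM are skipped because no policy was applied to them. On real reports, feed the function each XML file after decompressing the attachment, and watch the sampled_out count drop to zero once pct reaches 100.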
Final words
Note the difference between a DMARC failure and a DMARC policy override; the two should not be used interchangeably. The former refers to a message that does not pass the DMARC check; the latter means the receiving server did not apply your published policy to a failing message, for a reason it states in its report.
We suggest keeping a proper record of the override reasons in your reports so that you know what is happening with your domain and whether it needs troubleshooting. If you feel overwhelmed by all these responsibilities and want someone to look after email authentication for you, including tracking overrides in your reports, please feel free to contact us. We have a team of professionals who are the right fit for your needs.