DMARC Policy Overrides: Explained

Admin, December 8, 2022

This article explains what DMARC policy overrides are and how they work. It also explains the difference between a DMARC failure and a DMARC override. Finally, it discusses whether overriding a DMARC record is permitted.

DMARC Policy Overrides Explained

A DMARC policy override occurs when the receiving email server does not apply the DMARC policy published by the sender. This happens when the sender has asked that mail failing authentication be rejected, but the receiving server decides, based on its own policy, to handle the message differently.

If the sender publishes a strict policy (such as p=reject for any mail that fails SPF and DKIM) while the receiving server applies a looser local policy (such as accepting all mail regardless of SPF/DKIM results), the receiving server may override the sender’s DMARC policy with its own. It then delivers the message to the recipient’s mailbox even though the message failed the DMARC checks.

Understanding DMARC Policy Override Mechanism

DMARC lets you publish a policy that email receivers can use to enforce your domain’s restrictions on who may send mail in its name.

For example, you can use a DMARC policy to tell the recipient’s mail server what to do (p=none, p=quarantine or p=reject) when mail sent from your domain fails the SPF/DKIM checks.

This sums up the power and potential of DMARC.

What happens if the recipient mail server has its own local policy for handling incoming email? It will either follow the sender’s DMARC policy or override it with its own local policy.

Well…

The DMARC specification requires mail receivers to make a good-faith effort to comply with the Domain Owner’s published DMARC policy. If a message fails the SPF and DKIM checks aligned with its From header, the receiver should apply the requested policy (p): none, quarantine or reject.

Let’s say the following:

Your domain (mypersonaldomain.org) has a DMARC policy of p=none.

The receiver’s mail server (theirdomain.org) rejects all mail that fails an SPF test. So if an email from your domain fails SPF when it is sent to theirdomain.org, it will be rejected. Right?

But…

What happens if an email from your domain (mypersonaldomain.org), with DMARC policy p=none, is received at somedomain.org and fails the SPF check?

That depends on how the recipient mail server is configured. It may honor the sender’s p=none policy and accept the email, or it may apply its own local rule of rejecting on SPF failure, effectively overriding the sender’s policy with a local p=reject.

Microsoft 365 is a good example. Instead of rejecting messages that fail DMARC under a p=reject policy, it delivers them to the user’s spam/junk folder, leaving the final disposition to the recipient.
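The receiver-side decision described in this section, as an added example that is not code from the original article or from any mail provider: a toy model that checks DMARC alignment against a published record, applies pct= sampling, and then lets a hypothetical local policy override the requested disposition, returning the reason a receiver would report. The record tags (p, sp, pct, adkim, aspf) follow RFC 7489; the LocalPolicy switches, the Message fields and the sample messages are assumptions made for this example.

```python
"""
Added example (not code from the original article or from any mail
provider): a toy model of a receiver evaluating DMARC and applying a
hypothetical local policy that may override the requested disposition.
Record tags follow RFC 7489; LocalPolicy and Message are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {"p": "none", "sp": None, "pct": 100, "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = int(value) if key == "pct" else value
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str                        # RFC5322.From domain
    spf_pass_domain: Optional[str] = None   # MAIL FROM domain if SPF passed, else None
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of verified signatures
    arc_pass: bool = False                  # receiver validated an ARC chain
    via_trusted_forwarder: bool = False     # source is on the receiver's trusted-forwarder list


@dataclass
class LocalPolicy:
    """Hypothetical receiver settings; the first mirrors the Microsoft 365 behaviour described above."""
    downgrade_reject_to_quarantine: bool = False
    honor_arc: bool = False


def evaluate(msg: Message, record_txt: str, local: LocalPolicy,
             sample: int = 0) -> Tuple[str, str, str, Optional[str]]:
    """Return (dmarc_result, requested_disposition, applied_disposition, override_reason).

    `sample` stands in for the receiver's random 0-99 draw used for pct
    sampling, so the outcome is deterministic in this example.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = aligned(msg.from_domain, msg.spf_pass_domain, rec["aspf"])
    dkim_ok = any(aligned(msg.from_domain, d, rec["adkim"]) for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return ("pass", "none", "none", None)

    # The record is assumed to be published at the organizational domain, so a
    # From domain below it is governed by sp= rather than p=.
    requested = rec["p"] if msg.from_domain.lower() == org_domain(msg.from_domain) else rec["sp"]

    # pct= sampling: messages outside the sample get the next weaker policy.
    if requested != "none" and sample >= rec["pct"]:
        applied = "quarantine" if requested == "reject" else "none"
        return ("fail", requested, applied, "sampled_out")
    if local.honor_arc and msg.arc_pass:
        return ("fail", requested, "none", "local_policy")
    if msg.via_trusted_forwarder:
        return ("fail", requested, "none", "trusted_forwarder")
    if local.downgrade_reject_to_quarantine and requested == "reject":
        return ("fail", requested, "quarantine", "local_policy")
    return ("fail", requested, requested, None)  # policy honored as published


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; pct=100"
    spoof = Message(from_domain="mypersonaldomain.org")  # constructed: no SPF, no DKIM
    print(evaluate(spoof, record, LocalPolicy()))
    print(evaluate(spoof, record, LocalPolicy(downgrade_reject_to_quarantine=True)))
```

The fourth element of the tuple is what ends up in the `reason` field of an aggregate report; a `None` there with a matching requested and applied disposition means the receiver honored the published policy.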

The Five Values of DMARC Policy Overrides

forwarded – The message was probably forwarded: local heuristics identified forwarding patterns, so the authentication failure is expected.

local_policy – The Mail Receiver’s local policy exempted the message from the action requested by the Domain Owner. For example, if the requested policy is reject but the ARC checks pass, the receiver may override that request and decline to reject the message.

What is the ARC?

Authenticated Received Chain (ARC) prevents forwarding or mailing lists from breaking an email’s DKIM or SPF authentication. It does this by preserving the authentication results across the routers, intermediaries and other systems (“hops”) that may modify a message as it passes from one node to the next on the Internet.

If an ARC chain is present, the receiving mail service may examine the recorded results and make an exception so that legitimate mail flows reach their destination.

mailing_list – Local heuristics determined that the message arrived via a mailing list, so the original authentication could not be expected to succeed.

sampled_out – The message was exempted from the policy by the “pct” setting in the DMARC record.

trusted_forwarder – The message was matched against a local list of trusted forwarders, which was sufficient to anticipate the authentication failure.

other – Some other policy exception that is not covered by the entries above.

DMARC Policy Overriding: Is It Permissible?

Section 6 of RFC 7489 says that mail receivers must honor the sender’s policy and handle messages accordingly. Overrides are not in the spirit of DMARC, but mailbox providers retain the right to deviate from any sender’s policy. So yes, the receiving server can override DMARC policies with its own local policy.

This means that a forged message can still be delivered, even though the sender’s policy asked for a different disposition.

Do You Need to Send DMARC Policy Override reports?

DMARC Policy Overrides usually take place when:

  • The receiver’s heuristics identify a message that failed authentication but may have been sent from an authorized source.
  • A mailbox provider receives a message that fails DMARC because of email forwarding, but feels confident enough to deliver it anyway.

Although DMARC policy overrides are allowed, Sections 6 and 7.2 of RFC 7489 stipulate that a receiver must report any deviation from the published policy to the domain owner.
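The reporting requirement above, together with the override reason values listed in the previous section, is what lets a domain owner see overrides in practice. As an added example that is not code from the original article or from PowerDMARC, the following reads an aggregate (rua) report and tallies the override reasons per source. The XML layout follows the RFC 7489 Appendix C schema; the embedded report, its reporter name, IP addresses and counts are constructed for this example, and records that deviate from the published policy without giving a reason are labelled “unreported” (a label chosen here, not an RFC value).

```python
"""
Added example (not code from the original article or from PowerDMARC):
extracting policy-override reasons from a DMARC aggregate report.
The sample report is constructed; the XML layout follows RFC 7489 Appendix C.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict

# The six override reason types defined by RFC 7489.
OVERRIDE_TYPES = {"forwarded", "sampled_out", "trusted_forwarder",
                  "mailing_list", "local_policy", "other"}

# Constructed sample report: reporter, IPs and counts are made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>mypersonaldomain.org</domain><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>forwarded</type><comment>forwarding pattern seen</comment></reason>
      </policy_evaluated></row>
    <identifiers><header_from>mypersonaldomain.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>reject downgraded to junk folder</comment></reason>
      </policy_evaluated></row>
    <identifiers><header_from>mypersonaldomain.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>mypersonaldomain.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>mypersonaldomain.org</header_from></identifiers>
  </record>
</feedback>
"""


def extract_overrides(report_xml: str) -> Dict:
    """Return the reporter, the published p= value, every record whose
    disposition deviated from it, and a Counter of message counts per reason."""
    root = ET.fromstring(report_xml)
    published = root.findtext("policy_published/p")
    result = {
        "reporter": root.findtext("report_metadata/org_name"),
        "published_policy": published,
        "overrides": [],
        "messages_by_reason": Counter(),
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # dkim/spf here are the aligned DMARC results, not the raw checks.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue  # DMARC passed, so the policy never applied
        disposition = evaluated.findtext("disposition")
        reasons = [r.findtext("type") for r in evaluated.findall("reason")]
        if disposition == published and not reasons:
            continue  # receiver honored the published policy
        count = int(row.findtext("count"))
        for reason in reasons or ["unreported"]:  # "unreported" is this example's own label
            label = reason if reason in OVERRIDE_TYPES or reason == "unreported" else f"unknown:{reason}"
            result["messages_by_reason"][label] += count
        result["overrides"].append({
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": disposition,
            "reasons": reasons,
        })
    return result


if __name__ == "__main__":
    summary = extract_overrides(SAMPLE_REPORT)
    for o in summary["overrides"]:
        print(o["source_ip"], o["count"], o["disposition"], o["reasons"])
    print(dict(summary["messages_by_reason"]))
```

Run over a real report, the per-reason tally shows how many messages reached inboxes despite a p=reject policy and which receivers made that call; a growing “unreported” bucket means a receiver is deviating without supplying the reason that RFC 7489 asks for.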

What are the DMARC Policy Overrides?

DMARC consists of two parts.

DMARC policy – Created by the sending organization and published in its public-facing DNS alongside its SPF and DKIM records. It specifies how the receiving side should deal with messages that do not comply with the policy.

DMARC verification – Performed by the recipient organization (typically on its email security gateway). It checks every message received from a given sending organization against the policy in that organization’s DMARC record. Receiving organizations have the same right to set their own handling policies as sending organizations have to publish DMARC policies.

A DMARC policy is a request, not an obligation. It asks receiving mail servers to handle messages from your domain, or messages impersonating it, in a particular way.

Email receivers are not bound to strict guidelines for processing incoming email. They can set their own policies about which messages to accept and reject, and apply those standards to the mail they receive.

If the receiver considers a message valid, it can accept it. Even if the email fails DMARC, the receiver can use its local policy to deliver it to the mailbox. In practice, the receiver’s policy may take precedence over the domain owner’s.

How can a receiving organization override my DMARC policy?

Other organizations can override your DMARC policy in their DMARC verification tools, where they decide their own policies for responding to incoming messages. Depending on the system used, administrators can apply such overrides to all sending domains or only to selected ones.

Note that DMARC policies are set by domain owners and apply only to that organization’s domains. A DMARC policy cannot affect the addresses or messages of other organizations.

DMARC Policy Failure vs DMARC Policy Overrides: What Is the Difference?

A DMARC failure occurs when a sending domain has not properly implemented DMARC, so DKIM and SPF verification fail on the receiver’s side. Receivers may reject your messages or mark them as spam when they cannot verify their legitimacy. In this case the receiving mail server respects the sender’s policy rather than replacing it with its own local policy.

A DMARC policy override is when the receiving mail server does not honor the sender’s policy and instead replaces it with its own local policy. If the sender has a strict p=reject policy for messages without SPF/DKIM verification, the recipient’s mail server may override it and deliver the message anyway.

PowerDMARC allows you to keep track of DMARC policy overrides.

Keeping up with DMARC policy overrides is essential to preventing email spoofing and impersonation, yet most organizations lack the time or resources to track them.

You cannot stop DMARC policy overrides, but you can track them with our DMARC service. You receive complete reports detailing which organizations overrode your policy mode, what kinds of messages were allowed through and what the recipients permitted. This lets you see who has spoofed or impersonated your domain and take appropriate action.
