DMARC Policy Override Reasons

Email receivers can optionally accept email even if it fails authentication. When they do, you can see why using the PolicyOverride field in DMARC reports.
This article explores the common PolicyOverride reasons found in DMARC reports and what they mean.

forwarded

This occurs when the mail receiver believes that the email was forwarded. It makes this guess from local heuristics or protocol evidence, such as IP reputation, headers (X-Forwarded-For, Resent-From), user configuration (e.g., a Gmail user forwards from one mailbox to another), and traffic shape.
It's also common to see SRS (Sender Rewriting Scheme) employed on forwarded email, where the proxy server (forwarding MTA) rewrites the Return-Path to its own domain. In this case, SPF will pass for the new domain, but DMARC alignment will fail. This is a signal of forwarded email.

mailing_list

Mailing lists commonly add a subject tag (e.g., [Mailing-List]: Subject) or an unsubscribe footer. This breaks DKIM, since the modified message no longer matches the original sender's signature and no one but the original sender can sign for that domain.
The receiving mail server can check for a List-Id header (RFC 2919) and then verify the reputation of the IP address. It should also check the new DKIM key and ensure that the mail is coming from a reputable IP.

local_policy

The most ambiguous but versatile override reason. It simply means that the receiving mail server decided to accept the email based on its own policies.
A very common cause is ARC (Authenticated Received Chain). With ARC, intermediate servers can sign and "seal" the message with cryptographic email headers that can be validated later. The receiving email server can then verify the ARC headers and, depending on reputation, trust the email. When ARC is used, it's common to see a value such as "arc=pass" in the comment field.
Besides ARC, local_policy could also be used for reputation whitelists or user-level whitelists.

sampled_out

The DMARC pct tag allows domain owners to apply DMARC to only a percentage of their email. If an email would have failed but the policy isn't applied to it because of the pct check, it will be marked as sampled_out.

trusted_forwarder

A deprecated method used when the receiving server maintains a whitelist of known forwarders. This approach has a high maintenance burden and has been largely replaced by better heuristics such as ARC.

other

A catch-all for other reasons not covered by the specific override types:
  • If the DMARC engine is experiencing issues (database timeouts), it could "fail-open" and allow the email through
  • Failure in parsing or limit exceeded
  • Experimentation
When looking at policy overrides with "other", it's important to examine the comment field for additional context.

Conclusion

When investigating DMARC failure reports, it's important to look at the PolicyOverride reason for cases where DKIM/SPF failed but the email was still accepted. Understanding these override reasons helps you distinguish between legitimate email flows (like forwarding and mailing lists) and potential security concerns.
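
One way to run this triage over an aggregate report, as an added example (not code from the original article): it lists the override reasons on rows where both DKIM and SPF failed, totals message volume per reason, and flags the overrides whose comment field deserves a closer look. It assumes the RFC 7489 aggregate-report XML layout without an XML namespace; the function names and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>4</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  <reason><type>local_policy</type><comment>arc=pass</comment></reason>
 </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  <reason><type>other</type></reason>
 </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>1</count><policy_evaluated>
  <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
 </policy_evaluated></row></record>
</feedback>"""

KNOWN = {"forwarded", "mailing_list", "local_policy", "sampled_out", "trusted_forwarder", "other"}

def overridden_rows(xml_text):
    """One entry per override reason on rows where DKIM and SPF both failed."""
    rows = []
    for row in ET.fromstring(xml_text).iterfind("record/row"):
        pe = row.find("policy_evaluated")
        if pe is None or pe.findtext("dkim") != "fail" or pe.findtext("spf") != "fail":
            continue
        for reason in pe.iterfind("reason"):  # absent when no override was applied
            rows.append({
                "source_ip": row.findtext("source_ip", ""),
                "count": int(row.findtext("count", "0")),
                "disposition": pe.findtext("disposition", ""),
                "type": (reason.findtext("type") or "").strip(),
                "comment": (reason.findtext("comment") or "").strip(),
            })
    return rows

def tally(rows):
    """Message volume per override type."""
    totals = Counter()
    for r in rows:
        totals[r["type"]] += r["count"]
    return totals

def needs_review(rows):
    """Overrides that explain little: 'other', unknown types, local_policy without a comment."""
    return [r for r in rows if r["type"] not in KNOWN or r["type"] == "other"
            or (r["type"] == "local_policy" and not r["comment"])]
```

Reports arrive from third parties, so treat the XML as untrusted input and cap its size before parsing.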