How DMARC works - updated
How DMARC works with Google Mail and Office 365 in the autumn of 2020.
We’ve tested again how email authentication affects delivery
to Google Mail and Office 365 mailboxes, the most popular business email providers.
The results can be divided into two groups:
Email delivery
(how SPF, DKIM and DMARC affect the delivery of sent messages)
- Google Mail: emails are always accepted; SPF authentication seems not to be considered at all.
  The DKIM signature is evaluated only if it’s aligned with the From email address and DMARC is set with policy “quarantine” or “reject”.
- Office 365: it is fully responsive to SPF; when a message passes the SPF check, it reaches the Inbox.
  The DKIM signature is considered only if it’s aligned with the From email address; otherwise it doesn’t matter.

Note: in the last week of August, Office 365 behaved strangely:
only messages signed with DKIM (signing domain aligned with the From address)
and with a DMARC record set (with any policy) were delivered to the Inbox.
Spoofing protection
(how SPF, DKIM and DMARC protect the sender’s email address from being spoofed*)
* = making the message appear to come from someone other than the actual source
- Google Mail: with DMARC activated, spoofed senders get filtered to the Spam folder (with p=quarantine) or rejected (with p=reject).
  Nothing happens if the policy is set to “none” (p=none); in this case all the messages reach the Inbox.
- Office 365: an “spf fail” or “spf softfail” result is enough to send the fake senders to the Junk email folder.
Authentication requirements
The suggested email authentication requirements are summarized as follows:

provider | email delivery | spoofing protection |
---|---|---|
Google Mail | DKIM pass (domain aligned) | DMARC set with p=quarantine or p=reject |
Office 365 | SPF pass and DKIM pass (domain aligned) | SPF set and DMARC set (for added security) |

Email delivery test results
Below is the full range of tests that were performed:

spf | dkim | Google Mail | Google Mail (dmarc set) | Office 365 | Office 365 (dmarc set) |
---|---|---|---|---|---|
spf Pass | dkim none | inbox | inbox | inbox | inbox |
spf Fail | dkim none | inbox | spam | junk | junk |
spf SoftFail | dkim none | inbox | spam | junk | junk |
spf none | dkim none | inbox | spam | junk | junk |
spf Pass | dkim diff | inbox | inbox | inbox | inbox |
spf Fail | dkim diff | inbox | spam | junk | junk |
spf SoftFail | dkim diff | inbox | spam | junk | junk |
spf none | dkim diff | inbox | spam | junk | junk |
spf Pass | dkim pass | inbox | inbox | inbox | inbox |
spf Fail | dkim pass | inbox | inbox | inbox | inbox |
spf SoftFail | dkim pass | inbox | inbox | inbox | inbox |
spf none | dkim pass | inbox | inbox | inbox | inbox |
spf Pass | dkim invalid | inbox | inbox | inbox | inbox |
spf Fail | dkim invalid | inbox | spam | junk | junk |
spf SoftFail | dkim invalid | inbox | spam | junk | junk |
spf none | dkim invalid | inbox | spam | junk | junk |
Notes:
- the From address (visible sender) and the Mail-from (also called “envelope from” or “return-path”) are the same; they refer to the same domain
- “dkim pass”: the DKIM signing domain is the same as the one of the From address (the domain is aligned)
- “dkim diff”: the DKIM signing domain is different from the one of the From address (the domain IS NOT aligned)
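
As an added example (not part of the original tests, and not Google's or Microsoft's actual filtering logic), the Python code below applies the DMARC pass rule from RFC 7489 (SPF pass or DKIM pass, with the authenticated domain aligned to the From address) to the 16 combinations in the table. Its output matches the “Google Mail (dmarc set)” column. Assumptions: strict alignment (exact domain match), p=quarantine for the “dmarc set” case, “dkim invalid” meaning an aligned signature that fails verification, and constructed placeholder domains.

```python
# Added example: DMARC pass/fail per RFC 7489, strict alignment only.
# Domains are constructed placeholders; p=quarantine is an assumption.

def _norm(domain):
    return domain.lower().rstrip(".")

def dmarc_result(from_domain, spf_result, mail_from_domain, dkim_sigs):
    """Return 'pass' if at least one aligned identifier authenticates.

    dkim_sigs: list of (signing_domain, verified) tuples, one per signature.
    """
    fd = _norm(from_domain)
    spf_ok = spf_result == "pass" and _norm(mail_from_domain) == fd
    dkim_ok = any(ok and _norm(d) == fd for d, ok in dkim_sigs)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def disposition(result, policy):
    """Map the DMARC result and the published p= policy to a placement."""
    if result == "pass" or policy == "none":
        return "inbox"
    return {"quarantine": "spam", "reject": "reject"}[policy]

FROM = "example.com"  # constructed; Mail-from uses the same domain (see notes)
SPF_CASES = ["pass", "fail", "softfail", "none"]
DKIM_CASES = {
    "none": [],                               # no signature at all
    "diff": [("mailer.example.net", True)],   # valid, but not aligned
    "pass": [(FROM, True)],                   # valid and aligned
    "invalid": [(FROM, False)],               # assumed: fails verification
}

def matrix(policy="quarantine"):
    """Placement for every (spf, dkim) combination in the test table."""
    out = {}
    for dkim_name, sigs in DKIM_CASES.items():
        for spf in SPF_CASES:
            result = dmarc_result(FROM, spf, FROM, sigs)
            out[(spf, dkim_name)] = disposition(result, policy)
    return out

if __name__ == "__main__":
    for (spf, dkim), where in matrix().items():
        print(f"spf {spf:<8} dkim {dkim:<8} -> {where}")
```

Calling `matrix("none")` or `matrix("reject")` shows how the same authentication results map to the other two policies described in the spoofing protection section.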