how DMARC works
How dmarc works with Google Mail and Office 365 in 2020.
We’ve tested how email authentication affects the delivery
to Google Mail and Office 365, the most popular business emails providers.
The results can be divided into two groups:
-
emails delivery
(how spf, dkim and dmarc affect the delivery of sent messages)
Google mail: the emails are always accepted, authentication seems not to be considered at all
Office 365: is generally responsive to spf and dkim. The only way to get consistent results, reaching the inbox, is to associate them with dmarc
-
spoofing protection
(how spf, dkim and dmarc protect the sender’s email address from being spoofed*)
* = make the message appear from someone other than the actual source
Google mail: combining dmarc and spf (fail or softfail qualifiers), the spoofed senders get filtered to the Spam folder or rejected (depending on your dmarc settings)
Office 365: spf (fail or softfail qualifiers) is enough to send fake senders to the Junk email folder
They are summarized as follows:
| emails delivery | spoofing protection | |
|---|---|---|
| Google Mail | always accepted, authentication is not considered at all | dmarc + spf (fail or softfail) |
| Office 365 | dmarc + spf pass or dmarc + dkim pass | spf (fail or softfail) |
Below there is the full range of tests that have been made.
| Google Mail | Office 365 | |
|---|---|---|
| spf Pass - dkim none | inbox | inbox |
| spf Fail - dkim none | inbox | junk |
| spf SoftFail - dkim none | inbox | junk |
| spf Neutral - dkim none | inbox | inbox |
| spf none - dkim none | inbox | junk |
| spf Pass - dkim pass | inbox | junk* |
| spf Fail - dkim pass | inbox | junk |
| spf SoftFail - dkim pass | inbox | junk* |
| spf Neutral - dkim pass | inbox | junk* |
| spf none - dkim pass | inbox | junk* |
| spf Pass - dkim invalid | inbox | junk |
| spf Fail - dkim invalid | inbox | junk |
| spf SoftFail - dkim invalid | inbox | junk |
| spf Neutral - dkim invalid | inbox | junk |
| spf none - dkim invalid | inbox | junk |
| spf Pass - dkim invalid - dmarc reject | inbox | inbox |
| spf Fail - dkim invalid - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf SoftFail - dkim invalid - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Neutral - dkim invalid - dmarc reject | inbox | inbox |
| spf none - dkim invalid - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Pass - dkim pass - dmarc reject | inbox | inbox |
| spf Fail - dkim pass - dmarc reject | inbox | inbox |
| spf SoftFail - dkim pass - dmarc reject | inbox | inbox |
| spf Neutral - dkim pass - dmarc reject | inbox | inbox |
| spf none - dkim pass - dmarc reject | inbox | inbox |
| spf Pass - dkim diff - dmarc reject | inbox | inbox |
| spf Fail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf SoftFail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Neutral - dkim diff - dmarc reject | inbox | inbox |
| spf none - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
Notes:
- the from address (visible sender) and the envelope from (return-path) are from the same domain
- “dkim pass”: the dkim signing domain is the same as the one of the from address
- “dkim diff”: the dkim signing domain is different than the one of the from address
- the asterisks in the second group means that the results have not been consistent over time