how DMARC works - updated

How dmarc works with Google Mail and Office 365 in the autumn of 2020.

We’ve tested again how email authentication affects the delivery
to Google Mail and Office 365 mailboxes, the most popular business emails providers.

The results can be divided into two groups:

emails delivery

(how spf, dkim and dmarc affect the delivery of sent messages)
 
# Google mail: the emails are always accepted, the spf authentication seems not to be considered at all
   Dkim signature is evaluated only if it’s aligned with the From email address and dmarc is set with policy “quarantine” or “reject”.
 
# Office 365: is fully responsive to spf, when a message passes the spf check, it reaches the Inbox.
   Dkim signature is considered only if it’s aligned with the From email address, otherwise it doesn’t matter.
 
   Notes: in the last week of August Office 365 had a strange behavior:
   only the messages signed with dkim (signing domain aligned with the From address)
   and dmarc record set (with any policy), were delivered to the Inbox

spoofing protection

(how spf, dkim and dmarc protect the sender’s email address from being spoofed*)
* = make the message appear from someone other than the actual source
 
# Google mail: activating dmarc, the spoofed senders get filtered to the Spam folder (with p=quarantine) or rejected (with p=reject).
   Nothing happens if the policy is set to “none” (p=none), in this case all the messages reach the Inbox.
 
# Office 365: “spf fail” or “spf softfail” results, are enough to send the fake senders to the Junk email folder.

 

authentication requirements

the suggested email authentication requirements, are summarized as follows:

emails delivery spoofing protection
Google Mail dkim pass (domain aligned) dmarc set with p=quarantine or p=reject
Office 365 spf pass and dkim pass (domain aligned) spf set and dmarc set (for added security)

 

email delivery test results

below there is the full range of tests that have been made

Google Mail Google Mail
(dmarc set)
Office 365 Office 365
(dmarc set)
spf Pass dkim none inbox inbox inbox inbox
spf Fail dkim none inbox spam junk junk
spf SoftFail dkim none inbox spam junk junk
spf none dkim none inbox spam junk junk
spf Pass dkim diff inbox inbox inbox inbox
spf Fail dkim diff inbox spam junk junk
spf SoftFail dkim diff inbox spam junk junk
spf none dkim diff inbox spam junk junk
spf Pass dkim pass inbox inbox inbox inbox
spf Fail dkim pass inbox inbox inbox inbox
spf SoftFail dkim pass inbox inbox inbox inbox
spf none dkim pass inbox inbox inbox inbox
spf Pass dkim invalid inbox inbox inbox inbox
spf Fail dkim invalid inbox spam junk junk
spf SoftFail dkim invalid inbox spam junk junk
spf none dkim invalid inbox spam junk junk

Notes:

  • the From address (visible sender) and the Mail-from (also said “envelope from” or “return-path”) are the same, they refer to the same domain
  • “dkim pass”: the dkim signing domain is the same as the one of the From address (the domain is aligned)
  • “dkim diff”: the dkim signing domain is different than the one of the From address (the domain IS NOT aligned)