how DMARC works
How dmarc works with Google Mail and Office 365 in 2020 ?
We’ve tested how email authentication affects the delivery
to Google Mail and Office 365, the most popular business emails providers.
The results can be divided into two groups:
-
emails delivery
(how spf, dkim and dmarc affect the delivery of sent messages)
Google mail: the emails are always accepted, authentication seems not to be considered at all
Office 365: is generally responsive to spf and dkim. The only way to get consistent results, reaching the inbox, is to associate them with dmarc
-
spoofing protection
(how spf, dkim and dmarc protect the sender’s email address from being spoofed*)
* = make the message appear from someone other than the actual source
Google mail: combining dmarc and spf (fail or softfail qualifiers), the spoofed senders get filtered to the Spam folder or rejected (depending on your dmarc settings)
Office 365: spf (fail or softfail qualifiers) is enough to send fake senders to the Junk email folder
They are summarized as follows:
| emails delivery | spoofing protection | |
|---|---|---|
| Google Mail | always accepted, authentication is not considered at all | dmarc + spf (fail or softfail) |
| Office 365 | dmarc + spf pass or dmarc + dkim pass | spf (fail or softfail) |
Below there is the full range of tests that have been made.
| Google Mail | Office 365 | |
|---|---|---|
| spf Pass - dkim none | inbox | inbox |
| spf Fail - dkim none | inbox | junk |
| spf SoftFail - dkim none | inbox | junk |
| spf Neutral - dkim none | inbox | inbox |
| spf none - dkim none | inbox | junk |
| spf Pass - dkim pass | inbox | junk* |
| spf Fail - dkim pass | inbox | junk |
| spf SoftFail - dkim pass | inbox | junk* |
| spf Neutral - dkim pass | inbox | junk* |
| spf none - dkim pass | inbox | junk* |
| spf Pass - dkim invalid | inbox | junk |
| spf Fail - dkim invalid | inbox | junk |
| spf SoftFail - dkim invalid | inbox | junk |
| spf Neutral - dkim invalid | inbox | junk |
| spf none - dkim invalid | inbox | junk |
| spf Pass - dkim invalid - dmarc reject | inbox | inbox |
| spf Fail - dkim invalid - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf SoftFail - dkim invalid - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Neutral - dkim invalid - dmarc reject | inbox | inbox |
| spf none - dkim invalid - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Pass - dkim pass - dmarc reject | inbox | inbox |
| spf Fail - dkim pass - dmarc reject | inbox | inbox |
| spf SoftFail - dkim pass - dmarc reject | inbox | inbox |
| spf Neutral - dkim pass - dmarc reject | inbox | inbox |
| spf none - dkim pass - dmarc reject | inbox | inbox |
| spf Pass - dkim diff - dmarc reject | inbox | inbox |
| spf Fail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf SoftFail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Neutral - dkim diff - dmarc reject | inbox | inbox |
| spf none - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
Notes:
- the from address (visible sender) and the envelope from (return-path) are from the same domain
- “dkim pass”: the dkim signing domain is the same as the one of the from address
- “dkim diff”: the dkim signing domain is different than the one of the from address
- the asterisks in the second group means that the results have not been consistent over time