How do I handle spoofing when DMARC reject is set but not enforced on inbound mail server?
Summary
What email marketers say: 9 marketer opinions
Email marketer from Proofpoint shares that DMARC enforcement on the receiving end is crucial. A DMARC record only instructs receiving mail servers on how to handle mail failing authentication checks. If the inbound server ignores the DMARC policy, spoofing can still occur. Consider using email security solutions that enforce DMARC for inbound emails.
Email marketer from Reddit mentions that it is a common misconception that setting DMARC is enough. Setting up the record in DNS is not enough - you have to also ensure that the receiving end actually performs the checks. Without that you will still have spoofing.
Email marketer from Reddit mentions that DMARC relies on the recipient mail server to respect the policy. If the receiving server doesn't check DMARC, spoofed emails can still get through. It is up to each provider to enforce it, so you may have to contact them.
Marketer from Email Geeks shares that a DMARC record with p=reject is useless if recipients don't check DMARC. If a provider doesn't enforce DMARC, you should ask them to do so, or change providers. Also, the fact that one of the client's colleagues received the phishing email does not mean the whole world is targeted. If the emails are only affecting internal mailboxes, then getting the email provider (OVH) to act is the best course of action.
Email marketer from Email Security Advice mentions that DMARC is only as effective as the recipient's mail server's willingness to check the records and comply with the rules you have set. If the receiver of your email does not check, or ignores your request, then the receiving user will still get those emails that you have specified to reject.
Marketer from Email Geeks shares that DMARC is not a spam filtering technology and there are better tools for that. Deployed incorrectly, DMARC can cause a lot of false positives and has a very niche use. Also, providers like Google, Yahoo!, and Microsoft check DMARC globally and use ARC to reduce false positives, potentially using AI/ML to deduce if a DMARC policy should be honored.
Email marketer from Email Security Forums explains that even with DMARC set to reject, some mail servers might not enforce the policy, allowing spoofed emails through. Monitor your DMARC reports to understand how different mail servers are handling your email and identify those not enforcing DMARC. Complain to those not enforcing DMARC or consider using other filtering solutions to protect your inbound email.
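The aggregate-report check suggested above, written out as an added example (this is not code from the forum post, and not from any vendor quoted on this page). It assumes the RFC 7489 Appendix C report schema; the report it parses is constructed, so the reporter name, IPs and report id are made up. The point it makes: in a row where the aligned DKIM and SPF results are both "fail", the disposition the receiver reports is what it actually did, so a disposition of "none" against a published p=reject is a receiver that did not enforce your policy, and the optional <reason> element tells you why (an ARC or local-policy override, for instance).

```python
"""Audit a DMARC aggregate (RUA) report for receivers that did not apply the
published policy. Added example; not code from any source quoted on this page.
Assumes the aggregate-report XML schema of RFC 7489 Appendix C; the report
below is constructed (org name, IPs and report id are made up)."""
import xml.etree.ElementTree as ET

# Constructed sample: three sources sending as example.com (published p=reject).
#  192.0.2.10   failed SPF+DKIM alignment and was rejected, as requested
#  198.51.100.7 failed SPF+DKIM alignment but was delivered (disposition none);
#               the receiver explains the override in <reason> (arc=pass)
#  203.0.113.5  the legitimate sender, aligned DKIM and SPF pass
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><email>dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>arc=pass</comment></reason>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def audit_report(xml_text):
    """Per-source findings. policy_evaluated/dkim and /spf are the *aligned*
    results, so DMARC fails only when both are "fail"; for those rows the
    receiver should have applied policy_published/p (sp for subdomains).
    Any other disposition means the receiver overrode the request; the
    optional <reason> says why (sampled_out is expected when pct < 100)."""
    root = ET.fromstring(xml_text)
    domain = _text(root, "policy_published/domain").lower()
    p = _text(root, "policy_published/p", "none")
    sp = _text(root, "policy_published/sp", p)
    findings = []
    for rec in root.findall("record"):
        header_from = _text(rec, "identifiers/header_from").lower()
        expected = p if header_from == domain else sp
        dkim = _text(rec, "row/policy_evaluated/dkim", "fail")
        spf = _text(rec, "row/policy_evaluated/spf", "fail")
        dmarc_pass = dkim == "pass" or spf == "pass"
        disposition = _text(rec, "row/policy_evaluated/disposition", "none")
        reasons = [(_text(r, "type"), _text(r, "comment"))
                   for r in rec.findall("row/policy_evaluated/reason")]
        sampled_out = any(t == "sampled_out" for t, _ in reasons)
        findings.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "dmarc_pass": dmarc_pass,
            "expected_disposition": expected,
            "actual_disposition": disposition,
            "policy_not_enforced": (not dmarc_pass and disposition != expected
                                    and not sampled_out),
            "reasons": reasons,
        })
    return {"reporter": _text(root, "report_metadata/org_name"),
            "domain": domain, "findings": findings}


def unenforced_sources(xml_text):
    """Rows where DMARC failed but the receiver did not apply the published policy."""
    return [f for f in audit_report(xml_text)["findings"] if f["policy_not_enforced"]]


if __name__ == "__main__":
    report = audit_report(SAMPLE_REPORT)
    print(f"report from {report['reporter']} for {report['domain']}")
    for f in report["findings"]:
        flag = "NOT ENFORCED" if f["policy_not_enforced"] else "ok"
        print(f"  {f['source_ip']:<14} n={f['count']:<3} dmarc_pass={f['dmarc_pass']!s:<5} "
              f"expected={f['expected_disposition']} actual={f['actual_disposition']:<6} "
              f"{flag} {f['reasons']}")
```

Run it over the reports you receive at your rua= address (most arrive as gzip or zip attachments containing one XML file) and group the unenforced rows by reporter: a receiver that consistently reports disposition "none" for aligned-fail rows without a reason is the one to contact.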
Email marketer from SparkPost shares that DMARC policies are not universally enforced. If a receiving server ignores DMARC, spoofing can still occur. Make sure that the correct DNS records are set up and to continue to monitor DMARC reports. Improve deliverability through better list hygiene.
Email marketer from Mailjet explains that DMARC’s effectiveness relies on recipient mail servers respecting the published policy. If a receiving server doesn't perform DMARC checks or ignores the policy, spoofed emails will bypass the intended protection. Implement SPF and DKIM correctly to improve chances of authentication passing and make it easier for a server to accept DMARC.
What the experts say: 5 expert opinions
Expert from Word to the Wise explains that proper monitoring of DMARC reports is vital to understanding how recipients are treating your DMARC policies. If you are not receiving or analyzing these reports, you will not know if your policy is being followed or if spoofing attempts are occurring. Use DMARC monitoring tools to help read and interpret DMARC aggregate reports.
Expert from Email Geeks explains that the client is not enforcing DMARC on the inbound mail server for their domain, meaning the incoming mail server for nesformation.fr is not checking for DMARC. To fix this, implement DMARC checking, likely through cPanel or a similar interface at OVH.
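What "implement DMARC checking on the inbound server" actually involves, as an added example (not code from the Email Geeks expert, and not from any product quoted here). It shows the receiver-side decision an inbound MTA has to make for a sender's p=reject to mean anything: look up the From-domain's DMARC record, check whether the SPF or DKIM result is aligned with the From domain, and apply the published disposition. Everything in it is constructed: the two messages, the DMARC record for example.com, the authserv-id mx.receiver.example and the domain attacker.example. The DNS lookup of _dmarc.<domain> is replaced by a dict so it runs offline, and organizational-domain detection is simplified to the last two labels (a real receiver uses the Public Suffix List).

```python
"""Receiver-side DMARC evaluation: what an inbound MTA must do for a published
p=reject to have any effect. Added example, not code from the experts quoted on
this page. Messages, record, authserv-id and domains are constructed; the DNS
lookup of _dmarc.<domain> is a dict; org-domain detection is simplified to the
last two labels (a real receiver uses the Public Suffix List)."""
import re
from email import message_from_string

# Stand-in for the TXT lookup of _dmarc.example.com (constructed record).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100; rua=mailto:dmarc@example.com",
}

# Constructed spoof: SPF passes for the attacker's own bounce domain and there is
# no DKIM, but the From header claims example.com. Only alignment catches this.
SPOOFED = """From: CEO <ceo@example.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=none

Please pay the attached invoice today.
"""
# Constructed legitimate mail: SPF fails (relayed) but an aligned DKIM pass suffices.
LEGIT = """From: CEO <ceo@example.com>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bounce@mta.example.com; dkim=pass header.d=example.com header.s=sel1

Hello.
"""


def parse_dmarc_record(txt):
    """tag=value parser with the RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    for k, v in (("p", "none"), ("adkim", "r"), ("aspf", "r")):
        tags.setdefault(k, v)
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain):
    # Simplified: assumes a one-label public suffix (right for .com, wrong for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_auth_results(value):
    """Authentication-Results -> [(method, result, domain)] for spf and dkim."""
    out = []
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        key = "smtp.mailfrom" if method == "spf" else "header.d"
        d = re.search(re.escape(key) + r"=([^\s;]+)", clause)
        dom = d.group(1) if d else ""
        out.append((method, result, dom.split("@")[-1]))
    return out


def evaluate_dmarc(raw_message, records=DMARC_RECORDS):
    """Return (disposition, detail) the way a DMARC-checking receiver would."""
    msg = message_from_string(raw_message)
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    if not m:
        return ("reject", "no usable From domain")   # local-policy choice in this example
    from_domain = m.group(1).lower()
    exact = from_domain in records
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if record is None:
        return ("none", "no DMARC record published")
    pol = parse_dmarc_record(record)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_ok = any(r == "pass" and aligned(d, from_domain, pol["aspf"])
                 for meth, r, d in auth if meth == "spf")
    dkim_ok = any(r == "pass" and aligned(d, from_domain, pol["adkim"])
                  for meth, r, d in auth if meth == "dkim")
    if spf_ok or dkim_ok:
        return ("none", "dmarc=pass")
    # p applies to the exact domain, sp to its subdomains (pct sampling omitted here).
    return (pol["p"] if exact else pol["sp"], "dmarc=fail")


def inbound_decision(raw_message, enforce=True):
    """enforce=False is the misconfiguration in the question: the published
    policy says reject, but the inbound server never consults it."""
    if not enforce:
        return "deliver"
    disposition, _ = evaluate_dmarc(raw_message)
    return disposition if disposition in ("reject", "quarantine") else "deliver"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, evaluate_dmarc(raw), "enforced:", inbound_decision(raw),
              "not enforced:", inbound_decision(raw, enforce=False))
```

The spoofed message is the case from the question: SPF is a genuine pass for the attacker's bounce domain, so a server that only runs SPF accepts it; only the alignment step against the From domain turns the published p=reject into an actual rejection. In production this logic lives in a milter or the hosting panel's mail filter rather than in your own code, but the inputs it needs (an Authentication-Results header written by the same MTA, and the sender's DNS record) are the same.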
Expert from Spam Resource shares that while DMARC is designed to prevent spoofing, its effectiveness depends on recipient mail servers enforcing the policy. If inbound servers ignore DMARC, spoofed emails can still land in inboxes. Suggests contacting the recipient's ISP or email provider to push for DMARC adoption and enforcement, or consider using alternative email filtering solutions at the receiving end.
Expert from Email Geeks explains that publishing a DMARC policy is a request, not a requirement, for others to respect it. Global mailbox providers like G Suite and O365 allow DMARC to be turned on/off on a per-domain basis, or will take it into account when making delivery decisions.
Expert from Word to the Wise responds that achieving DMARC compliance is not a one-time event. Even with a strict reject policy, some providers may not fully comply. Continuous monitoring and adjustments are needed to maintain protection against spoofing. Understand that receivers may make their own decision based on their experience of email originating from a sender.
What the documentation says: 5 technical articles
Documentation from Cloudflare advises that DMARC is effective in protecting domains from email spoofing. However, it relies on the destination email provider to actually check and respect the DMARC record settings. In the event that a destination server does not respect or check a DMARC record, there will be no protection against spoofing.
Documentation from the DMARC RFC details DMARC, what it does, and it also highlights that receivers need to be configured correctly in order to respect the policies set by the owner of the domain. The receivers should also provide feedback in the form of reports to the senders so that they can improve.
Documentation from DMARC.org explains that DMARC allows domain owners to specify how email receivers should handle messages that fail authentication. However, the receiver must actively check and enforce DMARC for this to be effective. DMARC cannot force inbound mail servers to use DMARC checks, it is a decision made by each receiving mail server.
Documentation from Microsoft explains that anti-spoofing protection in Office 365 relies on SPF, DKIM, and DMARC. If inbound mail servers are not configured to check these protocols, spoofed email can bypass these security measures. Ensure Microsoft 365 is set to respect and enforce DMARC policies of sending domains.
Documentation from Google Workspace Admin Help explains that even with a DMARC record set to reject, inbound mail servers must still perform DMARC checks. If the receiving server doesn't check DMARC, spoofed emails can still land in inboxes. Workspace can be configured to check incoming mail for DMARC compliance and quarantine non-compliant messages.