How do I handle spoofing when DMARC reject is set but not enforced on inbound mail server?

Summary

When DMARC 'reject' is set but not enforced on inbound servers, spoofed emails can still bypass security measures. The core issue is that DMARC's effectiveness hinges on the recipient mail server actively checking and enforcing the DMARC policy. Setting up DMARC is only the first step; if the inbound server doesn't respect the policy, spoofed emails can land in inboxes. Experts, marketers, and documentation uniformly suggest that continuous monitoring of DMARC reports is vital to understand how receivers treat DMARC policies, and that implementing DMARC checking on the inbound server is crucial. Furthermore, contacting ISPs and providers to push for DMARC adoption and enforcement is essential. Achieving DMARC compliance isn't a one-time event but an ongoing process requiring monitoring and adjustments. Major email platforms offer configurations for checking DMARC compliance on inbound mail.

Key findings

  • Enforcement Dependency: DMARC's success depends entirely on the recipient mail server actively enforcing the DMARC policy, making it a critical point of failure.
  • Non-Universal Enforcement: DMARC policies are not universally enforced, leading to potential spoofing vulnerabilities, even with a 'reject' policy in place.
  • Monitoring Imperative: Continuous monitoring of DMARC reports is essential to discern how different mail servers handle your email and pinpoint enforcement gaps.
  • Proactive Configuration: Major email platforms like Google Workspace and Microsoft 365 offer settings for checking DMARC compliance on inbound emails, which must be actively configured.
  • Ongoing Process: DMARC compliance requires continuous monitoring and adjustments to maintain optimal protection against spoofing attempts.

Key considerations

  • Enable Inbound Checks: Implement DMARC checking on your own inbound mail server to protect against spoofed emails targeting your domain.
  • Monitor DMARC Reports: Regularly analyze DMARC reports to gain insights into policy adherence, identify potential issues, and refine DMARC implementation.
  • Advocate for Enforcement: Contact ISPs and email providers to encourage DMARC adoption and enforcement, contributing to a more secure email ecosystem.
  • Stay Vigilant: Recognize that DMARC compliance is not a one-time task; maintain vigilance and make continuous improvements to your email security posture.
  • Consider Alternative Solutions: Explore alternative email filtering solutions that enforce DMARC for inbound emails, providing an additional layer of protection when recipient servers fail to enforce policies.

What email marketers say
9Marketer opinions

DMARC's effectiveness in preventing email spoofing hinges on the recipient mail server's enforcement of the DMARC policy. While setting a DMARC record to 'reject' instructs receiving servers on how to handle authentication failures, many servers do not consistently enforce this policy. This can lead to spoofed emails bypassing intended protections. Experts and marketers suggest strategies like monitoring DMARC reports, contacting non-enforcing providers, implementing stronger email security solutions, and ensuring proper SPF and DKIM setup to mitigate the risks.

Key opinions

  • Enforcement Issue: DMARC relies on the recipient mail server to respect and enforce the specified policies; a DMARC record alone isn't enough.
  • Non-Universal: DMARC policies are not universally enforced, leading to potential spoofing bypasses.
  • Monitoring Necessity: Monitoring DMARC reports is essential to understanding how different mail servers handle your email and identify enforcement issues.
  • Limited Scope: DMARC is not a comprehensive spam filtering solution; other security tools are necessary for broader protection.
  • Provider Dependant: Effectiveness of a DMARC record is limited to how well each email provider respects and enforces the set polices. If an email provider isn't enforcing then it won't work as expected

Key considerations

  • Proactive Measures: Consider implementing stronger email security solutions and contacting providers not enforcing DMARC.
  • Basic Setup: Ensure SPF and DKIM are correctly implemented to maximize the chances of authentication passing and DMARC working as intended.
  • Internal Impact: If spoofing mainly affects internal emails, focus on getting your own email provider to enforce DMARC.
  • DMARC reports: Continuously monitoring DMARC reports will give you an indication of who is ignoring the requests of the DMARC record.
Marketer view

Email marketer from Proofpoint shares that DMARC enforcement on the receiving end is crucial. A DMARC record only instructs receiving mail servers on how to handle mail failing authentication checks. If the inbound server ignores the DMARC policy, spoofing can still occur. Consider using email security solutions that enforce DMARC for inbound emails.

October 2022 - Proofpoint
Marketer view

Email marketer from Reddit mentions that it is a common misconception that setting DMARC is enough. Setting up the record in DNS is not enough - you have to also ensure that the receiving end actually performs the checks. Without that you will still have spoofing.

April 2021 - Reddit
Marketer view

Email marketer from Reddit mentions that DMARC relies on the recipient mail server to respect the policy. If the receiving server doesn't check DMARC, spoofed emails can still get through. It is up to each provider to enforce it, so you may have to contact them.

June 2023 - Reddit
Marketer view

Marketer from Email Geeks shares that a DMARC record with p=reject is useless if recipients don't check DMARC. If a provider doesn't enforce DMARC, you should ask them to do so, or change providers. Also, because one of the client's colleagues received the phishing email does not mean the whole world is targeted. If the emails are only affecting internal emails then getting the email provider (OVH) to act is the best course of action.

September 2024 - Email Geeks
Marketer view

Email marketer from Email Security Advice mentions that DMARC is only as effective as the recipient's mail server's willingness to check the records and comply with the rules you have set. If the receiver of your email does not check, or ignores your request, then the receiving user will still get those emails that you have specified to reject.

April 2021 - Email Security Advice
Marketer view

Marketer from Email Geeks shares that DMARC is not a spam filtering technology and there are better tools for that. Deployed incorrectly, DMARC can cause a lot of false positives and has a very niche use. Also, providers like Google, Yahoo!, and Microsoft check DMARC globally and use ARC to reduce false positives, potentially using AI/ML to deduce if a DMARC policy should be honored.

April 2023 - Email Geeks
Marketer view

Email marketer from Email Security Forums explains that even with DMARC set to reject, some mail servers might not enforce the policy, allowing spoofed emails through. Monitor your DMARC reports to understand how different mail servers are handling your email and identify those not enforcing DMARC. Complain to those not enforcing DMARC or consider using other filtering solutions to protect your inbound email.

September 2024 - Email Security Forums
Marketer view

Email marketer from SparkPost shares that DMARC policies are not universally enforced. If a receiving server ignores DMARC, spoofing can still occur. Make sure that the correct DNS records are set up and to continue to monitor DMARC reports. Improve deliverability through better list hygiene.

May 2021 - SparkPost
Marketer view

Email marketer from Mailjet explains that DMARC’s effectiveness relies on recipient mail servers respecting the published policy. If a receiving server doesn't perform DMARC checks or ignores the policy, spoofed emails will bypass the intended protection. Implement SPF and DKIM correctly to improve chances of authentication passing and make it easier for a server to accept DMARC.

June 2021 - Mailjet

What the experts say
5Expert opinions

When DMARC 'reject' is set but not enforced on inbound servers, spoofed emails can still reach inboxes. This is because DMARC policies are requests, not requirements, and their effectiveness hinges on recipient mail server enforcement. Experts recommend implementing DMARC checking on your inbound server, continuously monitoring DMARC reports to track policy adherence, and contacting ISPs or providers to advocate for DMARC adoption. Achieving DMARC compliance is an ongoing process requiring monitoring and adjustment.

Key opinions

  • DMARC Enforcement: DMARC's effectiveness depends on recipient mail servers actively enforcing the policy.
  • DMARC as a Request: Publishing a DMARC policy is a request, not a guarantee, that it will be followed.
  • Monitoring Importance: Continuous monitoring of DMARC reports is essential for understanding how recipients are treating your policies.
  • Continual task: Even with a strict reject policy some providers may not comply so it is a task that needs continual monitoring and assessment.

Key considerations

  • Inbound DMARC Checking: Implement DMARC checking on your own inbound mail server.
  • Continuous Monitoring: Regularly analyze DMARC reports to understand policy adherence and identify potential issues.
  • Advocate for DMARC: Contact ISPs and email providers to encourage DMARC adoption and enforcement.
  • Ongoing Process: Recognize that DMARC compliance is not a one-time task and requires ongoing monitoring and adjustments.
Expert view

Expert from Word to the Wise explains that proper monitoring of DMARC reports is vital to understanding how recipients are treating your DMARC policies. If you are not receiving or analyzing these reports, you will not know if your policy is being followed or if spoofing attempts are occurring. Use DMARC monitoring tools to help read and interpret DMARC aggregate reports.

October 2023 - Word to the Wise
Expert view

Expert from Email Geeks explains the client is not enforcing DMARC on the inbound mail server for their domain, meaning the incoming mailserver for nesformation.fr is not checking for DMARC. To fix this, implement DMARC checking, likely through cpanel or a similar interface at OVH.

December 2023 - Email Geeks
Expert view

Expert from Spam Resource shares that while DMARC is designed to prevent spoofing, its effectiveness depends on recipient mail servers enforcing the policy. If inbound servers ignore DMARC, spoofed emails can still land in inboxes. Suggests contacting the recipient's ISP or email provider to push for DMARC adoption and enforcement, or consider using alternative email filtering solutions at the receiving end.

January 2023 - Spam Resource
Expert view

Expert from Email Geeks explains that publishing a DMARC policy is a request, not a requirement, for others to respect it. Global mailbox providers like G Suite and O365 allow DMARC to be turned on/off on a per domain basis, or will take into account when making delivery decisions.

February 2025 - Email Geeks
Expert view

Expert from Word to the Wise responds that achieving DMARC compliance is not a one-time event. Even with a strict reject policy, some providers may not fully comply. Continuous monitoring and adjustments are needed to maintain protection against spoofing. Understand that receivers may make their own decision based on their experience of email originating from a sender.

December 2022 - Word to the Wise

What the documentation says
5Technical articles

When DMARC is set to 'reject' but not enforced on the inbound mail server, spoofed emails can bypass security measures. Documentation highlights that DMARC relies on receiving mail servers to actively check and enforce DMARC policies. Without this enforcement, DMARC is ineffective, and spoofing can occur. Platforms like Google Workspace and Microsoft 365 can be configured to check for DMARC compliance. Key to successful implementation is ensuring receivers are configured correctly and provide feedback reports.

Key findings

  • Receiver Responsibility: DMARC's effectiveness depends on receiving mail servers actively checking and enforcing DMARC policies.
  • Lack of Enforcement: If inbound servers don't check DMARC, spoofed emails bypass security measures.
  • Configuration Options: Platforms like Google Workspace and Microsoft 365 offer configurations to check for DMARC compliance.
  • Feedback Reports: Feedback reports improve the effectiveness of DMARC by allowing senders to make adjustments based on how receivers are handling email.

Key considerations

  • Enforce on Receiving End: Ensure inbound mail servers are configured to check and enforce DMARC policies.
  • Configure Platforms: If using platforms like Google Workspace or Microsoft 365, configure settings to enforce DMARC policies of sending domains.
  • Utilize Feedback: Actively review feedback reports from receiving servers to refine DMARC implementation.
Technical article

Documentation from Cloudflare advises that DMARC is effective in protecting domains from email spoofing. However it relies on the destination email provider to actually check and respect the DMARC record settings. In the event that a destination server does not respect or check a DMARC record, there will be no protection against spoofing.

June 2023 - Cloudflare
Technical article

Documentation from RFC details DMARC, what it does, and it also highlights that receivers need to be configured correctly in order to respect the policies set by the owner of the domain. The receivers should also provide feedback in the form of reports to the senders so that they can improve.

August 2023 - RFC
Technical article

Documentation from DMARC.org explains that DMARC allows domain owners to specify how email receivers should handle messages that fail authentication. However, the receiver must actively check and enforce DMARC for this to be effective. DMARC cannot force inbound mail servers to use DMARC checks, it is a decision made by each receiving mail server.

October 2022 - DMARC.org
Technical article

Documentation from Microsoft explains that anti-spoofing protection in Office 365 relies on SPF, DKIM, and DMARC. If inbound mail servers are not configured to check these protocols, spoofed email can bypass these security measures. Ensure Microsoft 365 is set to respect and enforce DMARC policies of sending domains.

July 2021 - Microsoft
Technical article

Documentation from Google Workspace Admin Help explains that even with a DMARC record set to reject, inbound mail servers must still perform DMARC checks. If the receiving server doesn't check DMARC, spoofed emails can still land in inboxes. Workspace can be configured to check incoming mail for DMARC compliance and quarantine non-compliant messages.

December 2024 - Google Workspace Admin Help