Why might an email provider not honor a DMARC p=reject policy?
Summary
What email marketers say (10 marketer opinions)
Email marketer from EasyDMARC states that mailbox providers consider various factors beyond DMARC, like sender reputation and user engagement, to decide whether to deliver, quarantine, or reject an email. The 'reject' policy is not always the only determining factor.
Email marketer from Reddit suggests that providers may override DMARC 'reject' policies if the email originates from a known and trusted sender, even if it fails authentication checks. This is to prevent disruption of important communications.
Email marketer from EmailSecurityForum mentions that if DMARC is improperly configured by the sending domain, a provider may choose to ignore the 'reject' policy rather than block legitimate but misconfigured email. This ensures users don't miss important messages due to technical errors.
Email marketer from EmailGeeksForum explains that even with p=reject, high sender reputation can cause providers to override DMARC in order to ensure mail is delivered, especially if the user typically engages with mail from that sender.
Email marketer from Email Geeks mentions that Microsoft has historically treated reject as quarantine, highlighting that not every Mailbox Provider honors DMARC policies exactly.
Email marketer from Reddit notes that email forwarding often breaks DMARC authentication, and providers might choose to ignore a 'reject' policy in such cases to ensure forwarded emails still reach their intended recipients.
Email marketer from Mailjet shares that some providers might not strictly enforce the 'reject' policy to avoid blocking legitimate emails that fail DMARC due to misconfiguration or forwarding issues, prioritizing the delivery of potentially important messages.
Email marketer from Email Geeks shares that they asked Proton about the issue of not honoring DMARC earlier in the month and Proton is aware of it.
Email marketer from Email Geeks explains that many providers don't honor p=reject because it's a policy suggestion, not a requirement.
Email marketer from Postmark shares that some ISPs are hesitant to implement a reject policy due to the risk of blocking legitimate email. They may quarantine it or deliver it to the junk folder instead, even when DMARC enforcement would dictate outright rejection.
What the experts say (3 expert opinions)
Expert from Spam Resource shares that even when a domain implements a p=reject policy, mailbox providers may choose to make exceptions based on various factors, including the sender's historical reputation, user engagement patterns, and internal spam filtering algorithms. Legitimate mail may still be delivered even if it fails DMARC.
Expert from Word to the Wise explains that not all mailbox providers interpret and implement DMARC policies in the same way. Some providers may choose to quarantine instead of reject due to concerns about false positives or internal policies.
Expert from Email Geeks explains there are many reasons why Proton might not honor a DMARC p=reject policy, including known forwarder issues, internal decision-making processes, intentional disregard for DMARC, or seeing DMARC as problematic for legitimate mail.
What the documentation says (3 technical articles)
Documentation from DMARC.org explains that DMARC policies are suggestions, and receiving mail servers retain the right to make their own decisions based on factors beyond DMARC. These can include reputation, content analysis, and user-specific preferences. Full rejection isn't guaranteed.
Documentation from Microsoft Defender for Office 365 highlights that even with a DMARC 'reject' policy, Microsoft may choose to quarantine the message instead of rejecting it outright. This is based on their own assessment of the email's overall risk and to protect users from potential false positives.
Documentation from Google Workspace Admin Help explains that even with a 'reject' policy, final delivery decisions depend on various factors, including other signals and Google's spam detection mechanisms. Google may still deliver messages to the inbox or spam folder, even if DMARC specifies rejection.
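A domain owner can see where receivers applied something other than the published policy by reading DMARC aggregate (RUA) reports, which record the disposition each receiver applied and, optionally, an override reason such as forwarded or local_policy. The following is an added example, not code from this page or from any of the sources quoted on it; the report is a constructed sample in the RFC 7489 layout, and the function name, the example.com domain and the absence of an XML namespace or an sp= subdomain policy are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted inbound reports, prefer defusedxml

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>forwarded</type></reason></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type></reason></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""


def find_policy_overrides(report_xml):
    """Return rows where mail failed DMARC but the published policy was not applied."""
    root = ET.fromstring(report_xml)
    published = root.findtext("policy_published/p", default="none")
    receiver = root.findtext("report_metadata/org_name", default="unknown")
    overrides = []
    for row in root.iterfind("record/row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue
        # DMARC fails only when both the aligned DKIM and aligned SPF results fail.
        dmarc_failed = (evaluated.findtext("dkim") == "fail"
                        and evaluated.findtext("spf") == "fail")
        disposition = evaluated.findtext("disposition", default="none")
        if dmarc_failed and disposition != published:
            overrides.append({
                "receiver": receiver,
                "source_ip": row.findtext("source_ip"),
                "count": int(row.findtext("count", default="0")),
                "published": published,
                "applied": disposition,
                # Receivers may state why they overrode the policy.
                "reasons": [r.findtext("type", default="unspecified")
                            for r in evaluated.iterfind("reason")],
            })
    return overrides


if __name__ == "__main__":
    for item in find_policy_overrides(SAMPLE_REPORT):
        print(item)
```

Rows with an empty reasons list are overrides the receiver did not explain, which are the ones worth raising with that provider.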