What are policy overrides?
Receivers can override the policy you've set in your DMARC record. Why does this happen? Let's say that you have a p=reject policy and, en route through multiple forwards, both DKIM and SPF break on the email you've sent. This results in a DMARC failure, and based on what's been specified in your policy, you would expect the receiver to block the email.
However, when a receiver has other information available that allows them to validate that the email is genuine, they can override your DMARC policy and accept it, regardless of the DMARC alignment.
Here are some of the most common DMARC overrides we see:
- Forwarded: The message was relayed via a known forwarder, or local heuristics identified the message as likely having been forwarded. There is no expectation that authentication would pass.
- Mailing list: Local heuristics determined that the message arrived via a mailing list, and thus authentication of the original message was not expected to succeed.
- Sampled out: The message was exempted from application of policy by the "pct" setting in the DMARC policy record.
- Local policy: The Mail Receiver's local policy exempted the message from being subjected to the Domain Owner's requested policy action.
- Trusted forwarder: Message authentication failure was anticipated by other evidence linking the message to a locally-maintained list of known and trusted forwarders.
- Other: Some policy exception not covered by the other entries in this list occurred.
Source: Descriptions of the PolicyOverrideTypes listed in RFC 7489
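Receivers record an override in the `<reason>` element of each row in the DMARC aggregate (RUA) report. The following added example, which is not part of the original page, tallies overridden messages by type. The function name `summarize_overrides` is hypothetical, and the sample report is constructed and assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 Appendix C layout), trimmed to
# the fields used here. Domain and IPs are documentation placeholders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>forwarded</type><comment>known relay</comment></reason>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>mailing_list</type></reason>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>500</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""

def summarize_overrides(report_xml):
    """Return (published policy, message counts per override type, overridden rows)."""
    root = ET.fromstring(report_xml)
    published = root.findtext("policy_published/p", default="none")
    by_type, rows = Counter(), []
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC fails only when both the aligned DKIM and SPF results fail.
        dmarc_failed = ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass"
        disposition = ev.findtext("disposition")
        reasons = [r.findtext("type") for r in ev.findall("reason")]
        # An override: DMARC failed, yet the receiver applied something other
        # than the published policy and recorded why.
        if dmarc_failed and disposition != published and reasons:
            count = int(row.findtext("count"))
            for reason in reasons:
                by_type[reason] += count
            rows.append((row.findtext("source_ip"), disposition, reasons, count))
    return published, dict(by_type), rows

if __name__ == "__main__":
    policy, by_type, rows = summarize_overrides(SAMPLE_REPORT)
    print(f"published p={policy}; overrides by type: {by_type}")
    for ip, disposition, reasons, count in rows:
        print(f"{ip}: {count} msgs, disposition={disposition}, reasons={reasons}")
```

Source IPs that show up with overrides but are not forwarders or lists you recognize are worth reviewing, since the receiver delivered mail that your policy asked it to reject.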