DMARC Override is just policy that can be applied by the receiver. The DMARC Override policy is usually applied when the receiver chooses to disregard your DMARC policy when it comes to that email and just allow the email to be delivered, even though it might not be authenticated properly.
When an email has the Override policy applied to it, that email is not considering as passing DMARC, unless it passes with either SPF or DKIM.
Because this is an action taken on the receiver's end, it bears only the responsibility of the receiver. Your responsibility when it comes to authentication is just to make sure that email was sent in an authenticated manner.
When utilizing DMARC reporting, policy overrides might be a situation your company encounters, especially if your emails are being delivered to a large and wide variety of customers. Essentially, a DMARC policy override occurs when an email recipient decides to override the policy that you have specified in your DMARC record.
Typically, when a receiver's email gateway choses to receive an email and apply a DMARC Override policy regardless of what the sender's DMARC policy is, it generally does so because it trusts the source of that email.
For example, a policy override could happen when you have a DMARC policy of reject (p=reject) and your outbound email goes through a mailing list, which breaks both SPF and DKIM. In this instance, DMARC will fail; however, the receiver may decide to override your policy and accept the email because they know and trust the source.
Here are some descriptions of common DMARC overrides:
- Forwarded: The initial message was relayed via a known forwarder, or local heuristics identified the message as likely having been forwarded. There’s no expectation that authentication would pass.
- Local_policy: The mail recipient’s local policy exempted the message from being subjected to the domain owner’s requested policy action.
- Mailing_list: Local heuristics determined that the message arrived via a mailing list; therefore, authentication of the original message wasn’t expected to succeed.
- Trusted_forwarder: Message authentication failure was anticipated by other evidence linking the message to a locally-maintained list of known and trusted forwarder.
In conclusion, a DMARC Override policy does not necessarily mean that email is DMARC authenticated - it just means that the receiver chooses to ignore that. You still need to check in the email header and make sure the email is passing SPF and/or DKIM.
Related articles:
As always, if you have any questions, please don't hesitate to submit a ticket.