When an email fails DMARC because it is not authenticated with SPF or DKIM in an aligned manner, the disposition of that message can be affected by the DMARC policy set by the sending domain. For example, when a Quarantine or Reject policy is enforced on the sending domain, mail receivers should report a disposition of quarantine or reject in their aggregate feedback reports for the emails failing DMARC (when the action is due to DMARC policy and not local policy).
If the sending domain is enforcing a Quarantine or Reject policy, and there are no subdomains where a DMARC record is published with a policy of None, then technically there should be no emails shown under the disposition Passed: P=None in the Valimail Authentication Reports. If the conditions above are met, but there are still emails shown under this disposition, then some aggregate feedback reports may contain erroneous data.
Each aggregate report lists the organizational domain's DMARC policy as well as the subdomain policy seen by the recipient MTA at the moment DMARC was evaluated. When both the organizational domain policy (p) and the subdomain policy (sp) are enforcing Quarantine or Reject, we consider the domain at enforcement. If either or both are set to "none", we no longer see the domain as fully protected by DMARC, and as a result we classify the emails with the disposition Passed: P=None.
<policy_published>
  <domain>example.com</domain>
  <adkim>r</adkim>
  <aspf>r</aspf>
  <p>quarantine</p>
  <sp>quarantine</sp>
  <pct>100</pct>
  <fo>0</fo>
</policy_published>
Most domains do not set a subdomain policy, in which case subdomains automatically inherit the DMARC policy from the organizational domain. When there is no subdomain policy in the DMARC record, the aggregate feedback reports should show a matching policy for the organizational domain policy (p) and the subdomain policy (sp).
We recently discovered a case where the aggregate feedback reports sent by the mail receiver Mimecast contain erroneous data, which causes the emails to show the disposition Passed: P=None. The reports we are receiving from Mimecast show a subdomain policy of "none" when the DMARC record does not contain a subdomain policy (sp); instead, the reports should show a subdomain policy that matches the one on the organizational domain.
Mimecast is still honoring the sending domain's Quarantine or Reject policies, but because of the issue described above, all the emails passing DMARC will show the disposition Passed: P=None if the sending domain does not have a subdomain policy enforcing Quarantine or Reject.
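One way to spot affected reports is to compare each report's policy_published block with the DMARC record the domain actually publishes. The following is an added example, not Valimail's code: the function names, the receiver names and the sample record and report excerpts are constructed, and it assumes the record did not change during the report window.

```python
import xml.etree.ElementTree as ET

ENFORCING = {"quarantine", "reject"}

def parse_record(txt):
    """Split a DMARC TXT record into lowercase tag/value pairs."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_report(report_xml, record_txt):
    """Compare a report's <policy_published> with the record actually published."""
    root = ET.fromstring(report_xml)
    published = root.find(".//policy_published")
    reported_p = (published.findtext("p") or "").strip().lower()
    reported_sp = (published.findtext("sp") or "").strip().lower()
    record = parse_record(record_txt)
    # No sp tag in the record: subdomains inherit p, so the report should show sp == p.
    expected_sp = record.get("sp", record.get("p", ""))
    return {
        "reporter": (root.findtext(".//org_name") or "unknown").strip(),
        "reported_p": reported_p,
        "reported_sp": reported_sp,
        "expected_sp": expected_sp,
        "sp_mismatch": reported_sp != expected_sp,
        # Enforcement as the report alone suggests vs. what the record says.
        "enforced_per_report": {reported_p, reported_sp} <= ENFORCING,
        "enforced_per_record": {record.get("p", ""), expected_sp} <= ENFORCING,
    }

# Constructed sample data: a record without an sp tag, and two report excerpts.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
TEMPLATE = """<feedback>
  <report_metadata><org_name>{org}</org_name></report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>{sp}</sp><pct>100</pct><fo>0</fo>
  </policy_published>
</feedback>"""
GOOD_REPORT = TEMPLATE.format(org="receiver-a.example", sp="quarantine")
BAD_REPORT = TEMPLATE.format(org="receiver-b.example", sp="none")

if __name__ == "__main__":
    for xml_text in (GOOD_REPORT, BAD_REPORT):
        result = audit_report(xml_text, RECORD)
        flag = "MISMATCH" if result["sp_mismatch"] else "ok"
        print(f'{result["reporter"]}: sp={result["reported_sp"]} '
              f'expected={result["expected_sp"]} -> {flag}')
```

A report flagged as a mismatch while the record itself is at enforcement points to a reporting error on the receiver's side rather than a gap in the domain's policy.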
Note: Valimail has reached out to Mimecast and brought this issue to their attention, and we will update this article as soon as we receive word that the issue has been fixed.