When an email has the Override policy applied to it, that email is not considered as passing DMARC unless it passes with either SPF or DKIM. The Override policy is applied by the receiver, which chooses to disregard your DMARC policy when it comes to that email and just allow the email to be delivered, even though it might not be authenticated properly.


When utilizing DMARC reporting, policy overrides might be a situation your company encounters, especially if your emails are being delivered to a large and wide variety of customers. Essentially, a DMARC policy override occurs when an email recipient decides to override the policy that you have specified in your DMARC record.


Typically, when a receiver's email gateway chooses to accept an email and apply a DMARC Override policy regardless of what the sender's DMARC policy is, it does so because it trusts the source of that email.

For example, a policy override could happen when you have a DMARC policy of reject (p=reject) and your outbound email goes through a mailing list, which breaks both SPF and DKIM. In this instance, DMARC will fail; however, the receiver may decide to override your policy and accept the email because they know and trust the source.



In conclusion, a DMARC Override policy does not necessarily mean that the email is DMARC authenticated; it just means that the receiver chose to disregard your DMARC policy for that email. You still need to check the email header and make sure the email is passing SPF and/or DKIM.
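On the reporting side, overrides show up in DMARC aggregate (RUA) reports as a `<reason>` element inside `<policy_evaluated>`. The following is an added example, not part of the original article: it lists overridden rows and separates those that still passed DMARC from those delivered on receiver trust alone. The function names and the sample report are constructed for illustration, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed DMARC aggregate (RUA) report in the RFC 7489 layout.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>mailing_list</type></reason></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
   <reason><type>local_policy</type></reason></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""


def find_overrides(report_xml):
    """Return rows where the receiver recorded an override reason."""
    # Reports come from third parties; in production, parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(report_xml)
    published = root.findtext("policy_published/p")
    findings = []
    for row in root.iter("row"):
        pe = row.find("policy_evaluated")
        if pe is None:
            continue
        reasons = [r.findtext("type") for r in pe.findall("reason")]
        if not reasons:
            continue  # no override recorded: the published policy was applied
        # DMARC passes only if the aligned DKIM or aligned SPF result is "pass".
        dmarc_pass = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        findings.append({"source_ip": row.findtext("source_ip"),
                         "count": int(row.findtext("count", "0")),
                         "published": published, "reasons": reasons,
                         "disposition": pe.findtext("disposition"),
                         "dmarc_pass": dmarc_pass})
    return findings


def unauthenticated_overrides(report_xml):
    """Overridden rows that failed both SPF and DKIM alignment."""
    return [f for f in find_overrides(report_xml) if not f["dmarc_pass"]]


if __name__ == "__main__":
    for finding in unauthenticated_overrides(SAMPLE_REPORT):
        print(finding)
```

Rows returned by `unauthenticated_overrides` are the ones to follow up on: the receiver delivered them even though neither SPF nor DKIM passed.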



