May 13, 2020

2020 dmarc works

How dmarc works with Google Mail and Office 365 in 2020.

We've tested how email authentication affects the delivery
to Google Mail and Office 365, the most popular business emails providers.

The results can be divided into two groups:

  1. emails delivery
    (how spf, dkim and dmarc affect the delivery of sent messages)
    Google mail: the emails are always accepted, authentication seems not to be considered at all
    Office 365: is generally responsive to spf and dkim. The only way to get consistent results, reaching the inbox, is to associate them with dmarc
     

  2. spoofing protection
    (how spf, dkim and dmarc protect the sender's email address from being spoofed*)
    * = make the message appear from someone other than the actual source
    Google mail: combining dmarc and spf (fail or softfail qualifiers), the spoofed senders get filtered to the Spam folder or rejected (depending on your dmarc settings)
    Office 365: spf (fail or softfail qualifiers) is enough to send fake senders to the Junk email folder

 
They are summarized as follows:

emails delivery spoofing protection
Google Mail always accepted, authentication is not considered at all dmarc + spf (fail or softfail)
Office 365 dmarc + spf pass or dmarc + dkim pass spf (fail or softfail)

 
Below there is the full range of tests that have been made.

Google Mail Office 365
spf Pass - dkim none inbox inbox
spf Fail - dkim none inbox junk
spf SoftFail - dkim none inbox junk
spf Neutral - dkim none inbox inbox
spf none - dkim none inbox junk
spf Pass - dkim pass inbox junk*
spf Fail - dkim pass inbox junk
spf SoftFail - dkim pass inbox junk*
spf Neutral - dkim pass inbox junk*
spf none - dkim pass inbox junk*
spf Pass - dkim invalid inbox junk
spf Fail - dkim invalid inbox junk
spf SoftFail - dkim invalid inbox junk
spf Neutral - dkim invalid inbox junk
spf none - dkim invalid inbox junk
spf Pass - dkim invalid - dmarc reject inbox inbox
spf Fail - dkim invalid - dmarc reject dsn=5.0.0, stat=Service unavailable junk
spf SoftFail - dkim invalid - dmarc reject dsn=5.0.0, stat=Service unavailable junk
spf Neutral - dkim invalid - dmarc reject inbox inbox
spf none - dkim invalid - dmarc reject dsn=5.0.0, stat=Service unavailable junk
spf Pass - dkim pass - dmarc reject inbox inbox
spf Fail - dkim pass - dmarc reject inbox inbox
spf SoftFail - dkim pass - dmarc reject inbox inbox
spf Neutral - dkim pass - dmarc reject inbox inbox
spf none - dkim pass - dmarc reject inbox inbox
spf Pass - dkim diff - dmarc reject inbox inbox
spf Fail - dkim diff - dmarc reject dsn=5.0.0, stat=Service unavailable junk
spf SoftFail - dkim diff - dmarc reject dsn=5.0.0, stat=Service unavailable junk
spf Neutral - dkim diff - dmarc reject inbox inbox
spf none - dkim diff - dmarc reject dsn=5.0.0, stat=Service unavailable junk

Notes:

  • the from address (visible sender) and the envelope from (return-path) are from the same domain
  • “dkim pass”: the dkim signing domain is the same as the one of the from address
  • “dkim diff”: the dkim signing domain is different than the one of the from address
  • the asterisks in the second group means that the results have not been consistent over time