How to identify forwarders from the DMARC reports?

This article explains what forwarders are and how to identify them in your DMARC reports.

Written by Ivan Kovachev
Updated over 2 months ago

DMARC reports contain three main types of senders:

  • Assets - These are your legitimate services that you have configured and authorized to send emails on behalf of your domain.

  • Forwarders - These are services that receive emails from you, e.g. your recipient's mail server, and then auto-forward your emails on to other destinations. This article focuses on this type of sender.

  • Malicious senders - Email services that are spoofing your domain, e.g. an attacker using your domain to send malicious emails.


Scenario:
Let's assume you send emails from Office 365 only, and you have configured this service with SPF and DKIM. In this case all your outbound emails originate from Office 365, and nowhere else.




You then look at your DMARC reports and see many more senders that are compliant and pass DKIM and DMARC. Why is that?

That immediately indicates that those other services are forwarders. What is happening is that you send DMARC-compliant emails from Office 365 to many recipients, such as your clients, customers, partners or suppliers. Many of your recipients will have auto-forwarding rules that automatically forward your emails to another destination, as demonstrated below.

Office 365 --> Gmail (auto-forward) --> Yahoo

Yahoo is the final recipient that will receive your email, which passed through Google. Google will be the service shown in your DMARC reports, because it was the last system to send the email before it reached the final recipient. This auto-forwarding is outside of your control and is configured by your recipients. The DMARC reports show the last hop that an email took on its way from the sender to the final recipient.


If the email that was forwarded from Google was not modified in transit, it will pass DKIM and therefore DMARC.



Typically, forwarders are services that you don't recognize, with a 0% SPF pass rate and a DKIM pass rate higher than 0%.

Here is an example of forwarders passing DKIM 100%.



What could happen to the email when it is automatically forwarded?

  • SPF almost always fails when an email is automatically forwarded. The only chance for the email to pass DMARC is if DKIM passes.

  • If the email is not modified by the forwarding system, DKIM will pass and therefore DMARC will pass when the email is evaluated by the final destination. The DMARC report will show DKIM & DMARC passing.

  • If the email is modified, DKIM will fail and therefore DMARC will fail when the email is evaluated by the final destination. The DMARC report will show DMARC failing.

  • Finally, even if DMARC fails when an email is automatically forwarded, the final destination will decide what to do with the email. They could treat it according to the DMARC policy of the sending domain OR accept the email despite the fact that it failed DMARC (this is called an override). An override means that the final destination has accepted the email even though it failed DMARC. This could be for various reasons, e.g. local policy, trust in the forwarder, ARC (protocol) and others. The sender has no influence over that decision.
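
The forwarder heuristic (unrecognized sender, 0% SPF, more than 0% DKIM) and the override case can be checked against a raw aggregate report. The following Python is an added example, not OnDMARC's code; it assumes the RFC 7489 aggregate XML layout, and the sample report, the IP addresses and the `classify_sources` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate layout); IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  <reason><type>forwarded</type></reason></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.99</source_ip><count>5</count>
 <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def classify_sources(report_xml, asset_ips):
    """Group rows by source IP and label each sender with the article's heuristic."""
    stats = defaultdict(lambda: {"total": 0, "spf": 0, "dkim": 0, "overridden": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        pe = row.find("policy_evaluated")  # DMARC-aligned SPF/DKIM results
        n = int(row.findtext("count"))
        s = stats[row.findtext("source_ip")]
        s["total"] += n
        s["spf"] += n if pe.findtext("spf") == "pass" else 0
        s["dkim"] += n if pe.findtext("dkim") == "pass" else 0
        # A <reason> element records that the receiver overrode the published policy.
        s["overridden"] += n if pe.find("reason") is not None else 0
    for ip, s in stats.items():
        if ip in asset_ips:
            s["label"] = "asset"
        elif s["spf"] == 0 and s["dkim"] > 0:
            s["label"] = "likely forwarder"  # 0% SPF pass, more than 0% DKIM pass
        else:
            s["label"] = "investigate"  # unrecognized and not matching the forwarder pattern
    return dict(stats)

if __name__ == "__main__":
    for ip, s in classify_sources(SAMPLE_REPORT, {"192.0.2.10"}).items():
        print(ip, s)
```

Aggregate reports arrive from third parties, so parse real ones with a hardened XML parser such as defusedxml rather than the standard-library parser used here.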

How are overrides shown in OnDMARC?

If you see a star [*] next to your Compliance results number, that means some emails were overridden. You can hover over the number to see exactly how many emails this applied to.
In the example below, 25 emails of the 47 failures are overridden, which means that only 22 will be affected by the DMARC policy in this case.


