DMARC blame game - is there a way to bypass the failure?
Posted by CeC-P@reddit | sysadmin | 83 comments
I'm working for an MSP. One of our clients forwarded us an email from a project management company (that isn't one of our customers) that says "Hey, people are saying they didn't get that request that was sent by us so check your spam."
Well, the client can't find it in his spam, so he sent us a ticket. I checked the trace.
Error: 550 5.7.509 Access denied, sending domain [the project manager's domain] does not pass DMARC verification and has a DMARC policy of reject.
I wrote back the shortest summary possible of how it's 100% their fault, they need to fix their email DMARC and SPF entries, and I can't undelete or recover an email that was rejected at the border and never received.
But at the same time, I looked into whether there's a way to exempt DMARC checks per domain or something in Exchange/Defender. I got very mixed results on that. Apparently adding to an allowed tenant domain list might bypass DMARC, but it sometimes works and sometimes doesn't? Which probably means it used to work but doesn't now, or it requires a higher level of Defender license than they have.
The other hundred people on the email chain also didn't receive the email, so I'd prefer these geniuses just fix their damn email system, because how the **** is it April 2026 and they don't have working DMARC?! That stuff was due March 31, 2025. I know, because my last company made me do it at the last second because the CIO forgot! I think I know what project this is in relation to, and if I told you the budget and scope of it, you'd spit out your coffee and join an Amish community, because the world doesn't deserve computers if a company that large gets paid $1+ billion and can't fix their DMARC/SPF config for automated requests for insurance coverage statements.
Anyway, anyone have a way to force an MS365 environment to not honor DMARC reject failures that's verified working recently?
andr0m3da1337@reddit
Use this: https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about#spoof-protection-and-sender-dmarc-policies
ek54ljl@reddit
Joining in with this.
Somebody here says it's 2026, I refuse to bypass. Hear, hear, same here!
When I have 3rd party people complaining about DMARC/SPF rejections I send them here https://www.learndmarc.com/ I am not the author, I bow down to the author for such a solid site. It has helped me personally call out more than one "director" who should know better.
For the vast majority of 3rd party issues it's either DNS records incorrect or no actual DKIM signing of their outbound message, even if they have managed to insert a seemingly correct public key into DNS.
Probably configured from some crappy AI document. Harrumph.
OP, I feel your pain!
electrobento@reddit
I refuse to do a bypass for senders that don’t have both SPF and DKIM set up. It’s 2026.
vppencilsharpening@reddit
If it's a vendor I like I will usually provide something like "your mail sending configuration explicitly states that the message is spoofed and should not be delivered. Our mail server is honoring the configuration provided by your domain.
If this configuration is not correct, please share this with your IT team.
This can be corrected by doing x, y and z.
Here are the mail headers to support this and recommended changes."
Smith6612@reddit
This is honestly the best way. If it's happening for you, it's likely happening for many others. At this point, e-mails will get spammed or rejected for people using free providers like Gmail and Yahoo if there isn't a valid DMARC policy configured, or if the checks fail.
My personal mail server will reject anything that isn't matching SPF/DKIM, and it is very apparent if whatever tool they're using tracks bounceback reasons.
Icy_Conference9095@reddit
Hilariously, I was working at a larger post secondary school at the help desk and had someone complain that a local org was sending them emails but they never got them - I did exactly this, sending the header info to the main help desk email for the org and explaining this issue.
Two years later I ended up working at that org and found my own email, emailing them, and the ticket that followed. 😂
robsablah@reddit
That's a great phrase.
czj420@reddit
I send them an email of what their records should be.
CeC-P@reddit (OP)
Ohhhh I'm leaning towards that, instead of being the one person out of 50 in the email chain that can get their emails.
But management "wanted me to try to do something about it so we look good"
man__i__love__frogs@reddit
When my hands were tied I added an email banner along the lines of "This message bypassed email security scanning due to a misconfiguration on the sender's email server. If the sender is compromised it will still be delivered. Treat with extra care."
electrobento@reddit
That’s smart.
vppencilsharpening@reddit
Hug them with kindness.
Provide the reason it is failing validation and show them (with a screenshot) that their DMARC policy is reject. Tell them that your mail server is following the guidance they are providing and until that is corrected, everything is working as designed to protect their e-mail domain.
If you can see the problem, give them (or more appropriately ask them to share with their IT team) guidance on how to address the problem. Offer to help them test the new configuration.
--
Then explain to management that if you bypass these checks, anyone can then use that domain to send messages that are indistinguishable from legitimate messages. Ask them to accept the risk of phishing or invoice/payment fraud that could result from exploitation of this bypass.
badtz-maru@reddit
Yup! This is pretty much our templates response whenever this comes up. We will not degrade our security posture for their mail misconfiguration.
I also like to point out to the offending sender that it is in their best interest to fix the problem on their end because it is a potential blocker for any of their emails, not just ones to us. Even if we do an exception for them, they will continue battling the issue elsewhere until properly configured.
alm-nl@reddit
In that case I provide the solution, but they would have to implement it themselves (on their end, where it is supposed to be fixed).
maxxpc@reddit
It is EXTREMELY common. We did this at one of our customers recently where we quarantine and reject SPF and DMARC permerrors, and it's been pretty awful with the amount of requests we get to safe list domains.
People are bad at email security.
sryan2k1@reddit
At some point someone will make you. As long as it's in writing and you try and explain the risks....
PhoenixVSPrime@reddit
Yes, this. OP needs to put his foot down. No exceptions.
hkusp45css@reddit
Yup and my CEO is with me on it.
RagnarStonefist@reddit
I work for a facilities company that has customers that range from Mom and Pop companies to state governments and fortune 500 companies.
We have an email filtering system that flags stuff that fails SPF, DKIM, or DMARC and sends a daily email to the user with their quarantined mail. Inevitably we get requests to 'whitelist this very important email because I'm tired of releasing it/asking you to release it'.
We push back; 'this failed SPF/DKIM/DMARC coming from the customer because their DNS isn't set up right; please have them fix it' and we are told:
'this is a government entity they're not going to change this'
'I can ask but my customer isn't going to change it'
'my customer doesn't have an IT department, can you reach out to them and help?'
and, the best thing, from my direct manager:
'we're a service based department. Can't we bend on this?'
No, Karen. We can't bend on this. This is security. We got breached last year because of this.
pdp10@reddit
If you got breached because you received an email, then you've got bigger problems.
ihaveabs@reddit
How do you think most breaches start?
pdp10@reddit
Today it's usually when a user punches an externally re-usable credential into a trojan dialog, or when a user locally executes some code that they shouldn't have.
But you're not allowing those things, and you're definitely not trying to block email as a proxy to prevent those things. Right?
ihaveabs@reddit
So you think email should be a free for all because there’s other protections?
pdp10@reddit
I think nobody should be sending all of their users fake email, and then putting everyone who clicked on the link into a remedial training program. That's a farce, a professional embarrassment, and a waste of time. A workaround from the era when IT departments were giving users a broken five year old copy of IE and then telling everyone not to go to naughty sites or they'd get the dancing toolbar virus and it would be their own fault.
Should MTAs be enforcing SPF and DKIM? Obviously so. Do mail receiving sites and users have the right to filter their own mail? Obviously so. Will some compliance regimes request paperwork to not phish your own userbase? Could be.
Just don't convince yourself that email is the fundamental reason why some SMB server got every globally-writable file on its shares scrambled by third world extortionists, and that stopping some email is the key to preventing that.
unseenspecter@reddit
This is such a reductionist reply. The issue is complex and the solutions are multi-faceted. Email security is absolutely one of the solutions, but not the entire solution. But any solution that does not also include email security is also not a comprehensive solution.
So yes, I am absolutely convinced that "some SMB server [that] got every globally-writable file on its shares scrambled by third world extortionists" would have been prevented by an email security solution if the initial access of that breach was an email.
That said, defense-in-depth is still a thing. If the malicious email isn't what led to a breach, it's only a matter of time until something else does if areas of the business are not secure.
winmace@reddit
Where I'm from sending an email with any kind of identifying information to the wrong person, even if they are in your organisation is a data breach that has to be reported.
pdp10@reddit
And receiving an email is neither necessary, nor sufficient, to cause that to happen.
RagnarStonefist@reddit
We were being way too permissive about MFA and email security in general. Now we're not. People are struggling to adapt.
tristand666@reddit
Funny. I work for a government entity and I am usually the one telling them to fix their DNS. I would 100% fix any issue that was found with our setup if someone informed me of it, but I am pretty sure ours is correctly set up.
fadinizjr@reddit
Me too.
BlueHatBrit@reddit
"Their email system is instructing us that these emails are spoofed. If that is not the case, they need to fix their email server configuration. Ours is just doing exactly what they're asking us to do, and not allowing someone who is unauthorised to send fake emails pretending to be them."
GroundbreakingCrow80@reddit
Gmail and Yahoo will send their mail to junk as well. From a deliverability standpoint it's in their interest to fix it
I like to see what they're using from the headers and refer them to their vendor documentation sometimes the documentation even says how important the setup is which helps drive the point home that it is a them problem.
Luckily I'm internal IT though.
ISeeDeadPackets@reddit
I block 100% of Yahoo addresses unless someone explicitly requests a whitelisting. How on earth people are still using hotmail/yahoo and AOL of all things as a business account is beyond any rational thought.
logoth@reddit
Once upon a time I had a client ask me to block all email coming from yahoo and aol. I made sure they understood what that meant and then did it.
ISeeDeadPackets@reddit
I'm getting downvoted, but the thing is I 100% know what I'm doing. A very tiny number of our customers are on those services, while at the time over 99% of the traffic from those domains was spam or malicious. That's cooled down over the last few years, but for my org it was a great move.
Blog_Pope@reddit
If you are their MSP, why aren't you fixing it? At the least you could provide recommendations to change the records for them to pass to whomever is managing DNS.
britannicker@reddit
Reading is so difficult... OP wrote "not one of our customers"... guess you missed that.
Blog_Pope@reddit
My assumption was the person was alerting them to the problem with their company's email. If it's an external company with the problem records, the correct answer is "I can help fix that for $5,000", or you can sign a contract and become a full time customer.
britannicker@reddit
5k minimum :-)
alm-nl@reddit
They should hire someone to fix it if they cannot fix it themselves. Not your problem. If it stops working again after you implemented a workaround, they will blame it on you.
CeC-P@reddit (OP)
But alm...they only have a few billion dollars.
Independent-Sir3234@reddit
I wouldn’t whitelist around a DMARC reject unless you’re ready to own the spoofing risk that comes with it. We made that exception once for a noisy partner and it just turned into a longer support mess because nobody trusted what was real anymore. If the sender owns the domain, fixing SPF/DKIM/DMARC is the clean answer.
stewartjarod@reddit
You nailed it—whitelisting around a reject policy is just deferring the problem and creating audit risk. The reason the fix matters: DMARC reject forces the sender to actually own their authentication. Once SPF/DKIM are aligned and the policy is enforced, you get signal, not noise. The sender either has their infra in order or they don't.
If they're struggling with the setup itself (SPF hitting lookup limits, DKIM config, policy tuning), this guide covers the common friction points: https://wraps.dev/blog/your-dmarc-policy-is-useless
mr_pm2@reddit
No reliable way to bypass DMARC reject in modern Exchange Online/Defender that I'd recommend using. The allowed sender lists are hit or miss and Microsoft keeps tightening those loopholes. Your best bet is to document exactly what's happening (the 550 error, the DMARC policy, etc.) and send it back to them with a clear explanation that this is blocking delivery to everyone, not just your client. If they're dealing with a billion dollar project, they can afford to hire Formula Inbox to fix their email authentication properly instead of asking hundreds of recipients to create workarounds for their broken setup.
UninvestedCuriosity@reddit
Fucken reject all baby. The world needs to accept it for what it is.
Tatermen@reddit
Don't make exceptions for these people. If they haven't bothered to properly setup DMARC/SPF/DKIM etc, they likely have many, many more issues and will likely be a future source of viruses - which you will have explicitly allowed into your systems.
blow_slogan@reddit
Don’t bypass their failure, it exposes both of you to massive risk. Put it back on them, it takes like 15 minutes to properly configure this. They’re just lazy.
angrydave@reddit
Not really.
If their email is being sent to junk or deleted; it’s because their DMARC policy told our server that’s what it should do, or the policy doesn’t exist.
Ignoring other email server’s DMARC policy defeats the point of DMARC.
Tell the sender’s IT to fix their DMARC policy or fix up missing or incomplete SPF or DKIM records.
Individual_Ad_5333@reddit
The irony of SMTP: it's Simple for a reason.
Valkeyere@reddit
"Your vendor/contact's bad security practices aren't worth creating a major security hole in your network. We're happy to work with them to fix their configuration if they can't work it out. Of course we'll bill them for that, not yourself."
"If they can't understand the importance of fixing this, look, I can make this hole for you if you really want me to. I'll need you to sign off on this as an accepted risk. Just know that this hole doesn't even work half the time, so it's still not guaranteeing delivery of their emails while opening you up."
CountyMorgue@reddit
Yes, set SCL to -1 in mail flow rules for the domain. Also if using Defender you can set it to allow mail even if DMARC is set to reject. Not best practice really, but doable.
Silent_Villan@reddit
We have Defender override DMARC rejects to quarantine instead of reject.
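What CountyMorgue and Silent_Villan describe is the Defender for Office 365 anti-phishing policy setting behind the "spoof protection and sender DMARC policies" link posted earlier in the thread. The following PowerShell is an added example, not code from any poster or from Microsoft: it confirms in the trace that the rejection happened at the edge, audits how each anti-phishing policy currently handles a sender's p=reject, and shows the one supported softening. The policy name is the built-in default; the recipient address and the sender domain project-co.example are placeholders.

```powershell
# Added example: audit and (only with a signed-off risk acceptance) soften how
# EOP / Defender for Office 365 honors a sender's DMARC p=reject.
# Assumptions: ExchangeOnlineManagement module installed, an Exchange admin
# account, "project-co.example" standing in for the failing sender domain and
# "client.user@customer.example" for the recipient who opened the ticket.

Connect-ExchangeOnline -ShowBanner:$false

# 1. Confirm what the trace shows. An edge rejection is logged with Status
#    "Failed"; the message never reaches the mailbox pipeline, which is why
#    mail flow rules (SCL -1 and friends) never get a chance to run.
Get-MessageTrace -RecipientAddress 'client.user@customer.example' `
    -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Where-Object { $_.SenderAddress -like '*@project-co.example' } |
    Select-Object Received, SenderAddress, RecipientAddress, Status |
    Format-Table -AutoSize

# 2. Which anti-phishing policies honor the sender's DMARC record, and what
#    "reject" and "quarantine" mean in this tenant. HonorDmarcPolicy=$true with
#    DmarcRejectAction=Reject is the combination that produces the 5.7.509 NDR.
#    Audit every policy: the one whose recipient scope matches wins.
Get-AntiPhishPolicy |
    Select-Object Name, Enabled, IsDefault, HonorDmarcPolicy,
                  DmarcRejectAction, DmarcQuarantineAction,
                  EnableSpoofIntelligence, AuthenticationFailAction |
    Format-Table -AutoSize

# 3. The supported softening: keep honoring DMARC, but turn the sender's
#    "reject" into quarantine so the message can be inspected and released.
#    This is per policy, so it applies to EVERY sending domain the policy
#    covers, not just project-co.example. There is no per-sender-domain knob here.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -HonorDmarcPolicy $true -DmarcRejectAction Quarantine

# 4. Riskier, not recommended: stop honoring sender DMARC policies in this
#    policy altogether. DMARC failures then fall through to spoof intelligence
#    and AuthenticationFailAction (MoveToJmf or Quarantine).
# Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -HonorDmarcPolicy $false

# Re-read to confirm the change took effect.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object Name, HonorDmarcPolicy, DmarcRejectAction, DmarcQuarantineAction
```

A quarantined message still failed authentication; releasing it delivers something the sender's own domain said to reject, so pair step 3 with a warning banner like the one man__i__love__frogs describes, and keep the management sign-off next to the change.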
TheBigBeardedGeek@reddit
Yes, you can set up rules to bypass DMARC failures.
No, it's not a good idea.
I had to do it because we're in a weird state in an acquisition, and we're getting mail still routed from the original parent company's tenant that they pass through their email security software. The software modifies the message to the point it won't pass DMARC anymore, causing the emails to fail DMARC
Zozorak@reddit
Recently turned on DMARC reject for our domains.
Suddenly 3rd party provider for web stuff couldn't send service ticket updates to us and part of our website failed.
This is about the time I lost faith in them, they have details to use our server for smtp using oauth...
As for the ticketing thing... Yeah, that's on them; their ticketing service shouldn't be spoofing on our behalf to send emails to us. Set your shit up properly.... They even blamed me for it... I mean yes, I did it, but you've been using it like this for how long now?
Broad-Celebration-@reddit
DMARC/SPF/DKIM are a sending domain security configuration. They chose a DMARC option of reject for a reason.
This is a simple "Hello, your vendor has their domain security configured so that emails sent from their @contoso.com accounts get rejected if they don't pass incoming security checks. This is unfortunately outside of our control and would require them to get with their IT team to resolve. "
ISeeDeadPackets@reddit
There's a company I'm currently fighting (healthcare insurance subcontractor, shocking) that's sending out very important emails with a "from" address as the intended recipient. So if they're sending it to tomsmith@contoso.com, they set the from address as tomsmith@contoso.com. So since they're not authorized senders for contoso, it's getting blocked. They send literally hundreds of these things out a night, how have they not gotten the memo that that's a bad idea?
Puzzleheaded_You2985@reddit
As a fellow MSP, if you can spare the time to fix it for the errant sender, at the very worst it will generate enormous good will from both parties and at the very best, might get you more business. It’s a pretty easy fix, low maintenance once it is fixed.
Competitive_Run_3920@reddit
I do not like holes in my security for vendors who have poor security. I expect my vendors to have equal or better security than me, not lesser.
lolklolk@reddit
"Sorry, talk to your internal IT department about the email authentication issue, we cannot fix this problem for you."
Insec_Bois@reddit
My favorite is when it originates from a mass mail service and I get to link a guide on how to fix it lmao
sembee2@reddit
I have been having this problem since DMARC was first released. It has got worse recently. I blogged on a recent experience.
https://blog.sembee.co.uk/post/dmarc-quarantine-and-missing-spf-why-legitimate-email-gets-blocked
Getting the sender to understand that we, the recipient, are doing what they ask is half of the battle.
pixeladdie@reddit
Send them their own lookup results. Should get the point across that it’s THEIR domain that’s fucked.
https://mxtoolbox.com/dmarc.aspx
CharcoalGreyWolf@reddit
EZDMARC.
Easy to implement, easy to use.
Put it on them, but explain in basic terms —then inform them of a solution.
CrazyFelineMan@reddit
This obviously doesn't apply to OP's post, but for others searching this issue in the future who have a Hybrid Exchange environment:
Double check that it's not one of your forwarders (on-prem Exchange, email scanner, any SMTP hop in the chain) that 365's SPF check is triggering on. In that case you'd need to configure enhanced filtering (in Defender) on the Exchange connector to ignore the IPs of every hop.
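For the hybrid case CrazyFelineMan raises, the check is whether the inbound connector that carries mail from on-prem Exchange or a scanning gateway has enhanced filtering turned on; without it, EOP evaluates SPF against your own gateway's IP, which no third party's SPF record will ever list. The following PowerShell is an added example, not from the thread or from Microsoft's documentation; the connector name and the 203.0.113.x addresses are placeholders.

```powershell
# Added example: enable Enhanced Filtering for Connectors so EOP evaluates
# SPF/DMARC against the true internet source rather than your own hop.
# Assumptions: ExchangeOnlineManagement module, an admin account, and the
# connector name and 203.0.113.x gateway addresses below are placeholders.

Connect-ExchangeOnline -ShowBanner:$false

# Check: EFSkipLastIP=$false with an empty EFSkipIPs means EOP treats the
# last hop (your gateway) as the sender for SPF purposes.
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, EFSkipLastIP, EFSkipIPs, EFUsers, EFTestMode |
    Format-Table -AutoSize

# One hop in front of EOP (a single on-prem Exchange server or gateway):
# skip the last IP in the Received chain.
Set-InboundConnector -Identity 'Inbound from on-prem gateway' -EFSkipLastIP $true

# Several hops (gateway -> on-prem Exchange -> EOP): list every hop's public
# IP explicitly so EOP walks back past all of them to the real origin.
Set-InboundConnector -Identity 'Inbound from on-prem gateway' `
    -EFSkipLastIP $false -EFSkipIPs '203.0.113.10','203.0.113.11'

# Optional: pilot on a few recipients before applying it to everyone.
# Set-InboundConnector -Identity 'Inbound from on-prem gateway' -EFUsers 'pilot.user@contoso.example'

# Verify, then re-send from the previously failing third party and read the
# Authentication-Results header on the delivered copy: the spf= clause should
# now name the sender's own infrastructure, not your gateway.
Get-InboundConnector -Identity 'Inbound from on-prem gateway' |
    Select-Object Name, EFSkipLastIP, EFSkipIPs, EFUsers, EFTestMode
```

If the sender's mail still fails after this, the problem really is on their side and the thread's advice applies; enhanced filtering only removes the false failures your own topology introduces.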
DaemosDaen@reddit
Dealing with this now actually... *headdesks*
Refurbished_Keyboard@reddit
You could change the DMARC posture depending on what is failing (DMARC checks both DKIM and SPF posture). You could soft fail and then have whatever security solution you use exempt only traffic from this vendor, but I'd push back on them to ensure you are making your client meet the security standards, which may or may not have compliance implications and be contractual.
tristand666@reddit
I do not do bypass, but I offer to help their techs fix the issue if they want assistance. I also send all of the proof I collect and how they can remediate the issue (in general terms, since every DNS provider is different).
TxTechnician@reddit
Send them a strongly worded letter.
littleko@reddit
You're right to be frustrated, and honestly your instinct to push back on the sender is the correct move here. Bypassing DMARC reject on your end is technically possible in some configurations, but it's a terrible idea in practice (you'd be opening a hole for anyone spoofing that domain, not just their legit mail).
The transport rule / allowed sender approaches in Exchange Online are inconsistent at best. Microsoft has been tightening this up over the past year or so, and even when it "works" you're basically telling your tenant to accept mail that fails authentication from that domain, which is exactly what attackers would also be sending.
I'd send the project management company a more pointed email explaining that
Happy_Kale888@reddit
I also send a link and a screenshot for this as well. I know there are others, but this is all one page and unbiased as it is run by a third party.
https://enrichley.com/tools/domain-health-checker
The_Koplin@reddit
It's called 'SENDER' policy framework for a reason. The issue is always the sender with such a rejection.
I have just such a reject rule set up like this. I refuse to bypass for a simple reason. The sending domain voluntarily implemented it and did it wrong; that is not my fault, nor will I try to fix the problem for them. You are not required to have SPF or DMARC or DKIM. They are very strongly advised. Without such domain and message validation, tools and systems fall back and likely flag as spam, not outright reject. My system rejected the message because you asked me to do so.
Again, the SENDER asked the receiver to reject the message pretending to be from their domain! Now you are asking how to bypass that?
There is no difference between a failed check and an impersonation. Not my job to figure out what is right.
Thus it's a mess of one's own making, and if they lose out on opportunities because they cheaped out on IT services, that's a them issue, not a me issue. It is one of very few immutable rules at my agency.
In summary:
Bob, delete ALL messages that do not arrive in a red envelope!
(Sends message in white envelope)
Bob, why did you delete all of my messages?
Sue, did you use a red envelope?
Bob, Well no I didn't use a red envelope, why?
Sue, do you want to change the rules about what color envelopes are acceptable to use?
Bob, No, I want you to just ignore that stuff and make it work!
Expensive_Plant_9530@reddit
I just wouldn’t. If they can’t pass DMARC and SPF, then bypassing for them would leave you wide open to an attack if someone tried to impersonate them.
Tell the client that this is 100% on the other company and they need to fix their email servers.
It’s a required security setting now.
Public_Fucking_Media@reddit
THEY are the ones telling you to reject emails that don't pass DMARC, while also sending you emails that don't pass DMARC. They need to fix it.
Assumeweknow@reddit
smtp2go is your friend. For 75 bucks a month all emails get out correctly.
ARC-Relay@reddit
recommend they try my service; simple ARC email smtp relay
dylanimal@reddit
Add a rule setting the SCL to -1 for that domain, I believe that should still work.
CeC-P@reddit (OP)
Apparently that used to work but doesn't now because "The message never enters your mailbox pipeline so mail flow rules like SCL setting never get evaluated"
dylanimal@reddit
Ah, I guess this changed in the last year or two then. I would honestly just tell your client that it's not on your end; the other company's IT needs to update their DNS to current standards, and send them a few articles. I've had a similar situation and even offered to assist for a small fee.
apandaze@reddit
https://learn.microsoft.com/en-us/answers/questions/4744171/deliverability-issues-all-emails-going-to-spam-des
https://www.mailreach.co/blog/office-365-email-goes-to-spam
I have users who use Anywhere.net and Microsoft actively puts those emails into Junk. It's an issue with many smaller email clients. The 'geniuses' could do everything right and Microsoft still would block the email. I am moving my users next week to our Microsoft tenant; it's been that big of an issue.
Civil_Inspection579@reddit
M365 used to have some "bypass-ish" behavior with allow lists, but it's not reliable now and doesn't truly override DMARC reject; at best you might get it to junk instead of drop, but even that's inconsistent.
Wodaz@reddit
I don't think you want to allow anything. Even when clients ask. The policy is the policy, even/especially regarding money. You don't exempt/whitelist/allow anything. If you do you bypass security that was put in place for a reason. And, in dmarc/spf scenarios, you are following their directions. It really is on them to fix it.
stillwind85@reddit
Agreed. The whole point of publishing a DMARC record is telling email operators “this is what I want you to do with email that claims to be from us”. They verify authenticity according to other DNS records you publish, process the mail and inform what they did all according to these instructions. If something isn’t getting delivered it’s always best to figure out why and fix it. Asking everyone to allow misconfigured mail doesn’t scale and always makes me question the security of the service.
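Both angrydave's point ("it's because their DMARC policy told our server that's what it should do") and stillwind85's description of the receiver following the sender's published instructions come down to one evaluation: does SPF or DKIM pass for a domain aligned with the visible From: domain, and if not, what does that domain's record say to do. The PowerShell below is an added example, not code from any poster: it implements that evaluation, with a helper for the live lookup pixeladdie suggests sending back to the sender. The record text, the domains project-co.example and vendor-esp.example, and the authentication results are constructed to mirror the OP's situation; organizational-domain detection is simplified to the last two labels (a real verifier uses the Public Suffix List).

```powershell
# Added example: evaluate a DMARC verdict the way a receiving MTA does.
# Nothing here is from the thread; the policy record, the domains
# (project-co.example, vendor-esp.example) and the SPF/DKIM results are
# constructed to mirror the situation the OP describes.

function ConvertFrom-DmarcRecord {
    # Parse "v=DMARC1; p=reject; ..." into the tags that drive the verdict.
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') { throw "Not a DMARC1 record: '$Record'" }
    $get = { param($Key, $Default) if ($tags.ContainsKey($Key)) { $tags[$Key] } else { $Default } }
    [pscustomobject]@{
        Policy          = (& $get 'p' 'none').ToLower()        # action for the org domain
        SubdomainPolicy = (& $get 'sp' $null)                  # action for subdomains, if set
        DkimAlignment   = (& $get 'adkim' 'r').ToLower()       # r = relaxed, s = strict
        SpfAlignment    = (& $get 'aspf' 'r').ToLower()
        Percent         = [int](& $get 'pct' '100')            # sampling; applied by policy, not here
    }
}

function Get-OrgDomain {
    # Organizational domain, simplified to the last two labels.
    # A real verifier consults the Public Suffix List (co.uk, etc.).
    param([Parameter(Mandatory)][string]$Domain)
    $labels = $Domain.ToLower().TrimEnd('.') -split '\.'
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return (($labels[-2], $labels[-1]) -join '.')
}

function Test-DmarcAligned {
    # Identifier alignment: the authenticated domain must equal the From:
    # domain (strict) or share its organizational domain (relaxed).
    param([string]$AuthDomain, [string]$FromDomain, [string]$Mode)
    if ([string]::IsNullOrEmpty($AuthDomain)) { return $false }
    if ($Mode -eq 's') { return ($AuthDomain.ToLower() -eq $FromDomain.ToLower()) }
    return ((Get-OrgDomain $AuthDomain) -eq (Get-OrgDomain $FromDomain))
}

function Get-DmarcVerdict {
    param(
        [Parameter(Mandatory)][string]$DmarcRecord,  # the From: domain's _dmarc TXT record
        [Parameter(Mandatory)][string]$FromDomain,   # RFC5322.From domain (what the user sees)
        [string]$SpfResult  = 'none', [string]$SpfDomain  = '',  # RFC5321.MailFrom domain
        [string]$DkimResult = 'none', [string]$DkimDomain = ''   # d= of the verified signature
    )
    $p = ConvertFrom-DmarcRecord -Record $DmarcRecord
    $spfAligned  = ($SpfResult  -eq 'pass') -and (Test-DmarcAligned $SpfDomain  $FromDomain $p.SpfAlignment)
    $dkimAligned = ($DkimResult -eq 'pass') -and (Test-DmarcAligned $DkimDomain $FromDomain $p.DkimAlignment)
    $pass = $spfAligned -or $dkimAligned

    # sp= overrides p= when the From: domain is a subdomain of the publishing org domain.
    $policy = $p.Policy
    if ($p.SubdomainPolicy -and ($FromDomain.ToLower() -ne (Get-OrgDomain $FromDomain))) {
        $policy = $p.SubdomainPolicy.ToLower()
    }
    $result      = if ($pass) { 'pass' } else { 'fail' }
    $disposition = if ($pass) { 'none' } else { $policy }   # none / quarantine / reject
    [pscustomobject]@{
        FromDomain  = $FromDomain
        SpfAligned  = $spfAligned
        DkimAligned = $dkimAligned
        DmarcResult = $result
        Disposition = $disposition
        Percent     = $p.Percent
    }
}

function Get-DmarcRecordFromDns {
    # Live lookup of the sender's record (Windows DnsClient module); this is
    # what you paste back to the sender. Not called in the offline demo below.
    param([Parameter(Mandatory)][string]$Domain)
    (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
        Where-Object { (($_.Strings -join '') -like 'v=DMARC1*') } |
        Select-Object -First 1).Strings -join ''
}

# Constructed record for the sender's domain (the thread's project manager).
$record = 'v=DMARC1; p=reject; rua=mailto:dmarc@project-co.example'

# Case 1: the thread's situation. A third-party sender uses its own bounce
# domain and DKIM key, so SPF and DKIM both pass, but for the wrong domain.
Get-DmarcVerdict -DmarcRecord $record -FromDomain 'project-co.example' `
    -SpfResult pass -SpfDomain 'bounce.vendor-esp.example' `
    -DkimResult pass -DkimDomain 'vendor-esp.example'

# Case 2: the fix. Same sender, now DKIM-signing with a key published under
# a subdomain of the From: domain (relaxed alignment is the default).
Get-DmarcVerdict -DmarcRecord $record -FromDomain 'project-co.example' `
    -SpfResult pass -SpfDomain 'bounce.vendor-esp.example' `
    -DkimResult pass -DkimDomain 'mail.project-co.example'

# Case 3: a subdomain From: under a record with sp=, no alignment at all.
Get-DmarcVerdict -DmarcRecord 'v=DMARC1; p=reject; sp=quarantine' `
    -FromDomain 'billing.project-co.example' -SpfResult fail
```

In case 1 neither identifier shares project-co.example's organizational domain, so DMARC fails and the disposition is whatever the record's p= says, here reject: the receiver did exactly what the sender published. Case 2 passes on the aligned DKIM signature alone, which is why the usual fix is a DKIM key under the sender's own domain rather than asking every recipient for an exception. Case 3 shows the sp= tag taking over for a subdomain, a detail worth checking when a sender claims "but our main domain is set up correctly".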
Witte-666@reddit
I had the same issue at my previous job with a company that couldn't mail us once we had DMARC and DKIM enabled.
It took me way too much time to explain to the "IT specialist" that the problem was on their side. The mail didn't even make it to our tenant. It was blocked and dumped by the provider.