On Jul 31, 2014, at 3:31 PM, Norman, Jean Marie via dmarc-discuss <[email protected]> wrote:
> Has anyone experienced unauthenticated emails being delivered to Google
> recipients despite having a DMARC policy (quarantine or reject) in place? We
> have seen evidence that unauthenticated emails (not passing both SPF and
> DKIM) are being delivered to Google, despite a DMARC policy, when messages
> pass through a ‘forwarder’, as noted by Google. We are trying to better
> understand this behavior and whether or not anyone has found a solution? Any
> insight or recommendations would be appreciated.

Several large entities have published inappropriate DMARC records, leading to wanted mail from those entities not being authenticated when it ends up at the recipient's inbox. Because of that, Google (and others) are unlikely to blindly follow DMARC policies.

(It was always true that a DMARC record was no more than a recommendation to the receiving ISP, but the widespread misuse of DMARC means that it's now just a very mild suggestion).

If you're, for example, a major financial institution, there are a couple of things you could do. One would be to talk to Google and others to special case mail from your domain. Longer term, you could help with an alternative/extension to DMARC that is suitable solely for high-value transactional email, one that isn't self-published and so open to misuse (that would likely involve third-party managed whitelists with entry to them controlled by industry-specific or governmental groups).

Cheers,
Steve

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
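
Added example, not part of the original thread: one way for a domain owner to measure how often a receiver applies a weaker disposition than the published policy, assuming the "forwarder" note shows up as a `forwarded` override reason in DMARC aggregate (RUA) reports in the RFC 7489 layout without an XML namespace. The report is constructed, and `find_overrides` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; every value is made up.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>forwarded</type></reason></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>500</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.44</source_ip><count>4</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>local_policy</type></reason></policy_evaluated></row></record>
</feedback>"""

STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def _text(node, path):
    return (node.findtext(path) or "").strip().lower()

def find_overrides(report_xml):
    """Return rows that failed DMARC but got a weaker disposition than published."""
    # Reports arrive from third parties: parse real ones with a hardened
    # parser (e.g. defusedxml); the stdlib parser is used here to stay offline.
    root = ET.fromstring(report_xml)
    published = _text(root, "policy_published/p")
    findings = []
    for row in root.iterfind("record/row"):
        pe = row.find("policy_evaluated")
        if pe is None:
            continue
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        failed = _text(pe, "dkim") != "pass" and _text(pe, "spf") != "pass"
        applied = _text(pe, "disposition")
        if failed and STRICTNESS.get(applied, 0) < STRICTNESS.get(published, 0):
            findings.append({
                "source_ip": (row.findtext("source_ip") or "").strip(),
                "count": int(row.findtext("count") or 0),
                "published": published, "applied": applied,
                "reasons": [(r.findtext("type") or "").strip() for r in pe.iterfind("reason")],
            })
    return findings

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_REPORT):
        print(finding)
```

The sketch compares against the top-level `p` only; it ignores `sp` for subdomains and `pct` sampling, both of which can also explain a weaker disposition.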
