It's almost definitely an anti-phishing setting. In my experience, domains sit on p=none for a long time, and in the meantime a lot of other senders send email as them - most legitimate but some malicious. This setting is designed to catch the malicious.
So, either (a) you rely upon DMARC proper but have to add additional layers to catch the rest of the phish, or (b) you go hyper-aggressive and then add layers (overrides) to allow the legitimate email. Both options are not great, although having to set up override after override after override is management pain as it is prone to false positives.

I used to say that I would probably treat your own domain(s) as p=quarantine/reject but respect the setting for domains you don't own. But in the past month or two, I've seen plenty of "other-domain" spoofing, that is, spammers/phishers spoofing domains with weak authentication policies and getting in that way.

-----Original Message-----
From: dmarc-discuss [mailto:[email protected]] On Behalf Of Al Iverson via dmarc-discuss
Sent: Monday, November 14, 2016 7:53 AM
To: [email protected]
Subject: Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

I agree with John Payne on this one. Their implementation shouldn't work this way based on the default settings.

Regards,
Al Iverson

--
Al Iverson
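The three receiver stances discussed in the reply above, compared on the same traffic. This is an added example, not part of the original thread and not FortiMail's implementation; the mode names (`proper`, `hybrid`, `aggressive`), the override key, the choice of `reject` as the strict action, and all sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    header_from: str   # domain in the visible From: header
    dmarc_pass: bool   # True if aligned SPF or DKIM passed
    policy: str        # p= published by header_from: none, quarantine or reject
    source: str        # constructed label for the sending service

def disposition(msg, mode, own_domains=frozenset(), overrides=frozenset()):
    """Return deliver, quarantine or reject for one message under a receiver mode."""
    if msg.dmarc_pass:
        return "deliver"
    # Local allow-list entry for a known legitimate sender that fails DMARC.
    if (msg.header_from, msg.source) in overrides:
        return "deliver"
    if mode == "aggressive":            # option (b): every failure is treated strictly
        return "reject"
    if mode == "hybrid" and msg.header_from in own_domains:
        return "reject"                 # own domains treated as if p=reject
    # "proper" (and hybrid for other domains): honour the published policy.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[msg.policy]

# Constructed sample traffic; example.com stands in for the receiver's own domain.
SAMPLES = [
    Msg("example.com", False, "none", "newsletter-vendor"),  # legitimate third party
    Msg("example.com", False, "none", "unknown-host"),       # own-domain spoof
    Msg("partner.example", False, "none", "unknown-host"),   # other-domain spoof
    Msg("partner.example", True, "none", "partner-mta"),     # authenticated mail
]
OWN = frozenset({"example.com"})
ALLOW = frozenset({("example.com", "newsletter-vendor")})

def compare(overrides=ALLOW):
    """Disposition of every sample message under each mode."""
    return {mode: [disposition(m, mode, OWN, overrides) for m in SAMPLES]
            for mode in ("proper", "hybrid", "aggressive")}

if __name__ == "__main__":
    for mode, results in compare().items():
        print(f"{mode:10} {results}")
```

The hybrid row shows the other-domain spoof still being delivered, and running `compare(frozenset())` shows the aggressive mode rejecting the legitimate vendor until an override exists.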
