Policy Override (DMARC)
Learn what a DMARC policy override is, why mailbox providers apply it, and how DMARCeye tracks override reasons to help optimize authentication.
What is Policy Override in DMARC?
A Policy Override in DMARC occurs when a receiving mail server applies a final disposition (such as deliver, quarantine, or reject) that differs from the sender’s published DMARC policy. This happens when other factors, like local filtering rules, forwarding behavior, or trusted sender lists, take precedence over the DMARC recommendation. Policy overrides are reported in DMARC aggregate reports so domain owners can understand when and why mail handling deviates from the declared policy.
In other words, even if a domain’s DMARC record specifies that unauthenticated mail should be rejected, a recipient server may still choose to accept it under certain conditions. The “Policy Override” field in DMARC reports documents these cases, helping senders see when enforcement wasn’t applied as expected.
How Policy Overrides Work
When an email fails SPF alignment and DKIM alignment, DMARC instructs the receiver on how to handle the message, typically via the p= tag in the DMARC record (none, quarantine, or reject). However, the receiver may override this instruction based on its own rules, user preferences, or system policies. The reasons for these decisions are included in the “policy_override” element of DMARC aggregate reports.
Example excerpt from a DMARC report showing a policy override:
<policy_evaluated>
  <disposition>none</disposition>
  <dkim>fail</dkim>
  <spf>fail</spf>
  <reason>
    <type>local_policy</type>
  </reason>
</policy_evaluated>

In this example, the message failed both SPF and DKIM, but the receiver still chose to deliver it (disposition “none”) due to a local policy override.
Common Types of DMARC Policy Overrides
Several types of overrides are recognized in DMARC reporting. These values help domain owners understand how their messages are being handled by different mail systems:
- forwarded – The message was forwarded, and authentication failed due to changes in headers or message content.
- sampled_out – The message was part of a PCT (percentage) sampling policy and was exempt from full enforcement.
- trusted_forwarder – The receiver trusts the forwarder (e.g., an intermediary mail relay or known service) and delivered the message despite authentication failure.
- local_policy – The receiver applied an internal policy that overrides the DMARC instruction, such as a whitelist or anti-spam decision.
- arc – The message included a valid ARC (Authenticated Received Chain) header that preserved authentication through forwarding.
- other – The reason for override does not fit the standard categories.
Each of these override conditions helps explain why unauthenticated mail might still reach the inbox, even under strict DMARC enforcement. This information is critical for diagnosing gaps in mail flow, especially for forwarded or indirect messages.
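As an added example (not DMARCeye's code or part of the original page), the Python below tallies override reasons per source IP from an aggregate report, keeping only rows that failed both DKIM and SPF yet received a weaker disposition than the published p= policy. The sample report is constructed, and the code assumes a report without an XML namespace and ignores the sp= and pct tags.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (not real data), using documentation IP ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>local_policy</type></reason></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>forwarded</type></reason></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>2</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def summarize_overrides(report_xml):
    """Return (published_policy, Counter{(source_ip, reason): message_count}) for
    rows that failed DMARC but got a weaker disposition than the published policy."""
    # Reports come from third parties; prefer a hardened XML parser (e.g. defusedxml) in production.
    root = ET.fromstring(report_xml)
    published = root.findtext("policy_published/p", default="none").strip()
    overrides = Counter()
    for row in root.iter("row"):
        pe = row.find("policy_evaluated")
        if pe is None:
            continue
        # DMARC fails only when both the aligned DKIM and aligned SPF results fail.
        failed = pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail"
        disposition = pe.findtext("disposition", default="none").strip()
        if not failed or STRICTNESS.get(disposition, 0) >= STRICTNESS.get(published, 0):
            continue
        # A row may carry several <reason> elements; "unreported" marks rows with none.
        reasons = [r.findtext("type", default="other") for r in pe.findall("reason")] or ["unreported"]
        count = int(row.findtext("count", default="0"))
        for reason in reasons:
            overrides[(row.findtext("source_ip"), reason)] += count
    return published, overrides

if __name__ == "__main__":
    policy, found = summarize_overrides(SAMPLE_REPORT)
    for (ip, reason), n in found.most_common():
        print(f"p={policy} not applied: {n} msgs from {ip} ({reason})")
```

Rows counted under "unreported" are the ones worth chasing first, since the receiver relaxed enforcement without stating why.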
Why Policy Overrides Occur
Policy overrides usually reflect the flexibility of recipient mail systems rather than sender misconfiguration. Common scenarios include:
- Forwarding through mailing lists or automated systems that modify messages
- Trusted intermediaries that bypass DMARC checks
- Local spam or phishing filters taking precedence over DMARC policy
- Partial DMARC enforcement when using pct<100
- Recipient preferences allowing delivery from known senders despite failures
Overrides do not necessarily mean a DMARC setup is faulty, but frequent occurrences may indicate misalignment issues, forwarding problems, or inconsistent DKIM signatures.
Policy Overrides and DMARCeye
DMARCeye visualizes policy override data directly from DMARC aggregate reports, helping organizations identify patterns and understand why enforcement outcomes differ across recipients. The platform categorizes overrides by type, such as forwarded, arc, or local_policy, and correlates them with sending sources to pinpoint where authentication breaks down.
By highlighting override frequency and impact, DMARCeye enables domain owners to adjust their authentication setup, optimize DKIM key propagation, and ensure that legitimate messages aren’t falsely rejected or quarantined. This transparency gives administrators confidence that their DMARC enforcement aligns with real-world delivery behavior.