DMARC Fail but mail ends up in Inbox

The problem is that SPF on its own is not enough to deal with mail forwarders. In fact, reading the DMARC RFC makes me realise that some solutions that were considered in the original SPF specifications are no longer valid.

For instance:

SPF was set up to be run against the mail from: address of the SMTP transaction. A way of mitigating this was to encourage forwarders to use sender address rewriting. Certainly, under the SPF RFCs that email should have passed, as the mail from: address was that of Blackberry’s servers, which, from the address shown, is actually employing sender rewriting.

However, the DMARC specification moves the SPF check so it’s done against the author’s email address, i.e. the address in the From: field. The problem is that the mail was never put through Virgin Media’s SMTP servers in the first place, as if it had, there would be a valid DKIM signature. This means that SRS is no longer a valid way for mail forwarders to overcome the faults in SPF itself.

However, failure to quarantine the mail does mean that it’s still possible for spammers to spoof the domain, so while I understand your thoughts, I do think the decision needs reviewing, as unwary users might take comfort in the fact that the mail ended up in their inbox and be less cautious than they should be.

Tim
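
The forwarding scenario from the post above, as an added example that is not part of the original post: a simplified DMARC evaluation (RFC 7489 identifier alignment) in which SPF is evaluated on the envelope MAIL FROM domain and must then align with the From: header domain. All domains and the small suffix set standing in for the Public Suffix List are constructed assumptions.

```python
# Added illustration: simplified DMARC identifier alignment (RFC 7489, section 3.1).
# Every domain below is a constructed placeholder, not taken from the post.

# Assumption: this tiny set stands in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf_result, mail_from_domain, dkim_sigs,
                 aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, verification result) pairs."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain,
                                              aspf == "s")
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim == "s")
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Forwarder rewrote the envelope sender (SRS): SPF passes for the forwarder's
# own domain, but that domain does not align with From:, and no DKIM exists.
FORWARDED_SRS = dmarc_result("author.example", "pass",
                             "srs.forwarder.example", [])

# Same forwarded message, but the author's domain signed it with DKIM.
FORWARDED_DKIM = dmarc_result("author.example", "pass",
                              "srs.forwarder.example",
                              [("author.example", "pass")])

# Sent directly through the author's own servers, unsigned.
DIRECT = dmarc_result("author.example", "pass", "bounce.author.example", [])

if __name__ == "__main__":
    for name, r in [("forwarded+SRS", FORWARDED_SRS),
                    ("forwarded+DKIM", FORWARDED_DKIM), ("direct", DIRECT)]:
        print(name, r)
```
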