I have SPF and/or DKIM set up for all legitimate sources of mail for my domain. dmarcian XML parser reports show in the Policy Details table that my policy and subdomain policy are set to Quarantine. I’m gradually stepping up the percentage.
Hundreds of emails from my domain are listed in every report under DMARC Capable with high or perfect compliance rates.
Every few days, under the threat section, there’s activity listed under Other Servers. Right under Other Servers, it says “p=none Policy Applying To x of x messages.” Under that, all activity is listed under nxdomain in a table, and there is a line in that table for my domain – the same domain from which DMARC compliant mail is indicated in the DMARC Capable section. No policy is applied to this mail.
It seems that while the policy is set properly in DNS records, and respected enough by dmarcian to be listed in the report’s Policy Details, the same quarantine policy is not being respected by Threat/Unknown mail, which is listed under nxdomain, even though the domain listed in the nxdomain table is the same exact domain that should be respecting the policy.
Can someone help me understand what I’m missing here and how to apply a quarantine policy to threat/unknown mail from my domain listed under nxdomain?
I want to make abundantly clear that the policy applied is not a decision made by dmarcian. The data displayed in the console is as reported by the receiver. There could be several reasons why the policy applied states none. One could be that you made the change recently, and you are looking at a span of time where data covers when you were at p=none and after you made the change. Clicking the reporter bubble in the Detail Viewer will tell you what date the reported data is for.
Another reason could be the receiver performed an override. When viewing the data, click on the “x of x column visible” button on the right side just above the lines of metadata you are reviewing. Select the Override Reason and Override Comment columns to confirm if the receiver performed an override on your policy which would result in a policy applied different from the one you have published in your DMARC record.
Sometimes reporters send malformed or inaccurate data. Ensure the reporter is a reputable one (Google, Yahoo, etc.). You can filter by reporter in the Detail Viewer, which can help you look at all data reported by them and see if they systematically report incorrect data.
There could be more reasons, but these are the most common. I hope this helps.
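The checks described in this reply (report date range, applied disposition versus published policy, and override reason) can also be run directly against a raw aggregate report. The following is an added example, not dmarcian's code and not part of the original posts; it assumes the RFC 7489 aggregate XML element names, uses a constructed sample report, and goes slightly beyond the thread by applying `sp` to subdomain senders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed sample in the RFC 7489 aggregate-report format; every value is made up.
SAMPLE = """<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><p>quarantine</p><sp>quarantine</sp><pct>50</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   <reason><type>sampled_out</type><comment>pct=50</comment></reason></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def _txt(node, path, default=""):
    found = node.find(path) if node is not None else None
    return found.text.strip() if found is not None and found.text else default

def audit(xml_text):
    """Return failing rows whose applied disposition differs from the published policy."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # some reporters add an XML namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    pub = root.find("policy_published")
    domain, p = _txt(pub, "domain"), _txt(pub, "p")
    sp = _txt(pub, "sp", p)                     # sp defaults to p when absent
    day = lambda ts: datetime.fromtimestamp(int(ts), timezone.utc).date().isoformat()
    period = (day(_txt(root, "report_metadata/date_range/begin", "0")),
              day(_txt(root, "report_metadata/date_range/end", "0")))
    findings = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if "pass" in (_txt(ev, "dkim"), _txt(ev, "spf")):
            continue                            # DMARC passed, so no policy applies
        expected = p if _txt(rec, "identifiers/header_from").lower() == domain.lower() else sp
        applied = _txt(ev, "disposition")
        if applied != expected:                 # receiver did not apply what DNS publishes
            findings.append({"reporter": _txt(root, "report_metadata/org_name"),
                             "period": period, "source_ip": _txt(rec, "row/source_ip"),
                             "count": int(_txt(rec, "row/count", "0")),
                             "published": expected, "applied": applied,
                             "overrides": [(_txt(r, "type"), _txt(r, "comment"))
                                           for r in rec.findall("row/policy_evaluated/reason")]})
    return findings
```

Run `audit()` on the decompressed XML of each report; a finding with an empty `overrides` list and a `period` after the policy change points at the reporter's data rather than at the published record.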
I understand that dmarcian is just parsing the report and not making its own judgements.
For whatever reason, now that I stopped uploading XML reports ad-hoc and am sending data directly to dmarcian with a paid account, my quarantine policy is now being applied to email sent from my domain but classified under nxdomain. I changed my SPF record from ~all to -all; maybe that had something to do with it, although it appears it shouldn’t.
In any case, it’s all working now; hopefully that will continue. If it does, and the “why” remains a mystery, I can live with that.
Great! I am glad things are working. While it may be difficult to dive into the root cause, always feel free to reach out to support should you feel you need to. We are always happy to help.