What does arc=pass actually mean?

Hey guys, sorry if this is a silly question.
Currently using policy=none, 99.98% of my emails are passing DMARC validation, however, filtering by “show non-compliant email” shows thousands of reports. The vast majority, over 99%, are in the Forwarders tab.

In the Forwarders tab, there are emails being forwarded by Google on *.google.com, for example. However, almost all the rows have the column “override comment: arc=pass”.
Which brings me to my questions:

  1. What I understand from this is that although DMARC has failed, it was overridden because “arc=pass”, is that correct?
  2. Can I assume that if I had set my DMARC policy to reject, these emails would have been delivered successfully?

Something similar is happening for Microsoft 365, on *.outlook.com. There is, however, no “override comment” column, only “override reason: none”.
Now, I don’t understand whether:
1) the DMARC failure has been overridden because my policy is set to none, and if it were set to quarantine/reject the delivery would have reached spam/failed
2) there have been no overrides whatsoever and my emails wouldn’t have been delivered if I had a policy other than “none”.

This is all that is keeping me from setting my policy to quarantine/reject, since the domains that show up in the Forwarder tab belong to customers of high importance to the company I work in.

Thanks in advance for the time and help :slight_smile:

Hi glore and welcome to the forums!

This is a good question to ask.

  1. A policy override means the disposition of the email (policy applied) will be different from the published policy in DNS for anything other than “none”. This means had you published a DMARC enforcement of quarantine or reject, the policy applied would have been “none” instead due to the policy override.

  2. That is correct! A policy override with a reason of arc=pass will result in a “none” action policy applied.

If the override column says “none” there it means no policy override applied, and for emails that fail DMARC the policy applied will reflect the published policy in the domain’s DNS. If you are at “p=none” then you will see “none”.

That being said, Microsoft does not currently report if an override took place for any reason (arc, whitelist). This means Enterprise Outlook and Outlook reporters will only ever show you results of either “none” for when DMARC passes, or whatever your policy is at in DNS for a failure verdict.

I hope this helps!

1 Like
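
To check the split discussed above across a whole aggregate report instead of row by row in a dashboard, this added example (not part of the thread or of any vendor's tooling) tallies DMARC-failing messages by the override the reporter recorded. The XML is a constructed sample in the RFC 7489 aggregate-report layout; `classify_failures` and the bucket labels are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
# For reports received from outside, parse with a hardened parser such as
# defusedxml, since the stdlib parser does not limit entity expansion.
SAMPLE = """<feedback>
  <report_metadata><org_name>google.com</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type><comment>arc=pass</comment></reason>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""

def classify_failures(xml_text):
    """Return (published policy, Counter of DMARC-failing messages per override)."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p", default="none")
    buckets = Counter()
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        count = int(row.findtext("count", default="0"))
        # A row may carry several <reason> elements; keep them all in the label.
        reasons = [
            f"{r.findtext('type', default='?')}: {r.findtext('comment', default='').strip()}"
            for r in evaluated.findall("reason")
        ]
        buckets["; ".join(reasons) if reasons else "no override reported"] += count
    return published, buckets

if __name__ == "__main__":
    policy, result = classify_failures(SAMPLE)
    print(f"published p={policy}")
    for label, total in result.most_common():
        print(f"{total:6d}  {label}")
```

Messages in the "no override reported" bucket are the ones that would receive the published policy under quarantine or reject; as the answer above notes, a reporter that does not record overrides will always land in that bucket.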

Thanks, Asher, that really helps.

Nice job, thank you for your answer :slight_smile: