First off let me start by saying I understand DMARC and SPF do not do the same thing.
However both have an option to tell the receiving servers what to do with mails that do not pass SPF (and DKIM in the case of DMARC).
Now let’s have a theoretical case with SPF set to v=spf1 include:… ~all
(the important part being ~all
) and a DMARC set to v=DMARC1; p=reject; rua=…
.
In this situation, if I understand correctly, we have an SPF record telling “mark mails that do not pass SPF as spam” and a DMARC record telling “do not accept mails that do not pass DKIM or SPF.”
Which instruction will have priority when a mail failing SPF is received? And if the DMARC entry is set to p=none
, is the answer the same?
Best Answer
From RFC 7208:
The key phrase here is "SHOULD NOT", thus the receiving server can enforce other policies and still be within the standard.
From RFC 7489:
The key phrases here are "wishes" and "SHOULD", thus the receiving server can enforce other polices and do whatever they want during the SMTP transaction while still being within the policy.
My best guess is that if the receiver is enforcing DMARC, then
p=reject
will be the overriding policy.Also from the same section in RFC 7489:
The key phrase here is "requests". In practice, this is nearly always treated the same as having no DMARC policy, other than to send reports since this policy is used for testing.
As a side note, you appear to have a common misunderstanding of what DMARC is testing. DMARC tests alignment, which is not what DKIM or SPF are testing, so those tests can both pass while DMARC fails.