Why did I get a spoof/phish/spam email?

A question we receive occasionally: "I have my domain using DMARC enforcement (p=quarantine or p=reject), why did I receive this phish/fraud/spoof message in my inbox?"


There are a variety of reasons that can explain this; we'll try to point out the most common ones here.


a) Does your mailbox provider actually support DMARC? If the environment where your domain is hosted does not check and enforce DMARC policies as the domain owner specifies in the DMARC record, then that could be a reason for fraudulent messages to continue arriving in your inbox. You can always check our public Data Reporters page to see if your hosting environment is listed as a DMARC participant.

b) Is the domain in the From header of the message actually your domain? Sometimes scammers will use small intentional typos in a domain name to skirt your DMARC policy. Inbox providers' antispam and antiphishing heuristic systems usually find these, but if not, you will need to work with your inbox provider to improve in that area.

  • A footnote in this area: if the domain's top-level policy is p=reject but its record also sets a subdomain policy such as sp=none, then fraudulent messages sent via subdomains are not protected against.

c) It is possible that your inbox provider is overriding the logical DMARC policy result and delivering the message in question despite a DMARC failure. This could occur because of a server-side failure in the DMARC implementation, a slow rollout of DMARC policy enforcement, or some other internal provider logic determining that the message should be delivered (incorrect ARC signing and verification, for example). If options (a) and (b) do not apply and you believe that this last scenario is likely, you will need to consult with your inbox provider to discuss and learn more.
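
The policy selection behind item (b) and its footnote, as an added example that is not part of the original page: it shows which policy a DMARC-checking receiver would apply to a given From domain. The records, the domain names and the `effective_policy` helper are constructed for illustration, and the organizational domain is passed in by the caller rather than derived from the Public Suffix List.

```python
# Added example: which DMARC policy covers the domain in a From header.
# RECORDS is constructed sample data standing in for DNS TXT lookups.
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=quarantine",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a usable record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def effective_policy(from_domain, org_domain, records=RECORDS):
    """Return (policy, reason) for the From domain; policy is None if nothing applies.

    org_domain is assumed to be the organizational domain of from_domain,
    already worked out by the caller.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    # 1. A record published at the exact From domain is used, with its p= tag.
    own = parse_dmarc(records.get("_dmarc." + from_domain, ""))
    if own:
        return own["p"].lower(), "record at " + from_domain
    # 2. Only a true subdomain can fall back to the organizational record.
    #    A look-alike domain (example.com vs examp1e.com) never reaches it.
    if from_domain == org_domain or not from_domain.endswith("." + org_domain):
        return None, "no DMARC record covers " + from_domain
    org = parse_dmarc(records.get("_dmarc." + org_domain, ""))
    if not org:
        return None, "no DMARC record covers " + from_domain
    # 3. For subdomains, sp= overrides p= when it is present.
    if "sp" in org:
        return org["sp"].lower(), "sp= of " + org_domain
    return org["p"].lower(), "p= of " + org_domain

if __name__ == "__main__":
    for dom, org in [("example.com", "example.com"),
                     ("billing.example.com", "example.com"),
                     ("mail.example.org", "example.org"),
                     ("examp1e.com", "examp1e.com")]:
        print(dom, "->", effective_policy(dom, org))
```

A result of `none` or `None` for a domain means a receiver has no instruction from you to quarantine or reject mail using it, even when the parent domain publishes p=reject.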