

DMARC bypass techniques: How threat actors exploit gaps


A Domain-based Message Authentication, Reporting, and Conformance (DMARC) bypass happens when attackers send a spoofed email that still passes DMARC checks. On paper, your domain looks protected. In reality, a determined attacker has found a way around your controls.

For security and email teams, this is a high-impact problem. If someone can bypass DMARC, they can deliver convincing phishing emails straight into inboxes.

Bypassing DMARC rarely involves breaking the protocol itself. More often it exploits overly broad Sender Policy Framework (SPF) records, weak DomainKeys Identified Mail (DKIM) practices, forwarding paths, and application-specific behavior at the receiving side. Understanding these gaps is the first step to closing them.

Before you go deeper, run a quick DMARC check to see if attackers could already be exploiting your domain.

Common ways to bypass DMARC

1. Abusing authorized infrastructure

One of the easiest ways to bypass DMARC is to send from infrastructure you already trust. Attackers look for:

  • IP ranges that have been added to an SPF record and never removed
  • Third-party platforms you once used but no longer do
  • Third-party services that sign outgoing mail with your DKIM keys

If an attacker can send from an IP address your SPF record still authorizes, or through a service that signs with your DKIM key, the message gets an aligned SPF or DKIM pass, and DMARC requires only one of the two. That flexibility is by design; the trouble is that many organizations treat every historical sender as trusted and never revisit the list, so a stale include or an abandoned platform becomes an open door.

The weakness isn’t in DMARC itself, but in how broadly authorized senders are defined and whether anyone prunes them.
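The quickest way to see how much a record authorizes is to walk it the way a receiver does. The script below is an added example, not code from this page or from Sendmarc: it resolves include and redirect terms from a constructed, in-memory zone instead of DNS (the domains and IP ranges are invented), counts the DNS lookups that RFC 7208 caps at 10, merges the authorized IPv4 ranges, and flags the patterns an attacker looks for: huge netblocks, ptr, and an included record that ends in +all.

```python
"""Offline SPF record analyser: walks includes and flags over-broad authorisation."""
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (assumption: no network access).
SAMPLE_ZONE = {
    "example.test": (
        "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/16 "
        "include:_spf.mailer.test include:legacy-crm.test a mx ptr ~all"
    ),
    "_spf.mailer.test": "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.test -all",
    "_spf2.mailer.test": "v=spf1 ip4:192.0.0.0/22 -all",
    # A platform the organisation stopped using, whose operator now publishes +all.
    "legacy-crm.test": "v=spf1 +all",
}

# Mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:          # modifier, e.g. redirect=_spf.other.test
            name, value = term.split("=", 1)
        elif ":" in term:        # mechanism with argument, e.g. ip4:198.51.100.0/16
            name, value = term.split(":", 1)
        else:                    # bare mechanism, e.g. a, mx, ptr, all
            name, value = term, ""
        parsed.append((qualifier, name.lower(), value))
    return parsed


def analyse_spf(domain, zone, _path=frozenset(), _top=True):
    """Walk a domain's SPF record, following include/redirect, and collect findings."""
    findings = {"lookups": 0, "networks": [], "issues": []}
    if domain in _path:
        findings["issues"].append(f"{domain}: include loop")
        return findings
    record = zone.get(domain)
    if record is None:
        findings["issues"].append(f"{domain}: no SPF record (an include of it is a permerror)")
        return findings
    for qualifier, name, value in parse_spf(record):
        if name in LOOKUP_TERMS:
            findings["lookups"] += 1
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            findings["networks"].append(net)
            # A /16 (IPv4) or /48 (IPv6) or larger authorises far more hosts than
            # one organisation's mail servers; it is usually a copied provider range.
            if net.prefixlen <= (16 if net.version == 4 else 48):
                findings["issues"].append(f"{domain}: broad network {name}:{value}")
        elif name in ("include", "redirect"):
            sub = analyse_spf(value, zone, _path | {domain}, _top=False)
            findings["lookups"] += sub["lookups"]
            findings["networks"] += sub["networks"]
            findings["issues"] += sub["issues"]
        elif name == "ptr":
            findings["issues"].append(f"{domain}: ptr mechanism (deprecated by RFC 7208)")
        elif name == "all":
            # Inside an include, '+all' makes that include match every sender IP,
            # so the whole internet is authorised via the parent record.
            if qualifier == "+":
                findings["issues"].append(f"{domain}: '+all' authorises every host on the internet")
            elif _top and qualifier in ("?", "~"):
                findings["issues"].append(f"{domain}: '{qualifier}all' never hard-fails unauthorised senders")
    if _top and findings["lookups"] > 10:
        findings["issues"].append(f"{domain}: {findings['lookups']} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def authorised_ipv4_count(findings):
    """Number of distinct IPv4 addresses the record authorises (overlapping ranges merged)."""
    v4 = [n for n in findings["networks"] if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))


if __name__ == "__main__":
    result = analyse_spf("example.test", SAMPLE_ZONE)
    print("DNS lookups:", result["lookups"])
    print("IPv4 addresses authorised:", authorised_ipv4_count(result))
    for issue in result["issues"]:
        print("-", issue)
```

Run against the constructed zone it reports six lookups, roughly 66,000 authorized IPv4 addresses for a domain that probably has a handful of mail servers, and four issues, the worst being the abandoned CRM platform whose +all quietly authorizes everyone. To use it for real, replace SAMPLE_ZONE with TXT lookups and keep the `a` and `mx` terms in mind: they count as lookups here but their addresses are not resolved offline.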

2. Using compromised legitimate senders

Account takeover gives attackers a perfect DMARC bypass. When they send from:

  • Compromised user mailboxes
  • Systems configured to send on your behalf

…every message they send looks authentic. SPF passes. DKIM passes. DMARC passes. From a pure authentication perspective, nothing looks wrong. Detecting these attacks relies on behavioral, content, and anomaly-based controls – which means DMARC needs to be part of a broader email security strategy.

Microsoft DMARC bypass risks

Microsoft is often at the center of DMARC bypass investigations. Its evaluation logic, trust model, and legacy tenants can all influence how DMARC is applied.

SCL and trusted signals

In some scenarios, an email that should be rejected under your DMARC policy still lands in the inbox. This happens when Exchange Online Protection stamps the message with a Spam Confidence Level (SCL) of -1, which tells the filtering pipeline to skip spam filtering: the DMARC failure is still recorded in the Authentication-Results header, but the policy action is never applied. SCL -1 is generally the result of an overly permissive inbound connector, a mail flow rule that sets the SCL, or an allow list entry.

In addition, many older Microsoft 365 tenants don’t enforce DMARC by default, so spoofed messages can still be delivered unless admins adjust settings.

From your perspective, it looks like Microsoft has ignored a DMARC policy of p=reject. In reality, trust signals and configuration settings have taken priority, effectively allowing an attacker to bypass DMARC.
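When you investigate one of these cases, the evidence is in two headers: Authentication-Results, where Exchange Online records the DMARC verdict and the From domain it applied to, and X-MS-Exchange-Organization-SCL. The triage script below is an added example, not code from this page or from Sendmarc. The two header sets are constructed (invented IPs, domains and values) and shaped like the headers Exchange Online stamps; the domain list is an assumption you would replace with your own.

```python
"""Triage Exchange Online headers for DMARC failures that were delivered anyway."""
import email
import re

# Assumption: domains you own. A DMARC failure with one of these in header.from is a spoof.
OUR_DOMAINS = {"example.test"}

# Constructed header sets shaped like the Authentication-Results and SCL headers
# Exchange Online stamps on inbound mail; the IPs, names and values are invented.
BYPASSED = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.77)
 smtp.mailfrom=example.test; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.test;
X-MS-Exchange-Organization-SCL: -1
From: Finance <cfo@example.test>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

ENFORCED = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.77)
 smtp.mailfrom=example.test; dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=example.test;
X-MS-Exchange-Organization-SCL: 9
From: Finance <cfo@example.test>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""


def triage(raw_message):
    """Extract the DMARC verdict, the From: domain it applied to, and the SCL,
    then say whether a spoof of one of OUR_DOMAINS was let through."""
    msg = email.message_from_string(raw_message)
    # Folded header lines are joined; several Authentication-Results headers are concatenated.
    auth = " ".join(" ".join(v.split()) for v in msg.get_all("Authentication-Results", []))
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    action = re.search(r"\baction=([\w.]+)", auth)
    header_from = re.search(r"\bheader\.from=([\w.-]+)", auth)
    scl_header = msg.get("X-MS-Exchange-Organization-SCL")
    info = {
        "dmarc": dmarc.group(1).lower() if dmarc else "none",
        "action": action.group(1).lower() if action else "",
        "header_from": header_from.group(1).lower() if header_from else "",
        "scl": int(scl_header.strip()) if scl_header else None,
    }
    if info["dmarc"] == "fail" and info["header_from"] in OUR_DOMAINS:
        if info["scl"] == -1:
            # Spam filtering was skipped entirely (connector, mail flow rule or allow list),
            # so the DMARC failure never turned into a quarantine or reject.
            info["verdict"] = "SCL_BYPASS"
        elif info["action"] in ("none", "oreject", "o.reject"):
            # 'oreject' is Exchange Online's override of p=reject: junked, not rejected.
            info["verdict"] = "DMARC_OVERRIDDEN"
        else:
            info["verdict"] = "ENFORCED"
    else:
        info["verdict"] = "NO_SPOOF"
    return info


if __name__ == "__main__":
    for name, raw in (("bypassed", BYPASSED), ("enforced", ENFORCED)):
        print(name, triage(raw))
```

An SCL_BYPASS verdict means the DMARC result was correct and something in your own tenant overrode it; the follow-up is the connector, rule or allow list review in the hardening steps later on, not a change to your DMARC record.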

Forwarding and SRS

Microsoft applies Sender Rewriting Scheme (SRS) to mail it forwards: it rewrites the envelope sender (the MAIL FROM or Return-Path address, Microsoft’s “P1” sender, not the visible From header) to an address at a domain it controls, so that SPF can pass at the next hop even though the forwarding server is not in the original sender’s SPF record.

Here is how that can play out:

  1. An attacker sends a spoofed email with your domain in the From header to a mailbox that forwards mail onward. This only works if that first hop accepts the message despite the DMARC failure, for example under p=none or on a tenant that does not enforce your policy.
  2. The forwarding system rewrites the envelope sender with SRS. The From header is left untouched.
  3. Downstream, the recipient evaluates SPF against the rewritten envelope domain and the forwarder’s IP address, and SPF passes.

By the time the email reaches the recipient it carries a passing SPF result, even though it began as a spoofed message. DMARC passes as well whenever the rewritten envelope domain aligns with your domain in the From header, which is exactly what happens when the forwarding mailbox lives in your own tenant. A forwarder at an unrelated domain produces an SPF pass that does not align, so DMARC still fails there; the risk is concentrated in forwarding paths that use your own domains.
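The alignment rule is what decides whether a forwarded spoof becomes a DMARC pass, so it is worth tracing by hand. The model below is an added example, not code from this page or from Microsoft. It implements the generic SRS0 rewrite (Microsoft’s exact address format differs, but the effect, an envelope domain owned by the forwarder, is the same), a simplified organisational-domain check (last two labels; the Public Suffix List is the real thing), and DMARC’s one-aligned-pass rule; the secret, domains and addresses are invented.

```python
"""Model an SRS-rewriting forwarder and check whether DMARC still aligns afterwards."""
import hashlib
import hmac

# Assumption: the forwarder's SRS secret; real deployments keep this private.
FORWARDER_SECRET = b"constructed-forwarder-secret"


def srs_rewrite(envelope_from, forwarder_domain, timestamp="TT"):
    """Rewrite MAIL FROM the way an SRS0 forwarder does (simplified: the real
    scheme uses a base32 timestamp and a longer hash, but the shape is the same).
    Only the envelope sender changes; the visible From: header is untouched."""
    local, orig_domain = envelope_from.rsplit("@", 1)
    tag = hmac.new(FORWARDER_SECRET, f"{timestamp}{orig_domain}{local}".encode(),
                   hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}={timestamp}={orig_domain}={local}@{forwarder_domain}"


def org_domain(domain):
    """Organisational domain. Assumption: the last two labels; production code
    must consult the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organisational domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


def dmarc_result(header_from, spf_domain, spf_pass, dkim_domain, dkim_pass,
                 aspf="r", adkim="r"):
    """DMARC passes when either SPF or DKIM passes *and* aligns with the From: domain."""
    hf_domain = header_from.rsplit("@", 1)[1]
    spf_ok = spf_pass and aligned(hf_domain, spf_domain, aspf)
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(hf_domain, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def forwarded_spoof(header_from, forwarder_domain, aspf="r"):
    """Trace a spoofed, unsigned message through an SRS forwarder.
    Returns (dmarc at hop 1, rewritten MAIL FROM, dmarc at hop 2)."""
    # Hop 1: the attacker's host is not in the spoofed domain's SPF and has no DKIM key.
    # The message only reaches hop 2 if hop 1 accepted it despite this failure.
    envelope_from = header_from
    hop1 = dmarc_result(header_from, envelope_from.rsplit("@", 1)[1], spf_pass=False,
                        dkim_domain=None, dkim_pass=False, aspf=aspf)
    # Hop 2: the forwarder rewrites MAIL FROM to its own domain and sends from an IP
    # that its own SPF record authorises, so SPF passes on the rewritten address.
    rewritten = srs_rewrite(envelope_from, forwarder_domain)
    hop2 = dmarc_result(header_from, rewritten.rsplit("@", 1)[1], spf_pass=True,
                        dkim_domain=None, dkim_pass=False, aspf=aspf)
    return hop1, rewritten, hop2


if __name__ == "__main__":
    for fwd in ("relay.forwarder.test", "example.test", "mail.example.test"):
        for mode in ("r", "s"):
            h1, mf, h2 = forwarded_spoof("cfo@example.test", fwd, aspf=mode)
            print(f"forwarder={fwd:22} aspf={mode}  hop1={h1}  hop2={h2}  MAIL FROM={mf}")
```

Three outcomes fall out of the trace: a forwarder at an unrelated domain passes SPF but never aligns, so DMARC still fails; a forwarder at your own apex domain turns the spoof into a full DMARC pass; and a forwarder at a subdomain of yours passes only under relaxed alignment, which is one concrete reason the hardening steps below ask you to set aspf and adkim deliberately.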


Steps to secure against DMARC bypass

Preventing DMARC bypass means combining strong email authentication with the right application settings and ongoing user training.

1. Build a complete inventory of senders

Start by identifying every system that sends email for your domain:

  • Marketing, CRM, and newsletter platforms
  • Ticketing and support tools
  • Payroll, HR, and finance systems

Ensure that each sender is correctly configured. Remove unused services and legacy IP addresses so attackers can’t hide behind old configurations. Where internal expertise is limited, work with specialists who manage large, complex email environments every day.

2. Harden SPF, DKIM, and DMARC

Once you understand who’s sending, focus on strengthening your protocols:

  • Keep SPF records lean and specific. Avoid unnecessary mechanisms such as ptr and provider-wide netblocks, and stay within the 10 DNS lookups receivers will evaluate.
  • Ensure every critical sender DKIM-signs outgoing mail with a key under your domain, so alignment survives forwarding paths where SPF breaks.
  • Explicitly set alignment modes (aspf and adkim) rather than relying on the relaxed default.
  • Progress from p=none to p=quarantine and finally p=reject, and apply the same policy to subdomains with sp.
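A small linter makes these checks repeatable across every domain you own. The one below is an added example, not code from this page or from Sendmarc; the two records it runs against are constructed, and the severities are this example’s own judgement rather than anything the DMARC specification defines.

```python
"""Lint a DMARC TXT record for the weak settings listed above."""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def lint_dmarc(record):
    """Return (tags, findings); each finding is a (severity, message) pair."""
    tags = parse_dmarc(record)
    findings = []
    p = tags.get("p")
    if p is None:
        findings.append(("high", "p tag missing: receivers ignore the record"))
    elif p == "none":
        findings.append(("high", "p=none: monitoring only, spoofed mail is still delivered"))
    elif p == "quarantine":
        findings.append(("medium", "p=quarantine: spoofed mail lands in junk rather than being rejected"))
    # sp defaults to p; an explicit sp=none leaves subdomains open while the apex is enforced.
    sp = tags.get("sp", p)
    if p in ("quarantine", "reject") and sp == "none":
        findings.append(("high", "sp=none: subdomains are unprotected while the apex is enforced"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("medium", "rua missing: no aggregate reports, so new senders go unnoticed"))
    for tag in ("aspf", "adkim"):
        if tag not in tags:
            findings.append(("info", f"{tag} not set: defaults to relaxed alignment"))
    return tags, findings


# Constructed records for the walkthrough.
WEAK = "v=DMARC1; p=none; pct=50"
HARDENED = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
            "rua=mailto:dmarc-rua@example.test; ruf=mailto:dmarc-ruf@example.test; fo=1")

if __name__ == "__main__":
    for rec in (WEAK, HARDENED):
        print(rec)
        for severity, message in lint_dmarc(rec)[1]:
            print(f"  [{severity}] {message}")
```

Strict alignment is not always the right answer (a marketing platform sending from a subdomain needs relaxed alignment or its own DMARC record), which is why the linter only reports an unset aspf or adkim as informational; the point is that the choice is made, not defaulted.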

3. Monitor DMARC data for anomalies

DMARC aggregate and failure reports are your early-warning signs for bypass attempts and misconfigurations. Use them to:

  • Detect unknown senders using your domain
  • Spot intermittent SPF or DKIM failures

Regular review of this data turns DMARC from a static protocol into an ongoing security control.
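Aggregate reports arrive as XML in the RFC 7489 format, one record per source IP and verdict combination, and the anomalies above fall straight out of a join against your sender inventory. The parser below is an added example, not code from this page or from Sendmarc. The report is constructed (invented reporter, IPs and counts) and the KNOWN_SENDERS table is an assumption standing in for the inventory from step 1.

```python
"""Parse a DMARC aggregate (RUA) report and sort sources into the anomalies worth chasing."""
import xml.etree.ElementTree as ET

# Assumption: the IPs you have inventoried as legitimate senders for the domain.
KNOWN_SENDERS = {"203.0.113.10": "corporate MTA"}

# Constructed report in the RFC 7489 aggregate format; org name, IPs and counts are invented.
SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>receiver.test</org_name>
    <report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>37</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Return (reported domain, list of per-source rows)."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # In policy_evaluated, dkim/spf are the *aligned* results, so one "pass" is a DMARC pass.
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return domain, rows


def classify(row):
    known = row["source_ip"] in KNOWN_SENDERS
    dmarc_pass = "pass" in (row["dkim"], row["spf"])
    if not known and dmarc_pass:
        # Someone outside your inventory is passing DMARC: a stale SPF entry, an abused
        # shared platform, or a compromised sender. This is the bypass case to chase first.
        return "UNKNOWN_SOURCE_PASSING"
    if not known:
        return "SPOOF_BLOCKED" if row["disposition"] in ("quarantine", "reject") else "SPOOF_DELIVERED"
    if row["dkim"] != "pass" or row["spf"] != "pass":
        # A legitimate sender passing only one check is one misconfiguration away from failing.
        return "KNOWN_SENDER_PARTIAL_FAIL"
    return "OK"


def summarise(xml_text):
    """Group (source_ip, count) pairs by classification."""
    domain, rows = parse_rua(xml_text)
    summary = {}
    for row in rows:
        summary.setdefault(classify(row), []).append((row["source_ip"], row["count"]))
    return domain, summary


if __name__ == "__main__":
    domain, summary = summarise(SAMPLE_REPORT)
    print("domain:", domain)
    for label, sources in summary.items():
        print(f"{label:26} {sources}")
```

The UNKNOWN_SOURCE_PASSING bucket is the one that maps to the bypass techniques earlier on this page: the message was authenticated as yours by an IP you do not recognise. SPOOF_DELIVERED (an unknown source failing DMARC with a disposition of none) is the other one to watch, because it means a receiver is not honouring your policy.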

4. Reduce Microsoft DMARC bypass risk

Because Microsoft is so widely used, its behavior is often at the center of DMARC bypass cases. A few targeted checks can close common gaps:

  • Block unauthenticated direct sending: Enable the RejectDirectSend setting in Exchange Online to stop unauthenticated direct-to-MX traffic that spoofs your own domains to your own users.
  • Align policy and enforcement: Make sure the Defender for Office 365 or Exchange Online Protection anti-phishing policy is set to honor the sender’s DMARC policy and act on failures. Legacy tenants need this enabled explicitly before p=reject is actually enforced.
  • Tighten connectors, rules, and allow lists: Review inbound connectors, mail flow rules, and allow lists; any of these can stamp SCL -1 on a message, which skips spam filtering and with it the DMARC action.
  • Improve user awareness: Alert users that even “authenticated” emails can be malicious, and train them to escalate any unexpected payment, credential, or policy-change requests.

How Sendmarc helps you close DMARC bypass gaps

Managing email authentication manually is time-consuming and easy to get wrong, especially in large or scaling environments. Sendmarc is designed to reduce that risk.

It helps you:

  • Discover every system sending on behalf of your domain and visualize SPF, DKIM, and DMARC results.
  • Move safely to p=reject with guided changes and staged enforcement to safeguard legitimate email.

When you’re ready for deeper visibility and improved security, book a demo with Sendmarc. We will help you build an email environment that’s protected against real-world DMARC bypass techniques, not just compliant on paper.