If you’re a customer of Office 365, you know that you’ve been protected by DMARC for the past several months. But you may have a question if you look at the email headers. What is this dmarc=bestguesspass that is sometimes seen in the Authentication-Results headers?
Maybe something like this:
From: Joe User <joe@contoso.com>
Authentication-Results: spf=pass (sender IP is 1.2.3.4)
smtp.mailfrom=example.com; dkim=pass (signature was verified)
header.d=example.com; dmarc=bestguesspass action=none
header.from=example.com;
What is this and what does it mean? The DMARC best guess pass is unique to Exchange Online Protection. It means that the domain in the From: address does not have a DMARC record but it would have passed DMARC if it did. This is only for the case where it would have passed DMARC, there is nothing for the negative case where it would have failed.
In this case, example.com passed SPF and DKIM and has no DMARC record, but you can see that the From: domain contoso.com aligns with both the SPF and DKIM verified domains (it only needs to align with one of those, just like regular DMARC).
It doesn’t mean that example.com is a good sender or a bad sender, it just means that what shows up in the From: address in your mail client aligns with the domain that was verified. I like to think of it as “This domain is doing the right things. When does it plan to set up DMARC for real?”
It can be useful for creating Transport rules to allow email from a domain. Rather than allowing a sender of example.com, you might create a Transport rule that looks for the Authentication-Results header with the text dmarc=bestguesspass action=none header.from=example.com. In this way, you know you are always trusting the domain rather than a spoofed domain. You can also create a rule that looks for just the normal DMARC result dmarc=pass action=none header.from=example.com.
Not every domain publishes DMARC records. For the ones that don’t but would align with a domain that authenticates, this result will let you know.
Related links:
- How to use DMARC in Office 365
http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx - Best practices for Exchange Online customers to align with DMARC
http://blogs.msdn.com/b/tzink/archive/2015/03/03/best-practices-for-exchange-online-protection-customers-to-align-with-dmarc.aspx - How to align with SPF and DMARC for your domain if you use a lot of 3rd parties to send email as you
http://blogs.msdn.com/b/tzink/archive/2015/03/13/how-to-align-with-spf-and-dmarc-for-your-domain-if-you-use-a-lot-of-3rd-parties-to-send-email-as-you.aspx