Stop Bypassing DMARC: A Supply Chain Reality Check
DMARC isn’t the problem—how we respond to failed authentication often is.
For years, organisations have looked at DMARC with a mix of admiration and fear. On one hand, it’s one of the most effective controls to protect customers, partners, and employees from email impersonation. On the other, it’s often blamed for “breaking” legitimate business email.
The truth? More often than not, the problem isn’t DMARC. It’s how we respond when email from the supply chain doesn’t align.
The Easy Way Out: Adding Bypasses
When an important invoice, purchase order, or system notification is blocked because of DMARC, the reflex in many IT teams is to add a bypass. After all, business continuity matters. The sender insists the mail is “legitimate,” so why not?
Here’s the catch: bypasses introduce risk at scale. Once you start allowing mail that fails authentication, you’re effectively unravelling the very purpose of DMARC—keeping bad actors out of your users’ inboxes.
- Every bypass weakens your email security posture.
- Exceptions pile up and become hard to track or remove.
- Attackers who discover an “allow” path (a From domain, sender, or IP exempted from authentication checks) can spoof exactly that sender and inherit the exemption.
The Perception Problem
There’s a persistent narrative that “lots of organisations mess up their DMARC records” and that this causes widespread delivery issues. While misconfigurations do happen, context is everything:
- If a domain owner sets p=quarantine or p=reject, they’ve made a deliberate risk decision.
- From the outside, you can’t know if the “blocked” email was sanctioned or came from shadow IT—a platform sending on behalf of the organisation without security or data-privacy onboarding.
In other words, what looks like a false positive may actually be a false assumption.
The Shadow IT Grey Zone
This is the greyest of grey areas. That “legitimate” email may be:
- A SaaS tool bought on a corporate credit card.
- A system that never went through a security review.
- An integration no one in IT approved or onboarded.
In many cases, the sender’s own IT and security teams never authorised the source, and may not even know it exists. That also means the sender will hit the same DMARC “issues” with every recipient that enforces their policy, not just you.
Yes, Edge Cases Exist
Are there times when a sanctioned application has been genuinely missed during onboarding and the sender is enforcing DMARC? Of course. DMARC, like any control, isn’t immune to operational oversights.
But best practice is simple: report the issue to the sending organisation. Let their IT and security teams validate the source, correct SPF/DKIM/DMARC, and update their records accordingly—so the fix scales to all recipients, not just you.
Why This Matters
- Security: Bypasses open doors for spoofing and business email compromise (BEC).
- Consistency: Exceptions create inconsistent delivery and unpredictable support load.
- Scale: Fixing at the sender side benefits every recipient; a local bypass only helps you—and increases your risk.
DMARC is only as strong as the weakest exception.
What to Do Instead (Playbook)
- Hold the line: Don’t create allow-lists or bypasses for failed authentication.
- Notify the sender: Share the rejection or quarantine notice and a message sample with full headers, including the Authentication-Results line your gateway added (SPF result and envelope domain, DKIM result and signing domain).
- Ask for basics: Confirm the sender’s authorised platforms and whether IT/security sanctioned them. If their DMARC record carries a rua= address, their aggregate reports will already list the unaligned sending source.
- Verify fixes: Look for correct alignment: an SPF pass on the envelope sender (RFC5321.MailFrom, or the HELO identity when MAIL FROM is empty) whose domain aligns with the header From domain; a DKIM pass whose d= signing domain aligns with it; and a DMARC record published at _dmarc.<their domain> with the intended policy. One aligned pass is enough for DMARC to pass; with no aligned pass it fails, however many unaligned checks succeed.
- Close the loop: Test again and remove any temporary, time-boxed mitigations.
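To make the alignment rules concrete, here is an added example (not code from the original article) that does the “verify fixes” step and shows why a p=reject or p=quarantine policy turns a shadow-IT sender into a hard failure. It parses a published DMARC record, the From: header and the receiving gateway’s Authentication-Results: header, then applies DMARC identifier alignment (strict vs relaxed, per aspf/adkim) and reports the disposition the policy asks for. All domains, addresses, selectors and messages are constructed for the example; the organisational-domain logic is a deliberate simplification, since a real validator consults the Public Suffix List.

```python
"""DMARC alignment check over a message's headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, deliberately tiny stand-in for the Public Suffix List that a
# real validator would use to find the organisational domain.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def org_domain(domain: str) -> str:
    """Organisational domain, simplified: last two labels unless the
    domain ends in one of the listed two-label public suffixes."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc_record(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, applying DMARC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def parse_auth_results(header: str) -> list:
    """Split an Authentication-Results header into (method, result, props).
    The first ';'-separated field is the authserv-id and is skipped."""
    results = []
    for part in header.split(";")[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)$", part.strip(), re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return results


def aligned(from_domain: str, other: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) accepts
    any subdomain of the same organisational domain."""
    if not other:
        return False
    if mode == "s":
        return from_domain.lower() == other.lower()
    return org_domain(from_domain) == org_domain(other)


def evaluate(raw_message: str, dmarc_record: str) -> dict:
    """Apply the From-domain owner's DMARC record to one received message."""
    msg = message_from_string(raw_message)
    policy = parse_dmarc_record(dmarc_record)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_ok = dkim_ok = False
    for method, result, props in parse_auth_results(msg.get("Authentication-Results", "")):
        if result != "pass":
            continue  # only a pass can align; fail/none/temperror never count
        if method == "spf":
            # identity is RFC5321.MailFrom, or HELO when MAIL FROM was empty
            ident = props.get("smtp.mailfrom") or props.get("smtp.helo", "")
            spf_ok = spf_ok or aligned(from_domain, ident.rpartition("@")[2], policy["aspf"])
        elif method == "dkim":
            dkim_ok = dkim_ok or aligned(from_domain, props.get("header.d", ""), policy["adkim"])
    passed = spf_ok or dkim_ok
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}


# Constructed samples (not real traffic), as the receiving MTA sees them.
VENDOR_POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@vendor.example"
SAMPLE_HEADERS = "From: Accounts <billing@vendor.example>\nTo: ap@customer.example\n"
SANCTIONED = SAMPLE_HEADERS + ("Authentication-Results: mx.customer.example; spf=pass "
    "smtp.mailfrom=billing@vendor.example; dkim=pass header.d=vendor.example header.s=s1\n\nInvoice 1042\n")
SHADOW_IT = SAMPLE_HEADERS + ("Authentication-Results: mx.customer.example; spf=pass "
    "smtp.mailfrom=bounce@saas-tool.example; dkim=pass header.d=saas-tool.example header.s=k1\n\nInvoice 1043\n")
FIXED = SAMPLE_HEADERS + ("Authentication-Results: mx.customer.example; spf=pass "
    "smtp.mailfrom=bounce@em.vendor.example; dkim=pass header.d=vendor.example header.s=saas\n\nInvoice 1043\n")

if __name__ == "__main__":
    for name, raw in (("sanctioned", SANCTIONED), ("shadow IT", SHADOW_IT), ("after fix", FIXED)):
        print(f"{name:10} {evaluate(raw, VENDOR_POLICY)}")
    # Strict SPF alignment rejects the em. subdomain, but the aligned DKIM signature still carries the pass.
    print("strict     ", evaluate(FIXED, "v=DMARC1; p=quarantine; aspf=s; adkim=s"))
```

The shadow-IT sample is the case the article describes: SPF and DKIM both pass, because the SaaS tool authenticates as itself, yet neither identifier aligns with the vendor’s From domain, so under p=reject the message is rejected. The resend after onboarding passes on both counts, and the strict-mode run shows that a single aligned pass (here DKIM) is all DMARC needs.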
Helpful Language for Stakeholders
“We don’t add bypasses for failed DMARC. Please have your IT/security team confirm the sender is authorised and ensure SPF/DKIM align with your DMARC policy. Once corrected, delivery will work for all recipients, not just us.”
Final Thought
Instead of defaulting to bypasses, flip the script: treat failures as a supply-chain improvement opportunity. Push vendors and partners to properly onboard their sending systems. Recognise that DMARC isn’t the enemy—shadow IT is.
When you protect the integrity of your email channel, you’re not just defending your organisation—you’re raising the bar for everyone in your supply chain.