Question Bounce emails end up in spam – DMARC triggered on local deliveries?

[enerspace]

Server operating system version

Almalinux 8.10

Plesk version and microupdate number

18.0.69

Hi everyone,

I’ve encountered a strange behavior on one of my mail servers and I’m wondering if anyone else has experienced something similar – or if this might actually be a bug.

When I send an email from an existing account (e.g. [email protected]) to a non-existent mailbox on a third-party server, I should receive a bounce email from MAILER-DAEMON. However, this bounce message ends up in the spam folder.

My configuration:​

DMARC record (DNS): v=DMARC1; p=quarantine; adkim=s; aspf=s
/etc/psa/dmarc.conf: IgnoreMailFrom example.mydomain.com, ...

Header of the bounce message (before adjustment):​

Authentication-Results: example.mydomain.com; dmarc=fail (p=QUARANTINE sp=NONE) smtp.from= header.from=example.mydomain.com
Return-Path: <MAILER-DAEMON>
From: [email protected]
Subject: Undelivered Mail Returned to Sender

Here you can clearly see that DMARC is being applied even to locally generated messages – even though IgnoreMailFrom is configured. As a result, the bounce message is marked as suspicious and lands in the spam folder.

However, when I run the following command:​

plesk bin settings -s mail_dmarc_reject_at_smtp=false && plesk repair mail -y

…the behavior changes. DMARC checks appear to be skipped for locally delivered bounce emails, and the header looks like this

Header of the bounce message (after adjustment):​

X-Spam-Status: No, score=-0.0 required=7.0 ...
Return-Path: <MAILER-DAEMON>
From: [email protected]
Subject: Undelivered Mail Returned to Sender
...

Is it intended behavior for DMARC to also apply to system-internal messages like bounces? Or am I missing a setting here? The fact that IgnoreMailFrom seems to be ignored feels wrong to me.

Thanks!