• The APS Catalog has been deprecated and removed from all Plesk Obsidian versions.
    Applications already installed from the APS Catalog will continue working. However, Plesk will no longer provide support for APS applications.
  • Please be aware: with the Plesk Obsidian 18.0.78 release, the support for the ngx_pagespeed.so module will be deprecated and removed from the sw-nginx package.

Question DMARC p=reject not rejecting spoofed inbound mail (MAILER-DAEMON sender)

E

enduser

Basic Pleskian
Server operating system version
AlmaLinux 9.4
Plesk version and microupdate number
18.0.74
Hi,

I would like to confirm whether the following behavior is expected in Plesk.

Environment:
  • Plesk version: 18.0.74
  • Plesk mail server (Postfix)
  • “Enable DMARC to check incoming mail” is enabled
  • Domain abc.com has DMARC: "v=DMARC1; p=reject;"
We received the following spoofed inbound email, which was accepted and delivered, even though SPF and DKIM both fail and DMARC policy is p=reject:

Code: 
Return-Path: <MAILER-DAEMON>
Delivered-To: [email protected]
Received: from [10.88.0.3] (70.143.139.34.bc.googleusercontent.com [34.139.143.70])
    by mail.abc.com (Postfix) with ESMTP id 295D24054E
    for <[email protected]>; Sun, 21 Dec 2025 04:09:05 +0800 (HKT)
Authentication-Results: abc.com;
        spf=none (sender IP is 34.139.143.70) smtp.mailfrom= smtp.helo=[10.88.0.3]
Received-SPF: none (abc.com: no valid SPF record)
Content-Type: multipart/related; boundary="===============7775878507290848036=="
MIME-Version: 1.0
From: "abc ." <[email protected]>
To: [email protected]
Subject: =?UTF-8?B?56uL5Y2z5pu05paw5q2k55S15a2Q6YKu5Lu25biQ5oi3Lg==?=

Observations:
  • SPF = none
  • No DKIM signature
  • Header From domain = abc.com
  • DMARC policy = p=reject
  • Message still delivered
It appears DMARC was not enforced for this message (no dmarc=fail / reject), possibly because the envelope sender is MAILER-DAEMON (null sender).

Questions:
  1. Is this behavior expected by design in Plesk?
  2. Does Plesk intentionally bypass DMARC enforcement for inbound mail with null sender / MAILER-DAEMON?
 
Please see -

Tools & Settings > Mail Server Settings

You should find the options such as "Enable SPF spam protection to check incoming mail"
 
@WebHostingAce

Thank you for your reply.

The SPF check for incoming mail is already enabled on this server.
The issue I reported is not about SPF being disabled, but about DMARC enforcement behavior.

To clarify again:
  • "Enable DMARC to check incoming mail" is enabled
  • Domain abc.com has DMARC policy: p=reject
  • Inbound message:
    • Header From domain: abc.com
    • SPF: none
    • DKIM: none
    • DMARC alignment: fail
  • Message was still accepted and delivered
Based on RFC 7489, DMARC evaluation is based on the Header From domain, not the envelope sender.
Even if the envelope sender is null / MAILER-DAEMON, DMARC should still be evaluated and the p=reject policy enforced when both SPF and DKIM fail alignment.

My questions remain unanswered:
  1. Is this behavior expected by design in Plesk?
  2. Does Plesk intentionally bypass DMARC enforcement for inbound messages with a null sender / MAILER-DAEMON?
  3. If so, is this documented behavior?
  4. If not, is this a known bug or limitation in the Plesk mail stack (Postfix + DMARC implementation)?
Please note that advising to enable SPF checking does not address this DMARC enforcement concern.
 
You must log in or register to reply here.

Similar threads

E
Issue DMARC p=reject causes locally generated DSNs (MAILER-DAEMON) to be silently discarded
Replies
2
Views
1K
enduser
E
nethubonline
Forwarded to devs Possible DMARC Bypass - Spoofed MAILER-DAEMON Return-Path Not Rejected
Replies
10
Views
2K
Sebahat.hadzhi
Sebahat.hadzhi
nisamudeen97
Question Unable to handle email bounce back of spoof email with sender and receiver the same
Replies
0
Views
2K
nisamudeen97
nisamudeen97
TorbHo
Resolved Lots of DKIM/DMARC errors - mails are rejected
Replies
5
Views
3K
TorbHo
TorbHo
enerspace
Question Bounce emails end up in spam – DMARC triggered on local deliveries?
Replies
0
Views
2K
enerspace
enerspace
Back
Top