What is DMARC BestGuessPass in Office 365?


If you’re a customer of Office 365, you know that you’ve been protected by DMARC for the past several months. But you may have a question if you look at the email headers. What is this dmarc=bestguesspass that is sometimes seen in the Authentication-Results headers?

Maybe something like this:

From: Joe User <joe@contoso.com>
Authentication-Results: spf=pass (sender IP is 1.2.3.4)  
  smtp.mailfrom=example.com; dkim=pass (signature was verified)
  header.d=example.com; dmarc=bestguesspass action=none 
  header.from=example.com;

What is this and what does it mean? The DMARC best guess pass is unique to Exchange Online Protection. It means that the domain in the From: address does not have a DMARC record but it would have passed DMARC if it did. This is only for the case where it would have passed DMARC, there is nothing for the negative case where it would have failed.

In this case, example.com passed SPF and DKIM and has no DMARC record, but you can see that the From: domain contoso.com aligns with both the SPF and DKIM verified domains (it only needs to align with one of those, just like regular DMARC).

It doesn’t mean that example.com is a good sender or a bad sender, it just means that what shows up in the From: address in your mail client aligns with the domain that was verified. I like to think of it as “This domain is doing the right things. When does it plan to set up DMARC for real?”

It can be useful for creating Transport rules to allow email from a domain. Rather than allowing a sender of example.com, you might create a Transport rule that looks for the Authentication-Results header with the text dmarc=bestguesspass action=none header.from=example.com. In this way, you know you are always trusting the domain rather than a spoofed domain. You can also create a rule that looks for just the normal DMARC result dmarc=pass action=none header.from=example.com.

Not every domain publishes DMARC records. For the ones that don’t but would align with a domain that authenticates, this result will let you know.


Related links:

Comments (2)

  1. DKIM says:

    Mr. Zink – do you have an update on when outbound DKIM signing is due to be released onto Office 365?

    I've seen it on the roadmap but wanted a broad indication of when it's expected to be released, e.g. Q3/Q4 2015 or 2016.

  2. tzink says:

    @DKIM: As you say, it's on our roadmap. We don't have a solid release date but it is more likely to be in Q3 or Q4 of 2015.

Skip to main content