Question DMARC p=reject not rejecting spoofed inbound mail (MAILER-DAEMON sender)

[enduser]

Server operating system version

AlmaLinux 9.4

Plesk version and microupdate number

18.0.74

Hi,

I would like to confirm whether the following behavior is expected in Plesk.

Environment:

• Plesk version: 18.0.74
• Plesk mail server (Postfix)
• “Enable DMARC to check incoming mail” is enabled
• Domain abc.com has DMARC: "v=DMARC1; p=reject;"

We received the following spoofed inbound email, which was accepted and delivered, even though SPF and DKIM both fail and DMARC policy is p=reject:

Return-Path: <MAILER-DAEMON>
Delivered-To: peter@abc.com
Received: from [10.88.0.3] (70.143.139.34.bc.googleusercontent.com [34.139.143.70])
    by mail.abc.com (Postfix) with ESMTP id 295D24054E
    for <peter@abc.com>; Sun, 21 Dec 2025 04:09:05 +0800 (HKT)
Authentication-Results: abc.com;
        spf=none (sender IP is 34.139.143.70) smtp.mailfrom= smtp.helo=[10.88.0.3]
Received-SPF: none (abc.com: no valid SPF record)
Content-Type: multipart/related; boundary="===============7775878507290848036=="
MIME-Version: 1.0
From: "abc ." <no-reply@abc.com>
To: peter@abc.com
Subject: =?UTF-8?B?56uL5Y2z5pu05paw5q2k55S15a2Q6YKu5Lu25biQ5oi3Lg==?=

Observations:

• SPF = none
• No DKIM signature
• Header From domain = abc.com
• DMARC policy = p=reject
• Message still delivered

It appears DMARC was not enforced for this message (no dmarc=fail / reject), possibly because the envelope sender is MAILER-DAEMON (null sender).

Questions:

1. Is this behavior expected by design in Plesk?
2. Does Plesk intentionally bypass DMARC enforcement for inbound mail with null sender / MAILER-DAEMON?