Based on an old forum thread I found I gather that the DMARC check does not take into account if the last hop is from an Incoming Gateway and so it is possible that when using an Incoming Gateway the DMARC check will result in a fail. There is very little logging so I am not really able to conclusively prove or disprove this.

 

In the same forum thread it was recommended to add the gateway as a "Bypass Gateway" in the AntiSpam settings, but this causes DMARC to be completely bypassed for all mail from such IPs. This is obvously not optimal because one should not have to forgo the DMARC check just because of their internal network structure.

 

I believe the optimal solution would be for Incoming Gateway to be considered by the DMARC check by looking at each Received header until the first one that is not an Incoming Gateway is found and applying the DMARC check (and all other IP-based spam filters) to that IP. If it does not already work this way then I would call this a pretty serious bug.

 

As it stands it is very poorly documented what the difference is between Incoming Gateway (Backup MX), Incoming Gateway (Domain Forward) and Bypass Gateway with respect to spam filtering, DMARC, greylisting, etc...