Does DKIM break for forwarded emails and mailing lists?

Email authentication isn’t just about preventing spoofing — it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding — which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail. DMARC Report

Does DKIM break for forwarded emails and mailing lists?

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-14341">
						<source src="/images/wp/2024/07/Does-DKIM-Break-For-Forwarded-Emails-And-Mailing-Lists.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M1S">2:01</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-14341" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-14341" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-14341" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-14341" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/does-dkim-break-for-forwarded-emails-and-mailing-lists/&t=Does DKIM break for forwarded emails and mailing lists?" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/does-dkim-break-for-forwarded-emails-and-mailing-lists/&url=Does DKIM break for forwarded emails and mailing lists?" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="/images/wp/2024/07/Does-DKIM-Break-For-Forwarded-Emails-And-Mailing-Lists.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/does-dkim-break-for-forwarded-emails-and-mailing-lists/" class="input-link input-link-14341" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-14341" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="xVFHZ5B2iK"><a href="https://dmarcreport.com/blog/podcast/does-dkim-break-for-forwarded-emails-and-mailing-lists/">Does DKIM break for forwarded emails and mailing lists?</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/does-dkim-break-for-forwarded-emails-and-mailing-lists/embed/#?secret=xVFHZ5B2iK" width="500" height="350" title=""Does DKIM break for forwarded emails and mailing lists?" — DMARC Report" data-secret="xVFHZ5B2iK" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-14341” readonly/>

					<button class="copy-embed copy-embed-14341" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

As you know, DKIM catches alterations made to emails during their time in transit. It performs authentication checks by attaching a digital signature to the header of each email that goes from your domain. Upon reception, the receiving server verifies the **sender’s legitimacy using the public key published in the sending domain’s DNS .

However, when someone forwards your emails, or you send them using mailing lists, DKIM breaks. So, let’s see why it happens and if there is a way for you to mitigate it.

How does DKIM work?

There are two major steps in DKIM’s process-

Signing

When someone sends an email from your DKIM-compliant domain , your server generates a DKIM signature using the private key. The signature is attached to the header of the outgoing email**.

Verification

The receiving **mail server retrieves the public key from the sender’s DNS record and uses it to verify the DKIM signature. If the signature matches, DKIM passes, and the recipient’s mailbox considers the message as legitimate.

DKIM and forwarded emails

When an email is forwarded, it typically passes through an intermediary server. Here are the primary ways forwarding can impact DKIM:

Header modifications

Forwarding services may **add or modify email headers. Since DKIM signs the email headers, any changes can invalidate the DKIM signature.

Body modifications

Some **forwarding services modify the body of the email (e.g., adding footers). If the body hash changes, the DKIM signature will no longer match.

Re-signing

Some forwarders may re-sign the email with their own DKIM signature, which can help, but the original signature will still appear broken unless the **intermediary’s changes are carefully managed.

DKIM and mailing lists

The following challenges occur when you send emails to members of a mailing list:

Header and body changes

Mailing lists tend to add list-specific headers (for example, list ID) and footers (for example, an unsubscribe button). T_his modifies both headers and body content, creating problems in the validation process_.

Signature address changes

Some mailing lists make changes to the **sender’s address and replace it with the list’s address. This can cause issues with DKIM if the new address doesn’t align with the domain used for the DKIM signature.

Re-signing by the mailing list

Some mailing lists may re-sign the email with their own DKIM signature. This helps ensure the **email’s integrity from the mailing list to the recipient but does not preserve the original sender’s DKIM signature.

Why DKIM breaks

As explained above, the headers and body content of **emails undergo alterations when they are forwarded or passed through mailing lists. DKIM’s primary purpose is to verify whether email content was altered in transit. If it detects any differences between the email sent originally and the version received by the recipient, the DKIM check fails.

This is exactly what happens when emails are forwarded or passed through mailing lists, causing DKIM to break. In short, modifications can invalidate the DKIM signature, **leading to verification failures.

Mitigation strategies

You can prevent DKIM from breaking by employing these three strategies-

ARC (Authenticated Received Chain)

Authenticated Received Chain allows each intermediary to add their own **authentication results and DKIM signatures, preserving the chain of trust.

Re-signing by Intermediaries

Forwarding services and mailing lists can re-sign emails with their own DKIM keys, ensuring the email remains authenticated, though this does not preserve the original signature.

Use of DMARC

DMARC can specify policies for handling DKIM and SPF failures, allowing **domain owners to specify actions like quarantine or rejecting unauthenticated emails, reducing the impact of broken DKIM signatures.

A useful element of DMARC is its reporting feature, which enables you to **monitor your email activities and detect illegitimate emails. Contact us to outsource your DMARC reporting and monitoring headache.