How Does Email Forwarding Break DMARC?
Emails are forwarded more often than we realize, and while DKIM isn’t affected by email forwarding, SPF and DMARC may break. For SPF, you create a list of senders officially authorized to send emails on your behalf. When an email is forwarded, the initial recipient becomes the sender; so, if the initial recipient’s IP address isn’t part of the sending domain’s SPF record, SPF will break. This happens because the Return-Path header and From domains aren’t the same.
Email forwarding and integration of third-party vendor security services’ outbound SMTP servers adversely impact DMARC authentication in several ways.
Email Forwarding and DMARC
The email security services of vendors act as intermediary SMTP servers and examine emails for spam, phishing, ransomware, spyware, etc., while also archiving, encrypting, or modifying messages for security purposes.
Outbound SMTP servers send or resend emails after processing. When a message is forwarded through services like this, its SPF alignment is highly likely to fail. This may happen as the service is used by an intermediary like a mailing list or the recipient’s domain, as the outbound SMTP server isn’t a part of the sender’s SPF record.
This whole exercise breaks DMARC as the protocol requires either SPF or DKIM checks to pass with proper alignment.
What Can Senders Do?
It’s suggested to set your DMARC records on either a ‘quarantine’ or ‘reject’ policy for security purposes; however, on forwarding, they may affect genuine conversations by landing them in spam folders or rejecting them due to improper alignment.
While there is no ideal solution for this problem, you can still work on it. DMARC requires either SPF or DKIM to pass, not both. So, you need to deploy both of these protocols in order to stop email forwarding from breaking DMARC.
Another way is policy overriding by mailbox providers like Gmail and Outlook.
Imagine you enforce a strict policy of rejecting emails that fail DMARC authentication, which occurs when both DKIM and SPF validations fail. However, if the recipient possesses additional verification mechanisms that confirm the authenticity of the message, they may choose to disregard your DMARC policy and accept the email, regardless of DMARC alignment.
Put simply, if the email service provider recognizes that an email has been forwarded, they might opt to bypass your DMARC regulations and deliver your emails regardless.
Image sourced from getdevdone.com
You may think that we can resolve this issue by implying p=none or the ‘none’ policy, but that isn’t suggested. A DMARC record with p=none is equivalent to having no DMARC in place. It’s a monitoring policy that doesn’t offer protection from phishing and spoofing.
You can also fix this issue by using .arc or the Authenticated Received Chain protocol, which lets intermediaries sign messages and saves authentication results when SPF and DKIM fail.
We emphasize communicating with third-party service providers about how they should manage forwarded emails and if there’s a way to minimize DMARC failures.
It’s all the more important now to grasp how email forwarding and third-party security services influence DMARC to ensure both email deliverability and security are maintained effectively. So, if you are still struggling with this, feel free to reach out to us for assistance.
