How Does Email Forwarding Break DMARC?

DMARC is the only email authentication protocol that gives you both enforcement and visibility, says Brad Slavin, CEO of DuoCircle. SPF and DKIM authenticate silently — DMARC tells you what happened and lets you control the outcome. That combination of reporting and policy is why DMARC adoption is accelerating.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report

How Does Email Forwarding Break DMARC?

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-11844">
						<source src="/images/wp/2024/03/How-Does-Email-Forwarding-Break-DMARC.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M48S">1:48</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-11844" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-11844" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-11844" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-11844" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/how-does-email-forwarding-break-dmarc/&t=How Does Email Forwarding Break DMARC?" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/how-does-email-forwarding-break-dmarc/&url=How Does Email Forwarding Break DMARC?" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="/images/wp/2024/03/How-Does-Email-Forwarding-Break-DMARC.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/how-does-email-forwarding-break-dmarc/" class="input-link input-link-11844" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-11844" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="5NOVZaUA3B"><a href="https://dmarcreport.com/blog/podcast/how-does-email-forwarding-break-dmarc/">How Does Email Forwarding Break DMARC?</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/how-does-email-forwarding-break-dmarc/embed/#?secret=5NOVZaUA3B" width="500" height="350" title=""How Does Email Forwarding Break DMARC?" — DMARC Report" data-secret="5NOVZaUA3B" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-11844” readonly/>

					<button class="copy-embed copy-embed-11844" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

Emails are forwarded more often than we realize, and while **DKIM isn’t affected by email forwarding, SPF and DMARC may break. For SPF, you create a list of senders officially authorized to send emails on your behalf. When an email is forwarded, the initial recipient becomes the sender; so, if the initial recipient’s IP address isn’t part of the sending domain’s SPF record, SPF will break. This happens because the Return-Path header and From domains aren’t the same.

Email forwarding and integration of third-party vendor security services’ outbound SMTP servers adversely impact **DMARC authentication in several ways.

Email Forwarding and DMARC

The email security services of vendors act as intermediary SMTP servers and examine emails for spam, phishing, ransomware, spyware, etc., while also archiving, encrypting, or modifying messages for security purposes. Outbound SMTP servers send or resend emails after processing. When a message is forwarded through services like this, its SPF alignment is highly likely to fail. This may happen as the service is used by an intermediary like a mailing list or the recipient’s domain, as the **outbound SMTP server isn’t a part of the sender’s SPF record.

This whole exercise breaks DMARC as the protocol requires either **SPF or DKIM checks to pass with proper alignment.

What Can Senders Do?

It’s suggested to set your DMARC records on either a ‘quarantine’ or ‘reject’ policy for security purposes; however, on forwarding, they may affect genuine conversations by landing them in spam folders or rejecting them due to improper alignment.

While there is no **ideal solution for this problem, you can still work on it. DMARC requires either SPF or DKIM to pass, not both. So, you need to deploy both of these protocols in order to stop email forwarding from breaking DMARC.

Another way is policy overriding by **mailbox providers like Gmail and Outlook.

Imagine you enforce a strict policy of rejecting emails that fail DMARC authentication, which occurs when both DKIM and SPF validations fail. However, if the recipient possesses additional verification mechanisms that confirm the authenticity of the message, they may choose to disregard your DMARC policy and accept the email, regardless of DMARC alignment.

Put simply, if the email service provider recognizes that an email has been forwarded, they might opt to **bypass your DMARC regulations and deliver your emails regardless.

You may think that we can resolve this issue by implying p=none or the ‘none’ policy, but that isn’t suggested. A DMARC record with **p=none is equivalent to having no DMARC in place. It’s a monitoring policy that doesn’t offer protection from phishing and spoofing.

You can also fix this issue by using .arc or the Authenticated Received Chain protocol, which lets intermediaries sign messages and **saves authentication results when SPF and DKIM fail.

We emphasize communicating with third-party service providers about how they should manage forwarded emails and if there’s a way to minimize DMARC failures.

It’s all the more important now to grasp how email forwarding and third-party security services influence DMARC to ensure both email deliverability and security are maintained effectively. So, if you are still struggling with this, feel free to reach out to us for assistance.