Summary
DMARC significantly impacts email forwarding and deliverability. Forwarded emails commonly fail SPF and DKIM authentication checks, primarily because the forwarding server isn't authorized to send on behalf of the original domain or because the SPF domain isn't updated. This leads to deliverability issues, especially when strict DMARC policies ('reject' or 'quarantine') are in place. While DMARC is designed to prevent spoofing, these policies can inadvertently block legitimate forwarded emails. Experts and documentation recommend using less restrictive policies (like 'p=none'), employing authenticated mailing lists, considering ARC to preserve authentication results, and using subdomains for varied DMARC policies. Additionally, it's important to note that DMARC mainly protects against direct domain spoofing, not all forms of email fraud.
Key findings
- Forwarding Failures: Forwarded emails often fail SPF and DKIM checks due to unauthorized forwarding servers and unupdated SPF domains.
- Policy Impact: Strict DMARC policies ('reject', 'quarantine') can negatively affect deliverability of forwarded emails.
- Security vs. Deliverability: Balancing security against spoofing with ensuring deliverability of legitimate forwarded emails is crucial.
- Limited Protection: DMARC primarily protects against direct domain spoofing and is not a comprehensive solution for all email fraud.
- ARC Potential: ARC (Authenticated Received Chain) is an emerging technology that could improve DMARC's handling of forwarded emails.
Key considerations
- Policy Selection: Choose DMARC policies carefully, considering the potential impact on legitimate email forwarding.
- Subdomain Strategy: Use subdomains to implement different DMARC policies for various email types.
- ARC Adoption: Monitor the development and adoption of ARC to improve handling of forwarded emails.
- Alternative Methods: Employ authenticated mailing lists to help prevent DMARC failures.
- Holistic Security: Implement additional security measures to combat various forms of email fraud beyond direct domain spoofing.
What email marketers say
11 marketer opinions
DMARC significantly impacts email forwarding and deliverability, particularly when strict policies like 'reject' or 'quarantine' are implemented. Forwarded emails often fail SPF and DKIM checks because the forwarding server is not authorized to send on behalf of the original domain. This can lead to emails being rejected or marked as spam. While a 'reject' policy enhances security against spoofing, it can negatively affect deliverability in forwarding scenarios. It's crucial to balance security with deliverability, with some experts suggesting using a 'none' policy or implementing ARC to mitigate these issues.
Key opinions
- DMARC Impact: DMARC policies, especially 'p=reject,' can cause forwarded emails to fail authentication checks, leading to rejection by receiving mail servers.
- Authentication Failure: Forwarding alters email headers, invalidating SPF and DKIM signatures, causing authentication failure.
- Security vs. Deliverability: A 'reject' policy enhances security against spoofing but can negatively impact deliverability when forwarding is involved.
- Forwarding Servers: Forwarding servers are often not authorized to send emails on behalf of the original domain.
Key considerations
- DMARC Policy Selection: Carefully consider the DMARC policy ('none,' 'quarantine,' or 'reject') to balance security needs with the potential impact on legitimate email forwarding.
- ARC Implementation: Explore using Authenticated Received Chain (ARC) to preserve authentication results through forwarding and improve deliverability.
- SPF and DKIM Alignment: Ensure SPF and DKIM records are properly configured and aligned to minimize authentication failures.
- Monitoring and Reporting: Monitor DMARC reports to identify and address any deliverability issues related to email forwarding.
- Alternative solutions: Consider if a less strict policy of 'p=none' is enough to start with
Marketer view
Marketer from Email Geeks clarifies that Laura Atkins means to not have DMARC policies of quarantine or reject, just have p=none.
17 Nov 2023 - Email Geeks
Marketer view
Email marketer from EmailSecurityForum shares that implementing DMARC with a 'reject' policy can cause significant issues with email forwarding. Forwarded emails often fail SPF and DKIM checks, resulting in messages being rejected by receiving servers, impacting deliverability for forwarded messages.
12 Sep 2022 - EmailSecurityForum
What the experts say
6 expert opinions
DMARC significantly affects email forwarding. Forwarded emails often fail SPF checks, leading to deliverability issues, especially with 'reject' or 'quarantine' policies. This occurs because the SPF domain isn't always updated during forwarding. Experts recommend using less restrictive policies, like 'p=none,' for important emails and considering ARC to help validate authentication results during forwarding. DMARC primarily protects against direct domain spoofing and is ineffective against invoice fraud using third-party financial services.
Key opinions
- SPF Failures: Forwarded emails commonly fail SPF checks, triggering DMARC rejections.
- Policy Recommendations: Restrictive DMARC policies ('reject,' 'quarantine') should be avoided for emails where forwarding is crucial.
- Limited Scope of DMARC: DMARC mainly defends against direct domain spoofing, not all forms of email fraud.
- Potential of ARC: ARC is an emerging technology that may improve DMARC's compatibility with email forwarding.
Key considerations
- DMARC Policy Selection: Choose DMARC policies carefully, considering the impact on legitimate forwarding.
- Subdomain Usage: Use subdomains for different email types to apply varying DMARC policies as needed.
- ARC Adoption: Monitor and prepare for the wider adoption of ARC to improve deliverability of forwarded emails.
- Invoice Fraud Protection: Implement additional security measures to prevent invoice fraud, as DMARC alone is insufficient.
Expert view
Expert from Email Geeks clarifies that p=reject only works for direct domain spoofing and won't stop invoice fraud if financial services use their own domains.
5 Jun 2021 - Email Geeks
Expert view
Expert from Spam Resource explains that DMARC can cause problems with forwarding because forwarded mail often fails SPF checks, particularly if the forwarder doesn't rewrite the envelope sender. This leads to DMARC rejections if the DMARC policy is set to 'reject' or 'quarantine'.
27 Mar 2022 - Spam Resource
What the documentation says
5 technical articles
DMARC, designed to prevent email spoofing, significantly impacts email forwarding by causing authentication failures when SPF and DKIM records no longer align due to forwarding. This leads to legitimate emails being flagged as spam or rejected, especially with strict DMARC policies. Documentation recommends using authenticated mailing lists, trusted forwarders, and implementing ARC to preserve authentication results and mitigate deliverability issues.
Key findings
- Authentication Breakage: Forwarding breaks SPF and DKIM authentication, leading to DMARC failures.
- Spoofing Prevention: DMARC is primarily designed to prevent email spoofing and unauthorized use.
- Deliverability Problems: DMARC can cause legitimate, forwarded emails to be rejected or flagged as spam.
Key considerations
- ARC Implementation: Implement ARC to preserve authentication results during forwarding.
- Trusted Forwarders: Use trusted forwarders to maintain email integrity.
- Authenticated Mailing Lists: Utilize authenticated mailing lists to prevent authentication breaks.
- Policy Implications: Understand the implications of strict DMARC policies on forwarding scenarios.
Technical article
Documentation from Valimail shares that DMARC impacts email forwarding by causing authentication failures when SPF and DKIM records no longer align with the forwarding server. This results in deliverability problems because forwarded emails may be rejected based on DMARC policy.
26 Dec 2022 - Valimail
Technical article
Documentation from Google explains that DMARC can cause legitimate emails, including forwarded messages, to be rejected if the forwarding process breaks SPF or DKIM authentication. They recommend solutions like using authenticated mailing lists or ARC to preserve authentication results.
29 Jun 2021 - Google
How do email forwarding and DMARC policies affect email delivery and reporting?
Can DMARC reports be sent without RUA or RUF addresses?
How does ARC impact email deliverability for DMARC-enforced domains, and what are the best practices for marketers?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do Google Groups impact DMARC when forwarding emails from multiple domains?
How can DMARC reports be enriched with user-level data for better domain enforcement?
