
How should I roll out DMARC enforcement while considering forwarded emails and DKIM issues?

Michael Ko
Co-founder & CEO, Suped
Published 11 Aug 2025
Updated 16 Aug 2025
8 min read
Rolling out DMARC enforcement is a critical step in protecting your domain from spoofing and phishing attacks. It is not, however, a set-it-and-forget-it process. Many organizations run into problems, particularly with email forwarding and with DKIM. Reaching full enforcement, especially a reject policy, requires careful planning and a phased approach so that legitimate email is not blocked.
DMARC builds on two foundational authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). For an email to pass DMARC, at least one of them must pass and align with the 'From' domain visible to the recipient. This alignment requirement is where complications most often arise, especially with varied email setups and forwarding services. A common challenge is making sure that your email service providers and any third-party senders are configured correctly.
The goal is to move from a monitoring-only policy (p=none) to an enforcing one (p=quarantine or p=reject). This transition needs to be gradual. Skipping steps can lead to significant email deliverability issues, where perfectly legitimate emails are mistakenly flagged as fraudulent and sent to spam folders, or even outright rejected. Understanding these potential pitfalls is key to a smooth DMARC implementation and maintaining your sender reputation.

Understanding DMARC fundamentals and alignment

DMARC works by establishing a policy that tells receiving mail servers how to handle emails that claim to be from your domain but fail SPF or DKIM authentication. This policy is published as a DNS TXT record for your domain. For DMARC to pass, either SPF or DKIM must pass and also align with the domain in the RFC5322.From header (the visible 'From' address). If both fail or do not align, the DMARC policy comes into play. You can learn more about these fundamentals in this simple guide to DMARC, SPF, and DKIM.

| Policy | Description | Impact on deliverability |
|---|---|---|
| p=none | Monitoring mode. No enforcement. Receive DMARC reports to identify legitimate and fraudulent sources. | No direct impact on email deliverability, but does not prevent spoofing. |
| p=quarantine | Receiving servers are instructed to place unauthenticated emails into the recipient's spam or junk folder. | Significantly reduces spoofing impact by quarantining suspicious emails, but some legitimate emails might be affected. |
| p=reject | Receiving servers are instructed to outright reject (bounce) unauthenticated emails. This is the strongest policy. | Eliminates spoofed emails from reaching inboxes but carries the highest risk of blocking legitimate mail if misconfigured. |
A crucial aspect of DMARC is the domain alignment requirement. SPF alignment occurs when the domain in the Return-Path header (also known as the MailFrom or Envelope-From) matches the domain in the From header. DKIM alignment requires the domain in the 'd=' tag of the DKIM signature to match the From header domain. If an email is forwarded, the Return-Path can change, breaking SPF alignment. DKIM can also break if the email content is modified during forwarding. These breakages are why email forwarding can break DMARC, leading to legitimate messages failing authentication.

The phased DMARC rollout strategy

The safest way to roll out DMARC enforcement is through a carefully managed, phased approach. Starting with a p=none policy allows you to gather DMARC reports without impacting your email flow. These reports provide invaluable insight into all sources sending email on behalf of your domain, including legitimate third-party services and potential spoofing attempts. During this phase, you identify all sending sources and work to ensure they are properly authenticated with SPF and DKIM.

Phased DMARC deployment

Moving directly to a p=reject policy can severely disrupt your email deliverability if not all legitimate sending sources are properly authenticated. It is highly recommended to transition through p=quarantine first, or use the pct= tag to gradually increase enforcement. This allows you to monitor the impact and address any unforeseen issues before full enforcement.
After a thorough monitoring period with p=none, you can gradually increase the enforcement level. The next step is usually p=quarantine, which instructs recipient servers to move emails failing DMARC to the spam folder. This allows you to catch any remaining legitimate emails that are not yet DMARC compliant without outright rejecting them. Only once you are confident that all legitimate traffic passes DMARC consistently should you consider moving to a p=reject policy. This phased rollout helps you mitigate risks and ensures that your email deliverability remains high throughout the process.
You can also use the `pct=` tag in your DMARC record to roll out enforcement gradually, starting with a small percentage of your mail stream. For example, `p=quarantine; pct=10;` would only quarantine 10% of failing emails, allowing you to observe the impact before increasing the percentage. This method is particularly useful for organizations with complex email infrastructures or those sending a very high volume of emails. This DMARC rollout best practice helps in catching issues when only a small portion of mail is affected.

Handling email forwarding and DKIM challenges

Email forwarding is a notorious challenge for DMARC enforcement. When an email is forwarded, especially automatically, its SPF authentication often breaks because the Return-Path (envelope sender) changes to the forwarding server's domain. If the message content is also altered, DKIM authentication can also break. This means even legitimate forwarded emails might fail DMARC checks at the final destination, potentially leading to them being blocked or quarantined under an enforcing policy. This is a common concern for organizations. Fortunately, there are ways to handle DMARC failures when email is forwarded.

Common DKIM issues

  1. Generic signing domain: Emails sent via third-party providers sometimes use a generic DKIM signing domain (e.g., gappssmtp.com for Google Workspace) instead of your own domain, breaking DKIM alignment.
  2. Content modification: Changes to the email body or headers during transit can invalidate the DKIM signature.
  3. Missing or incorrect records: DKIM records (TXT records) may be missing or incorrectly published in your DNS.

Solutions for DKIM

  1. Custom DKIM signing: Configure your email service providers (ESPs) to use your domain for DKIM signing. For Google Workspace, enable a custom DKIM key.
  2. ARC protocol: ARC (Authenticated Received Chain) preserves authentication results across forwarding hops. It is implemented by forwarding intermediaries and receiving mailbox providers rather than by the original sender, and major mailbox providers support it. This mitigates DMARC failures for forwarded email when both the forwarder and the final receiver support ARC. To learn more, read our guide on how to implement ARC.
  3. Verify DKIM records: Regularly check your DKIM DNS records for correctness and proper publication.
Example DMARC record with percentage enforcement (DNS TXT record):

```
v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc_reports@yourdomain.com;
```
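As an added example (not the article's own code), the following Python evaluates a message against the record above the way a receiver would: it checks SPF and DKIM identifier alignment in relaxed or strict mode, then applies the pct= sampling fallback to the published policy. The domains forwarder.example and esp.example, the AuthResult shape and the sample_bucket draw are assumptions made for the illustration.

```python
"""Evaluate one message against a published DMARC record: identifier alignment
(relaxed or strict), then the pct= sampling that decides which policy applies."""
from dataclasses import dataclass

# The record shown in the article; aspf/adkim default to relaxed ("r") when absent.
RECORD = "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc_reports@yourdomain.com;"

@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain shown to the recipient
    spf_result: str    # SPF verdict for the Return-Path domain
    spf_domain: str    # Return-Path (envelope-from) domain SPF was checked against
    dkim_result: str   # verification verdict of the DKIM signature
    dkim_domain: str   # d= tag of that signature

def parse_dmarc(txt):
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":                                   # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed

def dmarc_disposition(record, msg, sample_bucket):
    """Return (dmarc_result, applied_policy). sample_bucket is the receiver's
    random draw in 0..99 that is compared against the pct= tag."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if sample_bucket >= int(tags.get("pct", "100")):
        # Outside the sampled share: RFC 7489 says to apply the next less strict policy.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy

# Constructed scenarios with hypothetical domains forwarder.example and esp.example.
forwarded = AuthResult("yourdomain.com", "pass", "forwarder.example", "pass", "yourdomain.com")  # SPF misaligned, DKIM intact -> pass
modified = AuthResult("yourdomain.com", "pass", "forwarder.example", "fail", "yourdomain.com")   # content altered, DKIM broken -> fail
generic = AuthResult("yourdomain.com", "pass", "bounce.esp.example", "pass", "gappssmtp.com")   # DKIM verifies but is not aligned -> fail
```

With pct=20, only a fifth of failing messages are quarantined and the rest fall back to p=none, which is what makes the percentage ramp safe to observe in reports.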
While you cannot control how recipient servers handle forwarded emails, implementing DMARC still provides significant protection against direct domain spoofing. It is about balancing security with deliverability. If you have a legitimate forwarding source that consistently fails DMARC, you might need to adjust your approach or accept that those specific forwarded emails might not always reach the inbox under a strict enforcement policy. Regularly checking your DMARC reports from Google and Yahoo is essential for understanding your email ecosystem. Remember that even with DMARC enforced, receivers apply other filters as well, so DMARC is not the only factor deciding whether a spoofed message reaches the inbox.

Continuous monitoring and troubleshooting

The DMARC deployment process doesn't end once you've moved to p=quarantine or p=reject. Continuous monitoring of your DMARC reports is crucial for maintaining email security and deliverability. These reports will highlight any new sending sources, changes in authentication failures, or ongoing issues with forwarded emails. Regularly analyzing them allows you to identify and troubleshoot issues proactively, preventing them from escalating into major deliverability problems. Effective monitoring is key to troubleshooting DMARC failures.
  1. Unexpected sources: If you notice email sources in your DMARC reports that you don't recognize, investigate them. They could be legitimate third-party services you forgot about, or indicators of malicious spoofing. Contacting the source if it seems legitimate can help clarify.
  2. DKIM alignment failures: Persistent DKIM failures for a known sender usually point to misconfiguration on your end or with your ESP. Confirm that the DKIM record is correctly set up for your domain and that the service is signing with your domain.
  3. Forwarded email anomalies: While some DMARC failures for forwarded emails are expected, a sudden surge or consistent failures from a particular recipient domain might indicate specific issues worth investigating, especially if it leads to legitimate mail being blocklisted (or blacklisted).
Leveraging DMARC aggregate reports (RUA) is the cornerstone of this ongoing monitoring. These XML reports, sent to the email address specified in your DMARC record, provide a comprehensive overview of all email traffic claiming to be from your domain. They detail which emails passed or failed DMARC, why they failed (SPF, DKIM, or both), and from which sending sources. This data is essential for identifying key considerations and challenges during implementation and beyond.
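The following Python is an added example, not Suped's code: it parses a constructed aggregate report in the RFC 7489 XML layout (trimmed to the elements it reads) and, per source IP, separates passes from the three failure shapes discussed above: SPF broken by forwarding, DKIM broken by modification, and a third party signing with a generic domain. The IP addresses and domains in the sample are made up.

```python
"""Summarise a DMARC aggregate (RUA) report: per source, how many messages
passed, and for failures whether SPF, DKIM or both were the cause."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_RUA = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>quarantine</p><pct>20</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
  <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>9</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
  <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>gappssmtp.com</domain><result>pass</result></dkim>
  <spf><domain>esp.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def classify(rec):
    """Name the outcome from the aligned results in policy_evaluated and the raw auth_results."""
    pe = rec.find("row/policy_evaluated")
    dkim_ok, spf_ok = pe.findtext("dkim") == "pass", pe.findtext("spf") == "pass"
    if dkim_ok and spf_ok:
        return "pass"
    if dkim_ok:
        return "pass (SPF misaligned: likely forwarding or third-party envelope)"
    if spf_ok:
        return "pass (DKIM failed: unsigned or modified in transit)"
    raw = rec.find("auth_results/dkim")
    if raw is not None and raw.findtext("result") == "pass":
        return f"fail: DKIM signed by {raw.findtext('domain')} (generic signing domain, not aligned)"
    return "fail: neither SPF nor DKIM aligned (unknown source or modified forward)"

def summarise(xml_text):
    """Map each source IP to {outcome: message count}."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: defaultdict(int))
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        summary[ip][classify(rec)] += int(rec.findtext("row/count"))
    return {ip: dict(v) for ip, v in summary.items()}

if __name__ == "__main__":
    for ip, outcomes in summarise(SAMPLE_RUA).items():
        print(ip, outcomes)
```

Real reports arrive zipped or gzipped as mail attachments and carry many records per receiver, so the same summarise() call is typically run over every attachment collected for the day.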

Views from the trenches

Best practices
  1. Always begin your DMARC journey with a `p=none` policy to understand your email ecosystem without disrupting deliverability.
  2. Ensure all legitimate email sending sources are properly configured with both SPF and DKIM for your domain.
  3. Utilize the `pct=` tag to incrementally increase DMARC enforcement, moving from 1% to 5% to 10% and so on.
Common pitfalls
  1. Jumping straight to `p=reject` can block legitimate emails, especially those forwarded or from misconfigured services.
  2. Ignoring DMARC reports means you miss critical insights into email spoofing and deliverability issues.
  3. Overlooking DKIM alignment issues, particularly with third-party senders, leads to widespread DMARC failures.
Expert tips
  1. Prioritize fixing all DKIM issues before moving to a strict DMARC enforcement policy, as DKIM failures are a major factor in DMARC failures.
  2. If encountering DMARC failures with Google Calendar invites, ensure you have a custom DKIM signature for your Google Workspace domain. Google Calendar invites primarily break SPF alignment, but a correctly configured DKIM should ensure DMARC passes.
  3. DMARC will inherently fail if a message is automatically forwarded and its content is modified. This is a design characteristic of DMARC. Recognize that the ARC protocol can help, but only between ARC-aware providers.
Expert view
Expert from Email Geeks says most unknown sources in DMARC reports are due to legitimate forwarding, where a recipient domain automatically forwards an email, breaking SPF and potentially DKIM alignment.
2021-09-16 - Email Geeks
Expert view
Expert from Email Geeks says DMARC is designed to fail if a message is automatically forwarded, which breaks SPF alignment, or modified, breaking DKIM alignment. Accepting this is part of DMARC deployment.
2021-09-16 - Email Geeks

Final thoughts on DMARC enforcement

Rolling out DMARC enforcement requires a strategic and patient approach, especially when accounting for email forwarding and potential DKIM issues. The phased deployment from p=none to p=quarantine, and then to p=reject, combined with meticulous monitoring of DMARC reports, is key to minimizing disruptions. Addressing DKIM alignment issues, particularly with third-party senders, and understanding the limitations of DMARC with email forwarding are critical steps in this journey.
Ultimately, a successful DMARC rollout not only enhances your email security by protecting your domain from spoofing and phishing, but also strengthens your sender reputation, leading to better email deliverability. While challenges may arise, such as legitimate emails landing on a blocklist or blacklist, a structured approach ensures you can navigate these complexities and achieve a robust email authentication posture. Remember that consistency and attention to detail are your best allies in this process.
