It's a perplexing scenario many email senders encounter: you've diligently configured your DMARC, SPF, and DKIM records, verified that DMARC passes, yet Gmail still displays a 'via' tag next to your sender name. This can be quite confusing, as the 'via' tag often implies an email is being sent on behalf of another domain, typically when authentication fails or is misconfigured. So, why does it appear even when everything seems to be in order?
The presence of a 'via' tag in Gmail indicates that the email's 'From:' address (the one recipients see) differs from the domain that actually signed or authenticated the email. While DMARC ensures alignment between these domains for policy enforcement, Gmail's display logic is often more conservative and aims for maximum transparency to the end user.
It's important to understand that the 'via' tag doesn't necessarily mean your email will land in spam or that your deliverability is compromised. Rather, Gmail uses it to inform the recipient when an email originates from a domain different from the visible 'From:' address, even if that difference is technically allowed by DMARC's relaxed alignment. It’s a part of Gmail's ongoing efforts to combat phishing and spoofing by providing extra context to users.
The 'via' tag in Gmail appears when an email is sent through a third-party service, and there's a discrepancy between the domain in the visible 'From:' header and the domain responsible for sending or authenticating the message. This often happens even if your DMARC record is correctly set up and passing because Gmail's internal display logic has stricter criteria than DMARC's technical passing requirements.
For example, if you send an email from yourname@yourdomain.com using an Email Service Provider (ESP) like Mailgun or SendGrid, the actual sending domain might be a subdomain like mg.yourdomain.com or sends.yourdomain.com. Even if DKIM or SPF aligns with yourdomain.com under a relaxed DMARC policy, Gmail might still display yourdomain.com via mg.yourdomain.com to show the true path.
The key concept here is the distinction between DMARC's definition of alignment and Gmail's user interface choice. DMARC simply requires that the authenticating domain (either SPF's Return-Path or DKIM's d= domain) be organizationally aligned with the From: header domain. If they share the same organizational domain (e.g., yourdomain.com), DMARC passes. However, Gmail may still add 'via' if the specific subdomains don't match exactly. If you are struggling with this issue, you can explore options on how to remove the 'via' message.
DMARC alignment and its nuances
DMARC (Domain-based Message Authentication, Reporting, and Conformance) relies on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify email authenticity. For a message to pass DMARC, it must pass either SPF or DKIM authentication, AND the authenticated domain must align with the 'From:' domain. There are two types of alignment: strict and relaxed.
Under relaxed alignment, the authenticating domain and the 'From:' domain only need to share the same organizational domain. For instance, mail.yourdomain.com would align with yourdomain.com. Most ESPs utilize relaxed alignment. However, Gmail's display can still be triggered if the 'From:' domain and the authenticating domain are not an exact match, even if they pass DMARC's relaxed alignment rules. This is where the 'via' tag can appear unexpectedly.
Under strict alignment, the domains must match exactly. For example, if your 'From:' address is yourname@yourdomain.com, then the SPF Return-Path or DKIM d= domain must also be yourdomain.com. If you specifically set your DMARC policy to require strict alignment (which is less common with ESPs), and an email authenticates with a subdomain, it would typically fail DMARC. However, the 'via' tag can still appear even with passing DMARC due to how Gmail handles domain transparency. It's crucial to understand the basics of DMARC and alignment to troubleshoot these issues effectively.
Alignment Type
SPF Alignment
DKIM Alignment
DMARC Pass Condition
Relaxed
Return-Path domain shares organizational domain with From: domain.
DKIM d= domain shares organizational domain with From: domain.
Either SPF or DKIM passes with organizational alignment.
Strict
Return-Path domain matches exactly From: domain.
DKIM d= domain matches exactly From: domain.
Either SPF or DKIM passes with exact domain alignment.
This subtle difference in how DMARC defines alignment versus Gmail's display criteria is often the root cause of the 'via' tag. While DMARC is satisfied, Gmail prioritizes informing the user about the actual sending infrastructure. This is also a reason Gmail might reject emails if DMARC is not properly aligned or configured, even if you think you're doing everything right.
The role of the sender header
Beyond DMARC alignment, the presence of a Sender: header in your email can also trigger the 'via' display in Gmail. The Sender: header specifies the address of the actual sender who caused the message to be sent, on behalf of the address in the From: header. This is a common practice for ESPs and bulk mailers.
Even if your DMARC, SPF, and DKIM records are perfectly aligned and passing for the From: domain, if there's a Sender: header present with a different domain, Gmail might choose to display the domain from the Sender: header as the 'via' domain. This is especially true if the Sender: domain doesn't perfectly match the From: domain, even if they're organizationally aligned. This aligns with Gmail's goal of providing the fullest picture of the email's origin to its users.
Example: Sender header causing 'via' display
Consider an email with the following headers:
Email Headerstext
From: Your Name <yourname@yourdomain.com>
Sender: mg.mailgun.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=mg; ...
Authentication-Results: mx.google.com; ... dmarc=pass (p=none dis=none) header.from=yourdomain.com
In this scenario, even though DMARC passes for yourdomain.com via DKIM, Gmail might still display Your Name <yourname@yourdomain.com> via mg.mailgun.org because of the Sender: header using a different subdomain.
Other potential factors and troubleshooting
While alignment and the Sender: header are primary reasons for the 'via' tag, other factors can sometimes contribute or create similar confusion. Email authentication is a complex system, and a single passing DMARC result doesn't guarantee a completely unflagged display in all email clients.
One such factor, though less direct in causing 'via', is email forwarding. When an email is forwarded, the authentication results can be altered, potentially breaking SPF or DKIM. ARC (Authenticated Received Chain) helps to preserve these results across hops, but not all systems implement ARC consistently. In some rare cases, the 'via' tag might even be a temporary display bug on Gmail's side, as some users have reported seeing it inconsistently even for seemingly perfectly authenticated messages.
Troubleshooting the 'via' tag
Inspect Headers: Always review the full email headers in Gmail to confirm SPF, DKIM, and DMARC pass status and examine the Return-Path, DKIM d=, and Sender: domains. This detailed inspection can help you understand how email authentication is working.
Review ESP Settings: Ensure your ESP is configured to use your domain (or a subdomain you control) for both SPF and DKIM authentication. Some ESPs default to using their own domains, which can trigger the 'via' tag.
Consider DMARC Policy: While a p=none policy still results in DMARC pass, it signals a monitoring mode rather than enforcement. Gmail might view this with less implicit trust. Implementing a stricter DMARC policy requires a good understanding of your email flows, so it's wise to read up on how to implement DMARC effectively.
Monitor Google Postmaster Tools: While it won't directly explain the 'via' tag, the DMARC authentication dashboard can show if there are any underlying authentication issues you're missing, even if the Gmail display passes on a single message. See our guide on how Google Postmaster Tools reports DMARC.
Views from the trenches
Best practices
Ensure your 'From:' domain and DKIM 'd=' domain are either identical or share the same organizational domain for relaxed DMARC alignment.
Configure your ESP to use custom return-path domains (bounce domains) that align with your 'From:' domain.
Regularly check your email headers for full authentication results, including SPF, DKIM, and DMARC passes and alignment details.
Use a consistent sending domain or subdomain hierarchy to minimize potential 'via' tag triggers.
Common pitfalls
Relying solely on DMARC 'pass' in reports without checking 'via' tag visibility in major mailbox providers like Gmail.
Ignoring the 'Sender:' header, which can cause 'via' to appear even with passing authentication.
Assuming that relaxed DMARC alignment will always prevent the 'via' tag in all email clients.
Not configuring custom DKIM signing domains with your ESP, leading to ESP's domain showing in authentication.
Expert tips
Run test emails through various email clients and services to observe how the 'From:' address is displayed and if a 'via' tag appears.
If using a third-party sender, ensure they support branding for both SPF (Return-Path) and DKIM (d= domain) to perfectly align with your 'From:' domain.
The 'via' tag does not necessarily impact deliverability, but can affect brand perception, so decide if eliminating it is crucial for your specific use case.
Stay updated on mailbox provider display changes, as these can evolve independently of authentication standards.
Expert view
Expert from Email Geeks says the 'via' tag can appear if the From: address domain and the DKIM signing domain (d= tag) are not perfectly aligned, even if they share the same organizational domain. This is because Gmail highlights the actual authentication source.
2024-02-01 - Email Geeks
Expert view
Expert from Email Geeks says that sometimes the appearance of a 'via' tag, even with relaxed aligned messages, might indicate a temporary display bug within Gmail itself, as similar messages do not consistently show the tag.
2024-02-01 - Email Geeks
Key takeaways
The 'via' tag in Gmail, even when DMARC passes, is a feature designed for transparency rather than an indicator of failed authentication. It primarily arises from the subtle differences between the visible 'From:' address and the authenticating domains (SPF Return-Path or DKIM d=) or the presence of a Sender: header.
While it can be aesthetically unpleasing and sometimes lead to user confusion, it generally doesn't impact your email deliverability or sender reputation if your core authentication (SPF, DKIM, DMARC) is correctly configured and passing. The best approach is to ensure your authentication is robust and consistent across all sending platforms, minimizing any discrepancies that might trigger Gmail's transparency indicators.
Gmail still displays a 'via' tag next to your sender name. This can be quite confusing, as the 'via' tag often implies an email is being sent on behalf of another domain, typically when authentication fails or is misconfigured. So, why does it appear even when everything seems to be in order?
Mailgun or 
SendGrid, the actual sending domain might be a subdomain like mg.yourdomain.com or sends.yourdomain.com. Even if DKIM or SPF aligns with yourdomain.com under a relaxed DMARC policy, Gmail might still display yourdomain.com via mg.yourdomain.com to show the true path.
