How does DMARC identify forwarded emails in reports?

DMARC identifies forwarded emails by reporting authentication failures (SPF or DKIM) that occur when an email is re-transmitted by an intermediary server. The DMARC reports will show the IP address of the forwarding server as the source that failed authentication, not your original sending IP. This helps differentiate forwarded mail from direct spoofing attempts.

Will setting a DMARC p=reject policy block all my forwarded emails?

Yes, if your DMARC policy is set to "p=reject", legitimate forwarded emails that fail DMARC authentication (due to SPF or DKIM breakage during forwarding) will be rejected by the receiving server and not delivered. This is why starting with a "p=none" policy to observe is crucial before moving to stricter enforcement.

What is ARC and how does it help with email forwarding?

ARC (Authenticated Received Chain) is an email authentication protocol that preserves original authentication results across forwarding hops. When an email is forwarded, ARC adds a verifiable "seal" that allows receiving servers to validate the original authentication, even if SPF or DKIM would otherwise break due to forwarding.

Why do DMARC reports show unfamiliar IPs for my domain?

Unfamiliar IPs in your DMARC reports for your domain are often legitimate forwarding servers. When an email is forwarded, the final recipient's server sees the forwarding server's IP, not your original sending IP. If that forwarding server isn't authorized in your SPF record, it will result in an SPF failure, captured in the DMARC report.

Is it always a problem if SPF or DKIM fail for a forwarded email?

It's not always a problem. For forwarded emails, SPF is expected to fail. If DKIM remains intact and aligned, DMARC can still pass. If both SPF and DKIM fail, DMARC will fail. The issue arises when DMARC fails, and your domain has a "p=quarantine" or "p=reject" policy, as this can prevent delivery of legitimate mail.

How do email forwarding and DMARC policies affect email delivery and reporting? - Technical - Email deliverability - Knowledge base

Email forwarding is a common practice, allowing individuals and organizations to redirect incoming messages from one email address to another. While incredibly convenient, this seemingly simple action can introduce significant complexities when interacting with DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies. The very mechanisms designed to protect your domain from spoofing and phishing can inadvertently flag legitimate forwarded emails as unauthenticated, impacting their delivery and complicating your DMARC reports.

Understanding how forwarding affects email authentication protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and consequently DMARC, is crucial for maintaining good email deliverability and accurately interpreting your DMARC reports. I often see confusion about why DMARC reports show unfamiliar IPs or why seemingly legitimate emails are failing authentication after being forwarded. Let's explore these interactions and how they influence the journey of your emails.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

How email forwarding impacts authentication

When an email is sent, it carries various headers and identifiers. SPF verifies the sending server's IP address against a list authorized by the sender's domain, while DKIM uses a cryptographic signature to ensure the email's content hasn't been tampered with and was sent by an authorized party. DMARC then ties these two authentication methods to the "From" domain visible to the recipient, ensuring alignment.

The challenge arises with email forwarding because it often alters the email's path or content. For instance, when an email is forwarded, it typically passes through an intermediary server. This server, not the original sender's server, then transmits the email to the final recipient. As a result, the SPF check at the final destination will often fail because the IP address of the forwarding server does not match the IP addresses authorized in the original sender's SPF record. This is a common way that email authentication can be broken, as discussed in detail on how email forwarding can break DMARC.

DKIM, on the other hand, is generally more robust to forwarding, as long as the email's headers and body remain unchanged. The digital signature generated by DKIM is designed to withstand changes in the email's transit path. However, if the forwarding process modifies the email content, such as adding a disclaimer or changing headers, the DKIM signature can also be invalidated, leading to a DKIM failure. You can learn more about how email forwarding affects SPF, DKIM, and DMARC validation in our dedicated guide.

DMARC policies and their effect on forwarded emails

DMARC policies (p=none, p=quarantine, p=reject) dictate how a receiving server should handle emails that fail DMARC authentication. The impact on forwarded emails varies significantly depending on the policy you have set for your domain.

If your DMARC policy is set to "p=none", it means you are primarily in monitoring mode. Emails that fail authentication, including those that have been forwarded, will still likely be delivered to the recipient's inbox. The purpose of "p=none" is to gather DMARC reports without impacting email flow. This allows you to identify legitimate sources of email that might be breaking authentication, such as forwarded messages, before you enforce stricter policies. Our guide on simple DMARC examples covers how to start with this policy.

However, when you move to a "p=quarantine" or "p=reject" policy, the stakes become higher. Forwarded emails that fail DMARC checks because their SPF or DKIM (or both) broke during forwarding will then be subject to your domain's policy. A DMARC record with a policy of quarantine or reject means these emails might be moved to spam or blocked entirely. This is why careful monitoring with "p=none" is essential before enforcing stricter policies, as legitimate forwarded emails could be impacted. Our detailed article on DMARC quarantine and reject policies provides further insights.

Policy	Effect on Forwarded Emails	Impact on Deliverability
p=none	No direct enforcement. Emails are usually delivered, but DMARC reports will show authentication failures.	Minimal impact. Primarily for monitoring and data collection.
p=quarantine	Emails failing DMARC may be sent to spam/junk folders or flagged.	Moderate impact. Legitimate forwarded emails may not reach the primary inbox.
p=reject	Emails failing DMARC will be rejected outright and not delivered at all.	High impact. Legitimate forwarded emails will not be delivered, leading to lost communication.

Understanding DMARC reports

When you receive DMARC aggregate reports from mailbox providers like

Yahoo, it's common to see IP addresses and domains that you don't recognize. Often, these are not malicious actors, but rather the IP addresses of intermediary forwarding servers or "vanity domains" used by your customers who forward their email to personal accounts (e.g., example.com forwarding to gmail.com). These entries indicate emails that failed DMARC authentication after being forwarded. It's a normal occurrence and a key reason why you analyze these reports carefully. Our guide on understanding and troubleshooting DMARC reports can help you decipher these.

Decoding DMARC reports for forwarded mail

DMARC reports provide invaluable insight into all email streams using your domain, including those that pass and those that fail authentication. When a forwarded email fails SPF or DKIM alignment, the DMARC report will capture this failure, often listing the IP address of the forwarding server rather than your original sending server. This is exactly what DMARC reports are designed to do: show you mail received with your domain in the "From" address that wasn't authenticated by you, whether it's malicious or due to legitimate forwarding that breaks authentication in transit.

Identifying forwarded traffic in these reports requires careful analysis. You'll typically see distinct patterns: IP addresses not belonging to your authorized sending infrastructure, often associated with major ISPs or email providers, and a high volume of SPF failures with DKIM passes (if DKIM was not broken) or failures. The key is to distinguish between legitimate forwarding activity and actual spoofing attempts. The DMARC Digests support article offers more on this.

Example DMARC aggregate report snippet showing forwarded mailxml

...
<record>
  <row>
    <source_ip>192.0.2.10</source_ip>
    <count>5</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <row>
    <source_ip>203.0.113.50</source_ip>
    <count>12</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
...
</record>

It's important not to automatically assume that every unauthenticated email in your report is a malicious attempt. A small percentage of unauthenticated emails from your own legitimate sending IPs might indicate a configuration issue, but a larger volume from unfamiliar IPs, especially if associated with known forwarding services or ISPs, points to forwarded mail. Properly decoding these reports is a critical step in understanding your email ecosystem and improving your domain's reputation and deliverability.

Mitigating DMARC failures with forwarding

Given the challenges email forwarding poses to DMARC, what can you do to ensure your legitimate emails still reach their destination? One significant advancement is ARC (Authenticated Received Chain). ARC is designed to preserve email authentication results across multiple hops, including forwarding. When an email is forwarded, an ARC Seal is added to the message, which includes the original authentication results and a chain of custody. The recipient server can then validate this chain, understanding that SPF or DKIM may have legitimately broken due to forwarding, preventing unnecessary DMARC failures. Explore how to implement ARC and its effect on DMARC failures.

While ARC is gaining adoption, it's not universally supported by all email providers or forwarding services. Therefore, it's crucial to continue monitoring your DMARC reports diligently. If you're seeing consistent DMARC failures for legitimate forwarded emails, and you've transitioned to a "p=quarantine" or "p=reject" policy, these messages could be ending up in spam folders or being completely blocked. This can be especially problematic for internal communications or mailing lists. Google also provides specific guidelines for email senders that address DMARC policy enforcement.

Common forwarding challenges

SPF breakage: The forwarding server's IP often doesn't match the original sender's SPF record, causing SPF to fail.
DKIM modification: Any changes to email content or headers during forwarding can invalidate the DKIM signature.
DMARC failures: When SPF and/or DKIM fail, the DMARC check fails, leading to potential quarantine or rejection.

Solutions and best practices

Implement ARC: Authenticated Received Chain helps preserve authentication results across forwarding hops.
Monitor DMARC reports: Regularly analyze aggregate reports to identify and understand legitimate forwarding failures.
Educate users: Inform users about potential issues with personal email forwarding rules and DMARC.

Ultimately, managing DMARC policies in an environment with email forwarding requires a nuanced approach. It’s essential to gather sufficient data through "p=none" before tightening your policy to "p=quarantine" or "p=reject", to avoid unintentionally blocking legitimate mail. If you encounter issues, troubleshooting DMARC failures and their impact on email deliverability is a key skill to develop.

Views from the trenches

Best practices

Always begin DMARC implementation with a p=none policy to gather data on all mail streams, including forwarded emails, without impacting delivery.

Regularly analyze your DMARC aggregate reports to identify legitimate forwarded mail that fails authentication and understand its volume.

Consider implementing ARC (Authenticated Received Chain) if significant volumes of legitimate forwarded emails are consistently failing DMARC.

Common pitfalls

Switching directly to a p=quarantine or p=reject DMARC policy without first monitoring reports can inadvertently block legitimate forwarded emails.

Misinterpreting unfamiliar IP addresses in DMARC reports as malicious traffic when they are actually from intermediate mail servers that have forwarded your emails.

Not accounting for "vanity domains" or personal forwarding rules used by customers, which frequently break email authentication.

Expert tips

Ensure your own IP addresses in DMARC reports for unauthenticated mail are resolved by checking your signing configuration.

A DMARC policy of p=none is ideal for observation and won't typically cause delivery issues for forwarded mail.

For DMARC to pass after forwarding, DKIM must remain intact and align with the 'From' domain if SPF breaks.

Expert view

Expert from Email Geeks says: DMARC reports send you information about mail received with your domain in the From: address that wasn't authenticated by you, which includes instances where authentication is broken in transit.

2020-02-14 - Email Geeks

Expert view

Expert from Email Geeks says: Assuming SPF and DKIM are set up correctly, the majority of what you'll see in DMARC reports consists of legitimate mail with broken authentication or spoofed mail.

2020-02-14 - Email Geeks

Navigating forwarding and DMARC

Email forwarding and DMARC policies are intricately linked, posing unique challenges and opportunities for email deliverability and reporting. While forwarding can cause legitimate emails to fail authentication, careful DMARC policy deployment, vigilant monitoring of reports, and leveraging advancements like ARC can help mitigate these issues. The goal is to maintain robust email security without inadvertently blocking desired communication, ensuring your messages consistently reach their intended audience, regardless of how they are routed.