DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for email security and deliverability. It protects your domain from spoofing and phishing by requiring that mail claiming to be from your domain pass SPF or DKIM with an identifier that aligns with the domain in the From: header. Email forwarding often complicates DMARC validation: the forwarding hop re-sends the message from a different IP address and may alter it, which breaks SPF and sometimes DKIM, so legitimate mail fails DMARC. This can significantly impact deliverability when the DMARC policy is set to quarantine or reject. Understanding this interaction is vital for maintaining good sender reputation and ensuring your messages reach their intended recipients.
Key findings
Authentication breakdown: Email forwarding frequently causes SPF to fail because the forwarding server's IP address is not listed in the original sender's SPF record; if the forwarder rewrites the envelope sender to its own domain (SRS), SPF may pass but no longer aligns with the From: domain. DKIM survives forwarding only when the signed headers and the body arrive unmodified; a forwarder that appends a disclaimer or rewrites a signed header breaks the signature.
DMARC policy impact: When DMARC is enforced with a p=quarantine or p=reject policy, emails that fail DMARC authentication due to forwarding may be marked as spam or rejected outright, even if they are legitimate. This is a common challenge that can lead to deliverability issues, as outlined in our guide on how to handle DMARC failures when email is forwarded.
Trade-off between security and deliverability: While stricter DMARC policies (like p=reject) offer enhanced protection against spoofing and phishing, they inherently increase the risk of legitimate forwarded emails failing delivery. This balancing act is a significant consideration for senders.
Limited control over forwarding: Senders have little to no control over how recipient mail servers handle forwarded emails, making it difficult to guarantee DMARC alignment once a message leaves the initial recipient's inbox.
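The DKIM point above, as an added example that is not code from the original page: the bh= body hash that a signer computes and a verifier recomputes, under both canonicalization modes from RFC 6376. It shows why c=relaxed survives a forwarder that only re-flows whitespace while a footer appended by the forwarder breaks the hash in either mode. The message bodies and the forwarder name mail.example.net are constructed for this example; only the body hash is checked here, not the RSA signature over the headers, which breaks in the same way if a signed header such as Subject is rewritten.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3: drop empty lines at the end of the body and keep exactly
    one trailing CRLF (an empty body becomes a single CRLF). Every other byte counts."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: strip trailing whitespace on each line, collapse runs of
    SP/HTAB to one SP, drop trailing empty lines, end a non-empty body with CRLF."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+$", b"", line)   # trailing whitespace is ignored
        line = re.sub(rb"[ \t]+", b" ", line)   # internal whitespace runs become one SP
        lines.append(line)
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    canonical = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def signature_survives(signed_body: bytes, received_body: bytes, canon: str = "relaxed") -> bool:
    """True iff the verifier's recomputed body hash equals the one the signer put in bh=."""
    return body_hash(signed_body, canon) == body_hash(received_body, canon)


# Constructed message bodies with CRLF line endings, as they travel on the wire.
ORIGINAL = b"Hello team,\r\n\r\nThe deploy is scheduled for 09:00 UTC.\r\n\r\n"
# A hop that re-flows whitespace and pads blank lines but changes no content.
REFLOWED = b"Hello team,  \r\n\r\nThe deploy is   scheduled for 09:00 UTC.\r\n\r\n\r\n"
# A hop that appends a disclaimer (hypothetical forwarder mail.example.net).
WITH_FOOTER = ORIGINAL + b"-- \r\nForwarded by mail.example.net\r\n"

if __name__ == "__main__":
    for name, received in (("reflowed", REFLOWED), ("footer", WITH_FOOTER)):
        for canon in ("simple", "relaxed"):
            print(f"{name:<9} c={canon:<8} bh intact: {signature_survives(ORIGINAL, received, canon)}")
```

Run it and the reflowed copy verifies only under relaxed canonicalization, while the copy with the footer verifies under neither: content added by a forwarder cannot be canonicalized away, which is why a disclaimer-adding hop turns a DKIM pass into a DMARC failure whenever SPF has already broken.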
Key considerations
Monitoring DMARC reports: Regularly analyzing DMARC aggregate reports is essential to identify legitimate forwarded email streams that are failing authentication. This data helps in making informed decisions about DMARC policy adjustments. Our article on understanding and troubleshooting DMARC reports provides further insight.
Phased DMARC rollout: Starting with a p=none policy (monitoring only) allows you to gather data on forwarding impacts without affecting deliverability. Gradually moving to stricter policies like quarantine or reject should only occur after thoroughly assessing these reports and addressing any identified issues. Learn more about safely transitioning your DMARC policy.
ARC (Authenticated Received Chain): While not universally adopted, ARC (RFC 8617) is designed to preserve authentication results across forwarding hops, mitigating DMARC failures. Each intermediary seals the SPF and DKIM results it observed, so the final receiver can see that the message authenticated before the forwarder changed it. ARC only helps when the receiving server trusts the sealing intermediary, and whether to honour a chain is the receiver's decision, not the sender's. For more information, you can read the Authenticated Received Chain specification.
Subdomain strategy: Using distinct subdomains for different sending purposes (e.g., transactional, marketing) allows for more granular DMARC policies: the sp= tag in the organizational domain's record sets a separate policy for subdomains, and a subdomain can publish its own record to override it. This isolates the impact of forwarding issues to specific types of email traffic, reducing overall deliverability risk.
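For the monitoring step above, an added example that is not code from the original page: a parser for a DMARC aggregate (rua) report in the RFC 7489 Appendix C XML format that buckets each source IP by what DMARC saw. The report, the receiver name, the IP addresses (documentation ranges) and the counts are constructed for this example. The useful distinction is between rows where DKIM carried the message despite SPF failing (the classic forwarding signature), rows where our own signature is present but broken (forwarded with modification, or replayed), and rows with no signature from our domain at all (unknown sender or spoof).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 Appendix C). Names, IPs and counts are made up.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1715904000</begin><end>1715990400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>fwd.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.26</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>410</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> str:
    """Bucket one <record>. policy_evaluated already reflects alignment, so a raw SPF
    'pass' for a forwarder's MailFrom domain (second record) still appears as spf=fail."""
    evaluated = record.find("row/policy_evaluated")
    dkim_aligned = evaluated.findtext("dkim") == "pass"
    spf_aligned = evaluated.findtext("spf") == "pass"
    header_from = (record.findtext("identifiers/header_from") or "").lower()
    # Did the message carry a signature for the From: domain at all, even a broken one?
    our_signature = any(
        (d.findtext("domain") or "").lower() == header_from
        for d in record.findall("auth_results/dkim")
    )
    if dkim_aligned and spf_aligned:
        return "pass"
    if dkim_aligned:
        return "pass-dkim-only"          # typical forward: SPF broke, intact DKIM carried it
    if spf_aligned:
        return "pass-spf-only"
    if our_signature:
        return "fail-signature-broken"   # signed by us, altered in transit or replayed
    return "fail-unsigned"               # nothing ties it to us: unknown sender or spoof


def triage(xml_text: str) -> list[tuple[str, str, int]]:
    """(bucket, source_ip, count) for every record, largest volumes first."""
    root = ET.fromstring(xml_text)
    rows = []
    for record in root.findall("record"):
        ip = record.findtext("row/source_ip") or ""
        count = int(record.findtext("row/count") or 0)
        rows.append((classify(record), ip, count))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def summarize(xml_text: str) -> Counter:
    """Message counts per bucket: the volume at stake if p= moves to quarantine or reject."""
    totals: Counter = Counter()
    for bucket, _ip, count in triage(xml_text):
        totals[bucket] += count
    return totals


if __name__ == "__main__":
    for bucket, ip, count in triage(SAMPLE_REPORT):
        print(f"{bucket:<24} {ip:<16} {count:>6}")
    print(dict(summarize(SAMPLE_REPORT)))
```

Real reports arrive as gzip or zip attachments to the rua= address and one feedback element per reporting organisation per day, so in practice the XML is unpacked first and the per-IP rows are merged across reporters before deciding anything. The fail-signature-broken bucket is where forwarding with modification hides: the source IPs there should be looked up before assuming they are hostile, since a p=reject policy will bounce all of them.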
Email marketers often find themselves at a crossroads when it comes to DMARC and forwarding. While they understand the importance of DMARC for brand protection and improving overall email deliverability, the practical implications of forwarding breaking authentication pose a significant challenge. They seek ways to balance strict security policies with ensuring legitimate emails reach their audience, even when forwarded or sent via third-party services that may not perfectly align with DMARC requirements.
Key opinions
Deliverability concerns with strict policies: Many marketers are hesitant to move to p=reject due to fears that legitimate emails, especially those being forwarded, will not land. They prioritize getting messages to the inbox over full DMARC enforcement.
Conflicting advice: Marketers sometimes receive conflicting guidance from different sources, such as their ESPs or even major mailbox providers, regarding the optimal DMARC policy, which can be confusing and lead to uncertainty about best practices.
Desire for granular control: There's a strong desire among marketers for more flexible DMARC policies that could apply differently to various email streams, like those sent through ESPs (e.g., Klaviyo) versus internal communications.
Security vs. deliverability balance: Marketers acknowledge the trade-off between stopping spoofing and ensuring legitimate emails are delivered, often viewing DMARC's primary benefit as security rather than purely deliverability, though it can impact both.
Anecdotal evidence of positive impact: Some marketers report moving to p=reject to signal good intent to ISPs and have observed anecdotal improvements in their mail stream, even without direct spoofing issues.
Key considerations
Evaluating risk tolerance: Marketers must assess their organization's tolerance for legitimate email delivery failures against the need for strong anti-spoofing measures. A p=none policy allows monitoring without impact.
Aligning with new requirements: With major mailbox providers like Gmail and Yahoo implementing stricter authentication requirements, marketers need to ensure their DMARC setup, including how it interacts with forwarding, meets these new standards to avoid deliverability penalties, as discussed in our guide on complying with Outlook's new sender requirements.
Domain and subdomain strategy: Considering a strategy that involves using different subdomains for various sending platforms or email types can help manage DMARC policies more effectively, isolating potential forwarding issues to specific subdomains rather than the entire primary domain.
Monitoring third-party senders: Closely monitor DMARC reports for emails sent via third-party services, ensuring they achieve DMARC alignment, even if forwarding is not directly involved, as misconfigurations here can also cause failures.
Marketer view
Email marketer from Email Geeks notes that when a DMARC policy is moved to reject, legitimate forwarded emails might not be delivered, creating a difficult choice between security and ensuring messages land.
17 May 2024 - Email Geeks
Marketer view
Email marketer from EmailTooltester.com emphasizes that DMARC significantly enhances email deliverability by ensuring emails are authenticated against SPF and DKIM standards, which helps prevent them from being flagged as spam.
18 Mar 2024 - EmailTooltester.com
What the experts say
Experts in email deliverability acknowledge the critical role of DMARC in authentication and brand protection, but they also emphasize the complexities it introduces, particularly concerning email forwarding. They highlight the delicate balance between enforcing strict DMARC policies for security and ensuring the deliverability of legitimate emails that may traverse forwarding paths. Their insights often focus on strategic policy implementation and the limitations of DMARC in certain common email use cases, as detailed in our guide on a simple guide to DMARC, SPF, and DKIM.
Key opinions
Forwarding causes DMARC failures: Experts confirm that email forwarding is a primary reason for DMARC authentication failures. Either the forwarder re-sends with the original envelope sender, so SPF fails because its IP is not in that domain's record, or it rewrites the envelope sender to its own domain, so SPF passes for a domain that does not align with the From: header; and DKIM fails whenever the forwarder modifies signed content in transit.
DMARC policy choice is crucial: Moving to a p=reject policy will lead to the rejection of legitimate emails that fail DMARC due to forwarding, making p=none a safer initial approach for monitoring.
Security vs. deliverability trade-off: Many experts view p=reject primarily as a security measure against spoofing rather than a direct deliverability enhancement, noting that it can sometimes hurt deliverability by blocking legitimate forwarded mail.
Subdomains for granular control: Using distinct subdomains for different email streams (e.g., marketing vs. transactional) is advised as it allows for varied DMARC policies, which can help manage the impact of forwarding issues more effectively.
Limitations of p=reject: Even a p=reject policy only protects against direct domain spoofing, and vulnerabilities can persist if third-party services don't allow customers to use their own domains for authentication.
Key considerations
Careful policy application: Experts recommend not using restrictive DMARC policies (quarantine or reject) for mail that is critical to reach recipients, especially when DMARC reports show significant forwarding activity causing failures. This is a crucial step to troubleshoot DMARC failures.
Understanding p=none: It's important to recognize that p=none is a valid and proper DMARC policy, especially during the initial phase of deployment, as it enables monitoring without affecting delivery outcomes. Read more in our simple DMARC examples.
Leveraging ARC where possible: While not a universal solution, implementing ARC can help preserve authentication results for forwarded emails, thereby improving DMARC pass rates in environments that support it. Learn how to implement ARC.
Proactive spoofing defense: Given the evolving nature of spoofing attacks, experts advise that proper authentication configurations combined with p=reject can be highly effective in stopping direct domain spoofing and related fraud.
Expert view
Expert from Email Geeks confirms that unexpected SPF domains and DKIM failures are indeed likely indicators of email forwarding, which often disrupts DMARC validation.
17 May 2024 - Email Geeks
Expert view
Expert from SpamResource.com notes that DMARC is vital for maintaining good sending reputation by preventing unauthorized use of your domain, which is crucial for overall email deliverability.
21 Apr 2024 - SpamResource.com
What the documentation says
Official documentation and technical guides on DMARC consistently point out the inherent conflict between email forwarding and DMARC's authentication requirements. They explain how the forwarding process can inadvertently alter message paths or headers, leading to SPF and DKIM authentication failures. This, in turn, causes DMARC validation to fail, potentially impacting the deliverability of otherwise legitimate messages. The documentation often details the mechanisms behind these failures and suggests workarounds or complementary technologies like ARC.
Key findings
SPF breaks on forwarding: Standard forwarding re-sends the message from the forwarder's server. If the forwarder keeps the original Return-Path (envelope sender), SPF is evaluated against the original domain's record, which does not list the forwarder's IP, so SPF fails. If the forwarder rewrites the Return-Path to its own domain (SRS), SPF may pass for that domain but no longer aligns with the From: domain, which is what DMARC checks. Either way the SPF leg of DMARC fails; this is a well-documented issue that often leads to DMARC non-compliance.
DKIM modifications: DKIM is more resilient to forwarding than SPF because the signature travels with the message and does not depend on the sending IP. It still fails if the forwarder changes anything the signature covers: the body, whose bh= hash no longer matches after an appended disclaimer or a re-encoding, or any signed header such as Subject. Signing with relaxed canonicalization tolerates whitespace changes; it does not tolerate added content.
Alignment requirement: DMARC requires either SPF or DKIM to pass authentication and align with the domain in the From: header; with the default relaxed alignment (adkim=r, aspf=r) a subdomain of the From: domain aligns, while strict (s) requires an exact match. Forwarding often breaks this alignment, triggering DMARC policies set to quarantine or reject, leading to reduced deliverability, as elaborated in how DMARC policies affect email delivery.
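The three findings above, and the authentication breakdown described earlier in this page, as an added example that is not code from the original page: the DMARC evaluation a receiver performs once it has SPF and DKIM results, applied to the forwarding cases the text describes. The hop scenarios, the forwarder domain fwd.example.net and the bounce subdomain bounce.example.com are constructed; the organizational-domain rule is simplified to the last two labels where a real implementation consults the Public Suffix List, and pct= sampling is ignored.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels. RFC 7489 section 3.2 uses the
    Public Suffix List, which this simplification gets wrong for names like example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return authenticated.lower() == header_from.lower()
    return org_domain(authenticated) == org_domain(header_from)


@dataclass(frozen=True)
class Hop:
    """What the receiving MTA observes for one delivery of a message."""
    header_from: str   # domain of RFC5322.From, the identifier DMARC protects
    spf_result: str    # SPF result for the RFC5321.MailFrom domain at this hop
    spf_domain: str    # the MailFrom domain SPF was evaluated against (after any SRS rewrite)
    dkim_result: str   # verification result of the signature, "none" when unsigned
    dkim_domain: str   # d= of that signature, "" when unsigned


def dmarc_evaluate(hop: Hop, adkim: str = "r", aspf: str = "r") -> tuple[bool, str]:
    """DMARC passes if at least one of SPF or DKIM both passed and aligns with From:."""
    spf_ok = hop.spf_result == "pass" and aligned(hop.spf_domain, hop.header_from, aspf)
    dkim_ok = hop.dkim_result == "pass" and aligned(hop.dkim_domain, hop.header_from, adkim)
    if spf_ok and dkim_ok:
        return True, "spf+dkim"
    if dkim_ok:
        return True, "dkim"
    if spf_ok:
        return True, "spf"
    return False, "none"


def disposition(passed: bool, policy: str) -> str:
    """Action the published p= tag requests for this verdict (pct= sampling not modelled)."""
    if passed or policy == "none":
        return "none"
    return policy  # "quarantine" or "reject"


# Constructed scenarios for a message with From: user@example.com.
SCENARIOS = {
    # Sent directly from a host listed in example.com's SPF record, DKIM-signed with d=example.com.
    "direct": Hop("example.com", "pass", "example.com", "pass", "example.com"),
    # Plain forward: MailFrom kept as example.com, but the forwarder's IP is not in its SPF record.
    "forward_no_srs": Hop("example.com", "fail", "example.com", "pass", "example.com"),
    # SRS forward: MailFrom rewritten to the forwarder; SPF passes there but does not align.
    "forward_srs": Hop("example.com", "pass", "fwd.example.net", "pass", "example.com"),
    # SRS forward that also appends a disclaimer: the DKIM body hash no longer matches.
    "forward_srs_footer": Hop("example.com", "pass", "fwd.example.net", "fail", "example.com"),
    # Bulk sender using a bounce subdomain for MailFrom and no DKIM: depends on aspf.
    "bounce_subdomain_no_dkim": Hop("example.com", "pass", "bounce.example.com", "none", ""),
}


def run_scenarios(policy: str = "reject", adkim: str = "r", aspf: str = "r") -> dict[str, tuple[bool, str, str]]:
    """Verdict, the identifier that carried it, and the resulting disposition per scenario."""
    out = {}
    for name, hop in SCENARIOS.items():
        passed, via = dmarc_evaluate(hop, adkim, aspf)
        out[name] = (passed, via, disposition(passed, policy))
    return out


if __name__ == "__main__":
    for policy in ("none", "reject"):
        print(f"p={policy}")
        for name, (passed, via, action) in run_scenarios(policy).items():
            print(f"  {name:<26} pass={passed!s:<5} via={via:<9} disposition={action}")
```

Two things the scenarios make concrete: a forward that leaves the DKIM signature intact passes DMARC regardless of what happens to SPF, so an always-on, aligned DKIM signature is the single most effective mitigation the sender controls; and the same bounce-subdomain setup passes under relaxed SPF alignment and fails under strict, which is the knob to check before tightening aspf on a domain whose ESP uses its own return-path subdomain.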
Key considerations
ARC as a solution: Documentation often proposes ARC as a protocol designed to explicitly carry authentication results across mail relays, allowing downstream recipients to validate a message's authenticity despite changes introduced by intermediate forwarding servers. This aims to bridge the gap in DMARC validation for forwarded emails.
Careful policy deployment: It is widely recommended that organizations begin DMARC implementation with a p=none policy to collect data and understand the impact of forwarding on their legitimate email streams before moving to more restrictive policies. This allows for observation without impacting deliverability.
Impact on specific services: Some technical documentation specifically addresses how DMARC policies, especially p=reject, can impact internal email deliverability when using services like G Suite aliases and forwarding, highlighting the need for careful configuration.
Mailbox provider expectations: Recent changes by major mailbox providers, such as Gmail and Yahoo, emphasize the importance of DMARC alignment, even though forwarding continues to be a challenge. Senders are expected to manage their domain's authentication diligently to ensure messages reach the inbox.
Technical article
GoDMARC.com documentation states that email forwarding directly impacts DMARC compliance due to its reliance on SPF and DKIM. When an email is forwarded, the original sender's SPF record often fails validation because the forwarding server's IP address doesn't match.
11 Nov 2023 - GoDMARC.com
Technical article
Microsoft TechCommunity documentation acknowledges that email forwarding has long been known to break DMARC, a problem that is often overlooked if separate DKIM or SPF validation is maintained without full DMARC alignment.