Suped

How does email forwarding affect SPF, DKIM, and DMARC validation?

Matthew Whittaker
Co-founder & CTO, Suped
Published 2 Jul 2025
Updated 16 Aug 2025
Email forwarding is a common practice, allowing messages sent to one address to be automatically redirected to another. While incredibly convenient, it introduces complexities for email authentication protocols like SPF, DKIM, and DMARC. These protocols are designed to verify sender identity and prevent spoofing, but the act of forwarding can inadvertently disrupt their validation processes, leading to legitimate emails failing authentication checks and potentially being sent to spam or blocked.
Understanding how email forwarding interacts with these authentication standards is crucial for maintaining good deliverability. We’ve seen countless scenarios where seemingly benign forwarding setups cause major headaches for senders, especially when DMARC policies are set to enforce quarantine or rejection. The challenge lies in the fact that forwarding often alters certain aspects of an email that SPF and DKIM rely upon for verification.
My goal here is to explain the mechanics behind these interactions, shedding light on why forwarded emails sometimes fail authentication and what steps can be taken to mitigate these issues. We will delve into how each protocol is affected and explore strategies to ensure your emails reach their intended inboxes, even when forwarded.

How email forwarding impacts SPF

SPF (Sender Policy Framework) works by allowing a domain owner to specify which IP addresses are authorized to send email on their behalf. Receiving mail servers then check the MAIL FROM domain's SPF record against the IP address of the server sending the email. If the IP isn't listed, SPF fails. This is where forwarding becomes problematic, as it introduces an intermediary server.
When an email is forwarded, the forwarding server essentially becomes the new sender in the eyes of the next hop. The MAIL FROM address typically remains that of the original sender, but the IP address from which the email is now being delivered is the forwarding server's IP, not the original sender's. Since the forwarding server's IP is almost certainly not authorized in the original sender's SPF record, the SPF check will fail. This is a common reason for SPF verification failures with forwarded messages.
Some forwarding services attempt to address this by using Sender Rewriting Scheme (SRS). SRS rewrites the MAIL FROM address to reflect the forwarding server's domain, thereby allowing SPF to pass. However, SRS is not universally adopted, and even when used, it doesn't solve potential DMARC alignment issues because the Header From address, visible to the recipient, remains the original sender's domain. Microsoft has highlighted that SRS usage can help maintain SPF pass results for forwarded emails, as detailed in their blog on Outlook's new sender requirements.

How email forwarding affects DKIM

DKIM (DomainKeys Identified Mail) works differently from SPF. It uses a cryptographic signature embedded in the email's header, signed by the sender's private key. This signature is calculated based on specific parts of the email's headers and body. Receiving servers use the sender's public key (published in their DNS) to verify the signature, ensuring the email hasn't been tampered with in transit and truly originated from the claimed domain.
One of DKIM's key advantages is its resilience to forwarding. Because the signature verifies the content and specific headers, DKIM generally survives forwarding as long as the email's signed parts remain unchanged. This is why many forwarded emails can still pass DKIM validation, even if their SPF fails. However, issues can arise if the forwarding service modifies the email body or signed headers, for example, by adding disclaimers, footers, or altering subject lines, leading to a DKIM body hash mismatch and subsequent failure.
While DKIM is more robust than SPF in the face of forwarding, it's not foolproof. The integrity of the signature relies on the email remaining largely intact. Forwarding services that strictly adhere to maintaining message integrity are less likely to break DKIM. For senders, ensuring your DKIM records are correctly set up and that your sending practices minimize message alterations is paramount to ensuring your emails maintain authentication upon forwarding.

Original email

  1. SPF validation: Passes if sending IP is authorized by the MAIL FROM domain.
  2. DKIM validation: Passes if the signature is valid and matches the signed content.
  3. DMARC status: Likely passes if SPF or DKIM align with the Header From domain.

Forwarded email

  1. SPF validation: Likely fails, as the forwarding server's IP is not in the original SPF record.
  2. DKIM validation: Generally passes, unless the forwarding server modifies signed content.
  3. DMARC status: Passes if DKIM aligns, even if SPF fails. Fails if both SPF and DKIM fail authentication.

The DMARC challenge with forwarding

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by requiring at least one of them to pass authentication and align with the Header From domain. This alignment is key. As we've seen, SPF commonly breaks during forwarding. This means DMARC validation for forwarded emails heavily relies on DKIM passing and aligning.
If DKIM survives forwarding and aligns with the Header From domain, the email will pass DMARC, even if SPF fails. This is a common scenario and highlights why having both SPF and DKIM properly configured is a best practice. However, if both SPF and DKIM fail (e.g., due to content modification by the forwarding server), then the DMARC check for that forwarded email will also fail. The impact of such a failure depends on the sender's DMARC policy.
When an email fails DMARC authentication, the receiving server consults the sender's DMARC policy (p=none, p=quarantine, or p=reject). A p=reject policy can lead to legitimate forwarded emails being blocked or sent to spam, affecting deliverability and user experience. This is a critical consideration for organizations deploying stricter DMARC policies, particularly those with users who frequently forward emails. Google also outlines the importance of DKIM setup to pass DMARC in their guidelines for forwarding email to Gmail.

DMARC and forwarding scenarios

DMARC’s effectiveness against spoofing can sometimes inadvertently penalize legitimate forwarded emails. When both SPF and DKIM authentication (and their respective alignments) fail because of the forwarding process, a DMARC policy of 'reject' means that the email will not be delivered. This is a common challenge for domain owners and email administrators to consider when implementing DMARC policies.
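The scenarios above, including the SRS case from the SPF section, can be worked through as a small model of the receiver's decision. This is an added example, not code from the original article or from Suped; the domains, IP addresses (documentation ranges), and the `org_domain` shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed SPF data: IPs each envelope domain authorizes (documentation ranges).
SPF_AUTHORIZED = {
    "example.com": {"192.0.2.10"},              # original sender
    "forwarder.example.net": {"198.51.100.7"},  # forwarding service
}

@dataclass
class Delivery:
    header_from: str   # domain in the visible From: header
    mail_from: str     # envelope MAIL FROM domain checked by SPF
    client_ip: str     # IP that connects to the final receiver
    dkim_d: str        # d= domain of the DKIM signature
    dkim_valid: bool   # does the signature still verify on arrival?

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def evaluate(msg: Delivery, policy: str) -> dict:
    spf_pass = msg.client_ip in SPF_AUTHORIZED.get(msg.mail_from, set())
    spf_ok = spf_pass and org_domain(msg.mail_from) == org_domain(msg.header_from)
    dkim_ok = msg.dkim_valid and org_domain(msg.dkim_d) == org_domain(msg.header_from)
    dmarc_pass = spf_ok or dkim_ok
    # Policy requested by the domain owner; receivers may apply local overrides.
    action = "deliver" if dmarc_pass or policy == "none" else policy
    return {"spf": spf_pass, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": dmarc_pass, "action": action}

SENDER, FWD = "192.0.2.10", "198.51.100.7"
SCENARIOS = {
    "direct":        Delivery("example.com", "example.com", SENDER, "example.com", True),
    "forwarded":     Delivery("example.com", "example.com", FWD, "example.com", True),
    "forwarded+SRS": Delivery("example.com", "forwarder.example.net", FWD, "example.com", True),
    "SRS+footer":    Delivery("example.com", "forwarder.example.net", FWD, "example.com", False),
}

def run(policy: str = "reject") -> dict:
    return {name: evaluate(msg, policy) for name, msg in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:15} {result}")
```

In the `SRS+footer` row SPF passes for the forwarder's domain, yet DMARC still fails because that domain does not align with the Header From and the DKIM signature no longer verifies.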

Solutions and best practices

Given the complexities introduced by email forwarding, what can senders do to ensure their emails continue to validate SPF, DKIM, and DMARC? The primary solution involves implementing ARC (Authenticated Received Chain). ARC allows mail servers to preserve email authentication results across multiple forwarding hops. Each hop adds an ARC seal, which includes the original authentication results and a new signature, allowing the final recipient to verify the email's authenticity despite intermediate changes.
For senders, robust DKIM implementation is vital, as it's the authentication method most likely to survive forwarding. When deploying DMARC, particularly with p=quarantine or p=reject policies, it's essential to monitor DMARC reports closely. These reports provide invaluable insight into how your emails are being authenticated by various receivers, including those that are being forwarded, allowing you to identify potential issues and adjust your strategy. If you're observing an increase in DMARC failures for emails originating from known legitimate sources, especially from Enterprise Outlook services, it is likely due to forwarding behavior.
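One way to triage aggregate reports for forwarding-related failures is sketched below. It is an added example, not code from the original article or from Suped: the report is a constructed sample that follows the RFC 7489 aggregate report layout, and the labels are a heuristic assumption, not a definitive classification.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _rec(ip, count, disp, dkim, spf):
    # Constructed sample record in the RFC 7489 aggregate report layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>{disp}</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"</record>")

SAMPLE_REPORT = "<feedback>" + "".join([
    _rec("192.0.2.10", 120, "none", "pass", "pass"),    # own mail server
    _rec("198.51.100.7", 14, "none", "pass", "fail"),   # unknown IP, DKIM intact
    _rec("203.0.113.5", 3, "reject", "fail", "fail"),   # unknown IP, nothing aligned
]) + "</feedback>"

# Keyed on the aligned (dkim, spf) results in <policy_evaluated>.
LABELS = {
    ("pass", "pass"): "direct",
    ("pass", "fail"): "dkim-only",   # consistent with forwarding, DKIM survived
    ("fail", "pass"): "spf-only",    # DKIM missing, broken or unaligned
    ("fail", "fail"): "dmarc-fail",  # modified forward or spoofing: investigate
}

def triage(report_xml: str) -> list:
    # Reports come from third parties; use a hardened XML parser in production.
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            "label": LABELS[(pe.findtext("dkim"), pe.findtext("spf"))],
        })
    return rows

def totals(rows: list) -> dict:
    counts = Counter()
    for row in rows:
        counts[row["label"]] += row["count"]
    return dict(counts)

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

Rows labelled `dkim-only` from IPs you do not operate are the typical footprint of forwarding, while `dmarc-fail` rows need a closer look before a stricter policy is applied.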

Views from the trenches

Best practices

Always implement both SPF and DKIM for your sending domains to maximize authentication coverage.
Monitor your DMARC aggregate reports regularly to identify sources of legitimate failures, which often include forwarded emails.
When forwarding emails, ensure your forwarding service supports ARC to preserve authentication results across hops.
For senders with strict DMARC policies, consider a phased rollout (e.g., from p=none to p=quarantine) while observing forwarded email impact.

Common pitfalls

Relying solely on SPF for authentication, as it frequently breaks with email forwarding.
Not monitoring DMARC reports, leading to undetected deliverability issues for forwarded messages.
Implementing a strict DMARC reject policy without understanding its impact on legitimate forwarded emails.
Forwarding services that modify email headers or body, which can break DKIM signatures.

Expert tips

DKIM is your strongest ally against forwarding issues because its signature generally survives intact unless the message content is altered.
DMARC will pass if either SPF or DKIM align, so a robust DKIM setup can compensate for SPF failures during forwarding.
Be aware of how different mail services handle forwarded emails, especially how they might modify headers or body, affecting authentication.
If legitimate emails are being rejected due to DMARC policies after forwarding, investigate if the forwarding service uses ARC or if it's modifying the message significantly.

Expert view

Expert from Email Geeks says DMARC only needs an aligned SPF or DKIM to pass, but depending on the forwarding method, either or both can break.
2023-06-14 - Email Geeks

Marketer view

Marketer from Email Geeks says they are seeing both SPF and DKIM failing for unknown IP addresses that are not theirs, yet the DKIM, SPF, and Header From fields look like their legitimate emails.
2023-06-14 - Email Geeks

Email forwarding, while convenient for recipients, presents a significant challenge to SPF, DKIM, and DMARC validation. SPF is particularly vulnerable due to changes in the sending IP address during the forwarding process. DKIM is more resilient, often surviving forwarding unless the message content or signed headers are modified. DMARC's success for forwarded emails hinges on DKIM passing and aligning, as SPF is likely to fail.
For optimal deliverability, senders should prioritize strong DKIM implementation and actively monitor their DMARC reports to identify and address issues related to forwarded mail. Techniques like ARC are emerging to help preserve authentication across hops, offering a more robust future for email forwarding in a DMARC-enforced world. Staying informed about these mechanisms and their interactions is key to ensuring your emails consistently reach the inbox.
