Suped

Will a stricter DMARC policy impact internal email deliverability when using G Suite aliases and email forwarding?

Summary

Moving to a stricter DMARC policy, like p=quarantine or p=reject, can significantly impact internal email deliverability, especially when using G Suite aliases and email forwarding. These configurations often lead to DMARC failures because the forwarded emails or those sent via aliases do not maintain the necessary SPF or DKIM alignment with your primary domain. While a p=none policy allows these emails to pass due to local overrides, stricter policies instruct recipient mail servers to take action against unaligned messages, potentially leading to internal emails being flagged as spam or rejected entirely.

What email marketers say

Email marketers often face the dilemma of balancing security with practicality, especially when internal email configurations like G Suite aliases and forwarding interfere with DMARC authentication. Many express concern that a stricter DMARC policy could inadvertently disrupt internal communications. They highlight the challenge of maintaining DMARC alignment when emails are re-routed or sent from domains not directly under their control, leading to potential deliverability issues for legitimate internal mail.

Marketer view

Email marketer from Email Geeks suggests that their internal emails using G Suite aliases are all being forwarded, causing DKIM unalignment and DMARC failures. They currently rely on a local policy override to ensure delivery.

10 Jun 2024 - Email Geeks

Marketer view

Email marketer from Email Geeks expresses concern that a stricter DMARC policy might disrupt the deliverability of their internal emails due to the current DMARC failures.

10 Jun 2024 - Email Geeks

What the experts say

Deliverability experts largely agree that while a stricter DMARC policy is beneficial for external security, it presents unique challenges for internal email flows, particularly those involving forwarding or aliases. They emphasize that DMARC failures, when a policy is at p=quarantine or p=reject, will likely result in increased rejection rates unless underlying authentication issues are addressed. They advocate for a cautious, data-driven approach, leveraging DMARC reports and gradual policy implementation to mitigate risks.

Expert view

Deliverability expert from Email Geeks indicates that it's very possible internal mail will be rejected once a stricter DMARC policy like p=reject is applied to unaligned DKIM emails, depending on Gmail's internal handling.

10 Jun 2024 - Email Geeks

Expert view

Deliverability expert from Email Geeks notes that while Gmail does perform ARC, which helps with forwarded emails, it might not solve all DMARC alignment issues stemming from G Suite aliases.

10 Jun 2024 - Email Geeks

What the documentation says

Official documentation and technical specifications for DMARC, SPF, and DKIM consistently highlight the importance of domain alignment for successful authentication. When email forwarding or aliases rewrite message headers in a way that breaks this alignment, messages can fail DMARC authentication. While some receiving mail systems (like Gmail with ARC) attempt to preserve authentication chains, this is not universally guaranteed, making careful configuration essential, especially for internal mail flows that are often taken for granted.

Technical article

Documentation from RFC 7489 (DMARC) states that for an email to pass DMARC, it must pass either SPF or DKIM authentication, and the domain used for that authentication must align with the domain in the From: header.

22 Apr 2017 - RFC 7489

Technical article

Documentation from M3AAWG (Messaging Anti-Abuse Working Group) highlights that email forwarding frequently breaks SPF validation because the original sender's IP address is no longer the last hop, leading to SPF fail results.

05 Sep 2019 - M3AAWG
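
The alignment rule and the forwarding failure described above can be modelled in a few lines of Python. This is an added example, not code from the original page or from the cited documents; the message dictionaries, the placeholder domains and the two-label organizational-domain shortcut are assumptions.

```python
# Added example: DMARC evaluation per the RFC 7489 alignment rule.
# Assumptions: organizational domain = last two labels (a real evaluator
# uses the Public Suffix List); pct= and sp= tags are ignored.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(msg, policy="none", aspf="r", adkim="r"):
    """Return (dmarc_result, requested_disposition) for one message."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("unknown DMARC policy: %r" % policy)
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], msg["from"], aspf)
    dkim_ok = any(result == "pass" and aligned(d, msg["from"], adkim)
                  for result, d in msg["dkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy  # the receiver is asked to apply the published policy

# Constructed messages; all domains are placeholders.
DIRECT = {"from": "example.com", "mail_from": "bounce.example.com",
          "spf": "pass", "dkim": [("pass", "example.com")]}
# Forwarded: SPF fails at the new last hop, the aligned DKIM signature survives.
FORWARDED = {"from": "example.com", "mail_from": "bounce.example.com",
             "spf": "fail", "dkim": [("pass", "example.com")]}
# Alias + forwarding: SPF and DKIM both pass, but for a different domain.
ALIAS_FORWARDED = {"from": "example.com", "mail_from": "relay.example.net",
                   "spf": "pass", "dkim": [("pass", "example.net")]}

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("forwarded", FORWARDED),
                      ("alias+forwarded", ALIAS_FORWARDED)]:
        for policy in ("none", "quarantine", "reject"):
            print(name, policy, dmarc_eval(msg, policy))
```

Only the third message fails DMARC, and its requested disposition moves from none to quarantine or reject as the policy tightens.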
