How does DMARC impact email forwarding and deliverability?

Summary

DMARC significantly impacts email forwarding and deliverability. Forwarded emails commonly fail SPF and DKIM authentication checks, primarily because the forwarding server isn't authorized to send on behalf of the original domain or because the SPF domain isn't updated. This leads to deliverability issues, especially when strict DMARC policies ('reject' or 'quarantine') are in place. While DMARC is designed to prevent spoofing, these policies can inadvertently block legitimate forwarded emails. Experts and documentation recommend using less restrictive policies (like 'p=none'), employing authenticated mailing lists, considering ARC to preserve authentication results, and using subdomains for varied DMARC policies. Additionally, it's important to note that DMARC mainly protects against direct domain spoofing, not all forms of email fraud.

Key findings

  • Forwarding Failures: Forwarded emails often fail SPF and DKIM checks because the forwarding server is not authorized to send for the original domain and the SPF domain is not updated.
  • Policy Impact: Strict DMARC policies ('reject', 'quarantine') can negatively affect deliverability of forwarded emails.
  • Security vs. Deliverability: Balancing security against spoofing with ensuring deliverability of legitimate forwarded emails is crucial.
  • Limited Protection: DMARC primarily protects against direct domain spoofing and is not a comprehensive solution for all email fraud.
  • ARC Potential: ARC (Authenticated Received Chain) is an emerging technology that could improve DMARC's handling of forwarded emails.

Key considerations

  • Policy Selection: Choose DMARC policies carefully, considering the potential impact on legitimate email forwarding.
  • Subdomain Strategy: Use subdomains to implement different DMARC policies for various email types.
  • ARC Adoption: Monitor the development and adoption of ARC to improve handling of forwarded emails.
  • Alternative Methods: Employ authenticated mailing lists to help prevent DMARC failures.
  • Holistic Security: Implement additional security measures to combat various forms of email fraud beyond direct domain spoofing.
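
The forwarding outcomes summarized above, worked through as an added example (not from the original page or from any vendor it cites): a simplified DMARC evaluation in Python. The domains, the policy table and the two-label organizational-domain shortcut are assumptions for illustration; the sp= tag and strict alignment are not modeled.

```python
from dataclasses import dataclass

# Constructed DMARC policies (placeholder domains, not real DNS data).
DMARC_POLICY = {"example.com": "reject", "news.example.com": "none"}

@dataclass
class Auth:
    spf_pass: bool     # SPF verdict for the envelope sender domain
    spf_domain: str    # envelope sender (RFC5321.MailFrom) domain
    dkim_pass: bool    # did the DKIM signature still verify on arrival?
    dkim_domain: str   # d= domain of that signature

def org_domain(domain):
    # Simplification: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(auth_domain) == org_domain(from_domain)

def disposition(from_domain, auth):
    """DMARC passes when SPF or DKIM passes AND aligns with the From domain."""
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain)
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    # Policy lookup: exact From domain first, then the organizational domain.
    policy = DMARC_POLICY.get(from_domain) or DMARC_POLICY.get(org_domain(from_domain), "none")
    return policy if policy in ("reject", "quarantine") else "fail-but-delivered"

SCENARIOS = {
    "direct": ("example.com", Auth(True, "example.com", True, "example.com")),
    # Forwarder keeps the envelope sender: its IP is not in example.com's SPF.
    "forward, untouched": ("example.com", Auth(False, "example.com", True, "example.com")),
    # Forwarder or list also edits the message, so the signature no longer verifies.
    "forward, modified": ("example.com", Auth(False, "example.com", False, "example.com")),
    # Forwarder rewrites the envelope sender: SPF passes, but for its own domain.
    "forward, rewritten": ("example.com", Auth(True, "forwarder.test", False, "example.com")),
    # Same breakage, but the From domain is a subdomain published with p=none.
    "subdomain p=none": ("news.example.com", Auth(False, "news.example.com", False, "news.example.com")),
}

def run():
    return {name: disposition(frm, auth) for name, (frm, auth) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:20} -> {result}")
```

The "forward, untouched" row is the case where an aligned DKIM signature that still verifies carries DMARC even though SPF fails.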

What email marketers say
11 Marketer opinions

DMARC significantly impacts email forwarding and deliverability, particularly when strict policies like 'reject' or 'quarantine' are implemented. Forwarded emails often fail SPF and DKIM checks because the forwarding server is not authorized to send on behalf of the original domain. This can lead to emails being rejected or marked as spam. While a 'reject' policy enhances security against spoofing, it can negatively affect deliverability in forwarding scenarios. It's crucial to balance security with deliverability, with some experts suggesting using a 'none' policy or implementing ARC to mitigate these issues.

Key opinions

  • DMARC Impact: DMARC policies, especially 'p=reject,' can cause forwarded emails to fail authentication checks, leading to rejection by receiving mail servers.
  • Authentication Failure: Forwarding alters email headers, invalidating SPF and DKIM signatures, causing authentication failure.
  • Security vs. Deliverability: A 'reject' policy enhances security against spoofing but can negatively impact deliverability when forwarding is involved.
  • Forwarding Servers: Forwarding servers are often not authorized to send emails on behalf of the original domain.

Key considerations

  • DMARC Policy Selection: Carefully consider the DMARC policy ('none,' 'quarantine,' or 'reject') to balance security needs with the potential impact on legitimate email forwarding.
  • ARC Implementation: Explore using Authenticated Received Chain (ARC) to preserve authentication results through forwarding and improve deliverability.
  • SPF and DKIM Alignment: Ensure SPF and DKIM records are properly configured and aligned to minimize authentication failures.
  • Monitoring and Reporting: Monitor DMARC reports to identify and address any deliverability issues related to email forwarding.
  • Alternative Solutions: Consider whether a less strict policy of 'p=none' is enough to start with.
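
For the monitoring point above, an added example (not from the original page or any vendor's tooling) that triages a DMARC aggregate report in the RFC 7489 XML format by which aligned mechanism carried each batch of mail. The report content, IP addresses and domain are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report fragment: documentation IPs and a placeholder domain.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>14</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>7</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def triage(xml_text):
    """Return (message counts per outcome, failing message counts per source IP)."""
    # Reports are third-party input: in production, parse them with a hardened
    # XML library and enforce size limits before this step.
    buckets, failing_sources = Counter(), Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned DKIM and SPF results used by DMARC.
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim == "pass" and spf == "pass":
            buckets["both_pass"] += count
        elif dkim == "pass":
            buckets["dkim_only"] += count   # SPF broke, DKIM survived: common for forwards
        elif spf == "pass":
            buckets["spf_only"] += count
        else:
            # These messages would be rejected or quarantined under enforcement.
            buckets["dmarc_fail"] += count
            failing_sources[row.findtext("source_ip")] += count
    return buckets, failing_sources

if __name__ == "__main__":
    counts, sources = triage(SAMPLE_REPORT)
    print(dict(counts), dict(sources))
```

Source IPs in the failing bucket still need review by hand: a forwarder that modified the message and an unauthorized sender look the same in this data.
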
Marketer view

Marketer from Email Geeks clarifies that Laura Atkins means to not have DMARC policies of quarantine or reject, just have p=none.

February 2025 - Email Geeks
Marketer view

Email marketer from EmailSecurityForum shares that implementing DMARC with a 'reject' policy can cause significant issues with email forwarding. Forwarded emails often fail SPF and DKIM checks, resulting in messages being rejected by receiving servers, impacting deliverability for forwarded messages.

July 2022 - EmailSecurityForum
Marketer view

Marketer from Email Geeks shares that his take is that p=reject is more a security setting to stop spoofing vs deliverability, and it can hurt deliverability in some cases. He says it's a balancing act between stopping spoofing or getting your emails delivered.

March 2022 - Email Geeks
Marketer view

Email marketer from Reddit explains that if a domain has a strict DMARC policy (p=reject), forwarded emails will likely fail authentication and be rejected. This happens because forwarding breaks the original SPF and DKIM signatures.

April 2023 - Reddit
Marketer view

Email marketer from Mailjet explains that DMARC policies, especially 'p=reject,' can cause forwarded emails to fail authentication checks and be rejected by receiving mail servers. This is because forwarding often alters the email's headers, invalidating SPF and DKIM signatures.

August 2023 - Mailjet
Marketer view

Email marketer from SparkPost explains that DMARC with a policy of 'reject' or 'quarantine' can significantly affect email forwarding. When an email is forwarded, the SPF and DKIM records are likely to be broken, causing the email to fail authentication and be rejected by the recipient's mail server.

October 2022 - SparkPost
Marketer view

Email marketer from EasyDMARC shares that DMARC can negatively impact email forwarding because when an email is forwarded, the SPF and DKIM records may no longer align with the forwarding server, leading to authentication failure and potential rejection by the recipient's server.

July 2022 - EasyDMARC
Marketer view

Marketer from Email Geeks states that setting a reject policy can also help deliverability, though, if spoofing is hurting your delivery.

November 2024 - Email Geeks
Marketer view

Email marketer from Quora shares that DMARC can negatively affect email forwarding because forwarded emails often fail SPF and DKIM checks. This is due to the forwarding server not being authorized to send emails on behalf of the original domain, leading to potential delivery issues if the DMARC policy is strict.

April 2021 - Quora
Marketer view

Email marketer from StackOverflow answers that DMARC can affect email forwarding by causing forwarded messages to fail SPF and DKIM authentication. This is because the forwarding server is not authorized to send emails on behalf of the original domain, leading to potential deliverability issues if the DMARC policy is set to reject.

September 2021 - StackOverflow
Marketer view

Email marketer from Postmark explains that DMARC policies, particularly those set to 'quarantine' or 'reject,' can interfere with email forwarding. When an email is forwarded, it often fails SPF and DKIM checks because the forwarding server isn't authorized, leading to deliverability issues.

September 2022 - Postmark

What the experts say
6 Expert opinions

DMARC significantly affects email forwarding. Forwarded emails often fail SPF checks, leading to deliverability issues, especially with 'reject' or 'quarantine' policies. This occurs because the SPF domain isn't always updated during forwarding. Experts recommend using less restrictive policies, like 'p=none,' for important emails and considering ARC to help validate authentication results during forwarding. DMARC primarily protects against direct domain spoofing and is ineffective against invoice fraud using third-party financial services.

Key opinions

  • SPF Failures: Forwarded emails commonly fail SPF checks, triggering DMARC rejections.
  • Policy Recommendations: Restrictive DMARC policies ('reject,' 'quarantine') should be avoided for emails where forwarding is crucial.
  • Limited Scope of DMARC: DMARC mainly defends against direct domain spoofing, not all forms of email fraud.
  • Potential of ARC: ARC is an emerging technology that may improve DMARC's compatibility with email forwarding.

Key considerations

  • DMARC Policy Selection: Choose DMARC policies carefully, considering the impact on legitimate forwarding.
  • Subdomain Usage: Use subdomains for different email types to apply varying DMARC policies as needed.
  • ARC Adoption: Monitor and prepare for the wider adoption of ARC to improve deliverability of forwarded emails.
  • Invoice Fraud Protection: Implement additional security measures to prevent invoice fraud, as DMARC alone is insufficient.
Expert view

Expert from Email Geeks clarifies that p=reject only works for direct domain spoofing and won't stop invoice fraud if financial services use their own domains.

April 2023 - Email Geeks
Expert view

Expert from Spam Resource explains that DMARC can cause problems with forwarding because forwarded mail often fails SPF checks, particularly if the forwarder doesn't rewrite the envelope sender. This leads to DMARC rejections if the DMARC policy is set to 'reject' or 'quarantine'.

February 2022 - Spam Resource
Expert view

Expert from Word to the Wise explains that technologies like ARC are being developed to try to help with forwarding issues. ARC lets forwarders validate the original authentication results so that when the mail gets to Gmail, they trust the authentication even though it doesn't come directly from the original sender. So ARC has a chance to make forwarding work better with DMARC.

April 2021 - Word to the Wise
Expert view

Expert from Email Geeks explains that forwarded emails might fail DMARC checks because the SPF domain isn't always changed during forwarding, and she is not sure why they chose to do it that way.

December 2022 - Email Geeks
Expert view

Expert from Email Geeks suggests not using restrictive DMARC policies for mail that you actually care about reaching your recipients, especially when forwarding is involved.

February 2022 - Email Geeks
Expert view

Expert from Email Geeks suggests using a subdomain in the 5322.from for those emails if you want to have a different DMARC policy applied to just Klaviyo emails.

April 2024 - Email Geeks

What the documentation says
5 Technical articles

DMARC, designed to prevent email spoofing, significantly impacts email forwarding by causing authentication failures when SPF and DKIM records no longer align due to forwarding. This leads to legitimate emails being flagged as spam or rejected, especially with strict DMARC policies. Documentation recommends using authenticated mailing lists, trusted forwarders, and implementing ARC to preserve authentication results and mitigate deliverability issues.

Key findings

  • Authentication Breakage: Forwarding breaks SPF and DKIM authentication, leading to DMARC failures.
  • Spoofing Prevention: DMARC is primarily designed to prevent email spoofing and unauthorized use.
  • Deliverability Problems: DMARC can cause legitimate, forwarded emails to be rejected or flagged as spam.

Key considerations

  • ARC Implementation: Implement ARC to preserve authentication results during forwarding.
  • Trusted Forwarders: Use trusted forwarders to maintain email integrity.
  • Authenticated Mailing Lists: Utilize authenticated mailing lists to prevent authentication breaks.
  • Policy Implications: Understand the implications of strict DMARC policies on forwarding scenarios.
Technical article

Documentation from Valimail shares that DMARC impacts email forwarding by causing authentication failures when SPF and DKIM records no longer align with the forwarding server. This results in deliverability problems because forwarded emails may be rejected based on DMARC policy.

October 2023 - Valimail
Technical article

Documentation from Google explains that DMARC can cause legitimate emails, including forwarded messages, to be rejected if the forwarding process breaks SPF or DKIM authentication. They recommend solutions like using authenticated mailing lists or ARC to preserve authentication results.

December 2023 - Google
Technical article

Documentation from Microsoft explains that DMARC is designed to prevent email spoofing. Forwarding can be impacted if it breaks the DMARC checks, potentially causing legitimate emails to be flagged as spam or rejected. They suggest using trusted forwarders and implementing ARC.

October 2021 - Microsoft
Technical article

Documentation from DMARC.org explains that DMARC is intended to protect your domain from unauthorized use, like spoofing, and unintended use such as forwarding which can break authentication. Forwarding breaks DMARC because the source authentication no longer matches the recipient.

December 2022 - DMARC.org
Technical article

Documentation from IETF RFC 7489 describes DMARC's interaction with forwarding. When an email is forwarded, the original SPF and DKIM records are often invalidated, leading to DMARC failures if the forwarding server isn't authorized. This can cause deliverability problems, especially with strict DMARC policies.

January 2025 - ietf.org