How to handle DMARC failures when email is forwarded by recipients?

Summary

Handling DMARC failures due to email forwarding requires a multi-faceted approach encompassing technical solutions, policy adjustments, and user education. A foundational step is to implement and rigorously maintain SPF, DKIM, and DMARC across all email domains to establish a baseline level of authentication and security. Starting with a DMARC policy of 'p=none' allows for monitoring and analysis of email streams without rejecting legitimate emails, enabling the identification of forwarding patterns and authentication issues. The Authenticated Received Chain (ARC) protocol emerges as a pivotal technology, preserving authentication results across intermediaries and thus validating the original authentication even after forwarding, though it's not a complete solution. Recipient education on proper forwarding techniques, such as forwarding as attachments, and offering alternative communication methods like SMS notifications mitigate authentication failures. Other technical considerations include SPF flattening to avoid exceeding lookup limits, and configuring trusted forwarders in Microsoft 365. Regular audits of email infrastructure, coupled with reviewing DMARC reports, ensure ongoing effectiveness.

Key findings

  • SPF, DKIM, DMARC: Implementing and maintaining SPF, DKIM, and DMARC is fundamental for email authentication and security.
  • ARC Protocol: ARC helps preserve authentication through forwarding chains, but is not a complete solution in itself.
  • Monitoring DMARC: Using 'p=none' DMARC policy initially helps monitor and analyze forwarding issues.
  • Recipient Education: Educating users on correct forwarding methods reduces authentication failures.
  • Alternative Channels: Using alternative channels like SMS for critical communications bypasses email authentication.
  • Regular Audits: Regular infrastructure audits and reviewing DMARC reports ensure continued effectiveness.

Key considerations

  • Phased Implementation: Implement DMARC in phases, starting with monitoring, to understand email ecosystem fully.
  • Configuration Complexity: Proper configuration of SPF, DKIM, DMARC, and ARC is essential for optimal results.
  • SPF Limitations: SPF alone is often insufficient for handling forwarding scenarios; consider complementary mechanisms.
  • Proactive Approach: Treat authentication failures as an opportunity to investigate and improve security posture.
  • Targeted Outreach: Where possible, undertake targeted outreach to those forwarding email incorrectly.
  • Importance of BIMI: BIMI should be used to show your company logo to users

What email marketers say
13Marketer opinions

When handling DMARC failures due to email forwarding, several strategies can be employed. A common starting point is to implement a DMARC policy of 'p=none' to monitor email streams without rejecting emails. Analyzing DMARC reports is crucial to identify forwarding patterns and potential authentication issues. Recipient education is vital, encouraging them to forward emails as attachments or use methods that preserve headers. Alternative communication channels like SMS or web-based alerts can bypass email authentication problems altogether. On the technical side, ARC (Authenticated Received Chain) can help preserve authentication across multiple hops, and DKIM signing ensures email integrity. SPF flattening can prevent SPF record lookup limits. Regular infrastructure audits and a combination of SPF, DKIM, and DMARC are recommended to enhance overall email deliverability.

Key opinions

  • Monitoring DMARC: Using a 'p=none' DMARC policy for monitoring helps identify forwarding issues without immediate rejections.
  • Recipient Education: Educating recipients on proper forwarding methods (as attachments) reduces authentication failures.
  • Alternative Channels: Employing SMS or web alerts bypasses email authentication problems for critical communications.
  • ARC Implementation: ARC (Authenticated Received Chain) can preserve authentication results across multiple email hops.
  • DKIM Signing: DKIM ensures email integrity and allows recipients to verify authenticity.
  • SPF Flattening: SPF flattening prevents exceeding SPF record lookup limits, maintaining validity.

Key considerations

  • DMARC Reports: Regularly review DMARC reports to understand forwarding patterns and authentication failures.
  • Infrastructure Audits: Conduct regular audits to identify and fix misconfigurations affecting email authentication.
  • Combined Authentication: Use a combination of SPF, DKIM, and DMARC for comprehensive email authentication.
  • Technical limitations: Outside of p=quarantine, there are few technical solutions.
  • Targeted Outreach: If possible, undertake targeted outreach to the biggest offenders, asking them to add you to their safe senders list.
Marketer view

Email marketer from Valimail Blog suggests using a DMARC policy of 'p=none' to monitor email streams without rejecting legitimate emails that fail authentication due to forwarding. Analyze DMARC reports to identify forwarding patterns and adjust configurations or contact frequent forwarders.

March 2025 - Valimail Blog
Marketer view

Email marketer from Reddit suggests starting with a DMARC policy of 'p=none' and gradually moving to 'p=quarantine' or 'p=reject' as you gain confidence in your email authentication setup. Monitor DMARC reports to identify and address any issues with forwarding or other authentication failures.

December 2021 - Reddit
Marketer view

Marketer from Email Geeks suggests that outside of setting the policy to p=quarantine instead of p=reject, there isn't a technical solution. Also they suggest sending a broadcast email to all contacts.

August 2024 - Email Geeks
Marketer view

Email marketer from SparkPost Blog advises using SPF flattening techniques to avoid exceeding the SPF record lookup limit. This can help ensure that your SPF record remains valid and that legitimate emails pass authentication.

June 2023 - SparkPost Blog
Marketer view

Email marketer from Small Business Forum suggests that, in scenarios where forwarded emails are critical, consider using alternative communication methods such as SMS notifications or web-based alerts to bypass email authentication issues.

November 2022 - Small Business Forum
Marketer view

Email marketer from MXToolbox suggests performing regular audits of your email infrastructure to identify and address any misconfigurations or vulnerabilities that may impact email authentication. This includes reviewing SPF records, DKIM settings, and DMARC policies.

December 2022 - MXToolbox
Marketer view

Email marketer from Email Marketing Forum shares that educating recipients on how to properly forward emails (e.g., as attachments or using forwarding features that preserve headers) can help mitigate DMARC failures. Provide clear instructions and resources to guide users.

March 2022 - Email Marketing Forum
Marketer view

Marketer from Email Geeks suggests that if changing the mail flow is not possible, targeted outreach to recipients to add the sender to their allow-list could help. They also suggest a secondary channel (PagerDuty, Signal, web-push, etc.) might mitigate the problem.

January 2024 - Email Geeks
Marketer view

Email marketer from StackOverflow suggests exploring ARC (Authenticated Received Chain) to preserve authentication results across multiple hops. This can help ensure that forwarded emails are still authenticated, even after passing through multiple servers.

September 2022 - StackOverflow
Marketer view

Email marketer from Mailjet explains to educate recipients about the importance of not forwarding emails, or provide instructions on how to forward emails without breaking authentication (e.g., forwarding as attachments). Also, consider offering alternative communication methods that bypass email altogether.

July 2022 - Mailjet
Marketer view

Email marketer from Reddit recommends using a combination of SPF, DKIM, and DMARC to mitigate forwarding issues. Additionally, they suggest working with ISPs to establish trusted relationships and improve email deliverability.

June 2022 - Reddit
Marketer view

Email marketer from SendGrid suggests implementing DKIM (DomainKeys Identified Mail) signing to add a digital signature to your emails. This can help ensure that the content of your email is not altered during transit and that recipients can verify its authenticity.

November 2021 - SendGrid
Marketer view

Email marketer from MarketingProfs highlights the importance of regularly reviewing DMARC reports to identify any issues with email authentication. These reports can provide valuable insights into forwarding patterns, authentication failures, and potential spoofing attempts.

January 2024 - MarketingProfs

What the experts say
3Expert opinions

Experts emphasize the importance of comprehensive email authentication using SPF, DKIM, and DMARC across all email domains to prevent phishing. While ARC (Authenticated Received Chain) helps preserve authentication across forwarding chains, it's not a complete solution and requires careful investigation. Forwarding can also complicate List-Unsubscribe header handling, potentially causing unintended unsubscribes when authentication breaks, requiring careful configuration and an understanding of forwarding scenarios. BIMI (Brand Indicators for Message Identification) should be used to show your company logo.

Key opinions

  • Comprehensive Authentication: SPF, DKIM, and DMARC are essential for securing email domains against phishing.
  • ARC Limitations: ARC helps preserve authentication, but it's not a complete solution for all forwarding scenarios.
  • List-Unsubscribe Complications: Forwarding can break List-Unsubscribe, leading to unintended unsubscribes.
  • Importance of BIMI: BIMI should be used to show your company logo to users

Key considerations

  • Forwarding Scenarios: Carefully consider how forwarding impacts authentication results and List-Unsubscribe handling.
  • Configuration Complexity: Proper configuration is crucial for managing forwarding complexities.
  • Investigation of issues: Treating authentication as a reason to investigate issues and using tools like ARC is crucial.
Expert view

Expert from Word to the Wise, Laura Atkins, explains that ARC (Authenticated Received Chain) is helpful but not a complete solution. She suggests that senders using authentication shouldn't see forwarding as a problem, but rather a reason to investigate and consider tools like ARC to help preserve authentication results.

July 2021 - Word to the Wise
Expert view

Expert from Word to the Wise, Laura Atkins, discusses the complications that forwarding can introduce with List-Unsubscribe headers, potentially causing unintended unsubscribes when forwarding breaks authentication. Proper handling requires careful configuration and understanding of forwarding scenarios.

February 2022 - Word to the Wise
Expert view

Expert from Spam Resource, Scott Richter, explains the need to implement SPF, DKIM and DMARC across all your email domains. He also explains how DMARC can help to protect your domain from being used in phishing attacks. He also suggest using BIMI to show your company logo to users

November 2021 - Spam Resource

What the documentation says
4Technical articles

Documentation highlights several approaches to handle DMARC failures due to forwarding. ARC (Authenticated Received Chain) is recommended for preserving authentication across intermediaries, allowing validation of original authentication. DMARC implementation should be phased, starting with a monitoring-only policy ('p=none') before moving to enforcement. SPF records need accurate configuration, including all legitimate sending sources. Microsoft 365 offers trusted forwarder configurations to maintain authentication for forwarded emails.

Key findings

  • ARC Protocol: ARC preserves authentication results across forwarding hops, aiding validation.
  • Phased DMARC: A phased DMARC rollout, starting with monitoring, helps identify and resolve issues.
  • SPF Configuration: Accurate SPF records are necessary but insufficient for handling forwarding alone.
  • Trusted Forwarders: Microsoft 365 allows configuration of trusted forwarders to preserve authentication.

Key considerations

  • Scope of ARC: Understand the limitations of ARC and when it's most effective.
  • Policy Enforcement: Carefully plan DMARC policy enforcement to minimize disruption to legitimate email flow.
  • SPF Sufficiency: Recognize that SPF alone might not handle all forwarding scenarios; consider complementary mechanisms.
  • Microsoft 365 Configuration: Properly configure trusted forwarders within Microsoft 365 for optimal results.
Technical article

Documentation from DMARC.org advises implementing DMARC in phases, starting with a monitoring-only policy ('p=none') and progressing to enforcement policies ('p=quarantine' or 'p=reject') as you gain visibility into your email ecosystem and resolve any authentication issues.

July 2023 - DMARC.org
Technical article

Documentation from Microsoft Docs recommends that configuring trusted forwarders in Microsoft 365 can help preserve authentication results for forwarded emails. This involves setting up specific rules and policies to recognize and trust legitimate forwarding sources.

November 2023 - Microsoft Docs
Technical article

Documentation from Google Workspace Admin Help explains that the Authenticated Received Chain (ARC) protocol preserves email authentication results across intermediaries, which can help in forwarded email scenarios. Implementing ARC can allow receiving mail servers to validate the original authentication even after forwarding.

January 2025 - Google Workspace Admin Help
Technical article

Documentation from RFC Editor explains how to configure SPF records to authorize sending sources. Ensure your SPF record includes all legitimate sending sources, including those used by third-party services. Note that SPF alone is often insufficient to handle forwarding scenarios.

August 2021 - RFC Editor