How to handle DMARC failures when email is forwarded by recipients?
Summary
What email marketers say
13 marketer opinions
Email marketer from Valimail Blog suggests using a DMARC policy of 'p=none' to monitor email streams without rejecting legitimate emails that fail authentication due to forwarding. Analyze DMARC reports to identify forwarding patterns and adjust configurations or contact frequent forwarders.
Email marketer from Reddit suggests starting with a DMARC policy of 'p=none' and gradually moving to 'p=quarantine' or 'p=reject' as you gain confidence in your email authentication setup. Monitor DMARC reports to identify and address any issues with forwarding or other authentication failures.
Marketer from Email Geeks suggests that outside of setting the policy to p=quarantine instead of p=reject, there isn't a technical solution. Also they suggest sending a broadcast email to all contacts.
Email marketer from SparkPost Blog advises using SPF flattening techniques to avoid exceeding the SPF record lookup limit. This can help ensure that your SPF record remains valid and that legitimate emails pass authentication.
Email marketer from Small Business Forum suggests that, in scenarios where forwarded emails are critical, consider using alternative communication methods such as SMS notifications or web-based alerts to bypass email authentication issues.
Email marketer from MXToolbox suggests performing regular audits of your email infrastructure to identify and address any misconfigurations or vulnerabilities that may impact email authentication. This includes reviewing SPF records, DKIM settings, and DMARC policies.
Email marketer from Email Marketing Forum shares that educating recipients on how to properly forward emails (e.g., as attachments or using forwarding features that preserve headers) can help mitigate DMARC failures. Provide clear instructions and resources to guide users.
Marketer from Email Geeks suggests that if changing the mail flow is not possible, targeted outreach to recipients to add the sender to their allow-list could help. They also suggest a secondary channel (PagerDuty, Signal, web-push, etc.) might mitigate the problem.
Email marketer from StackOverflow suggests exploring ARC (Authenticated Received Chain) to preserve authentication results across multiple hops. This can help ensure that forwarded emails are still authenticated, even after passing through multiple servers.
Email marketer from Mailjet recommends educating recipients about the importance of not forwarding emails, or providing instructions on how to forward emails without breaking authentication (e.g., forwarding as attachments). Also, consider offering alternative communication methods that bypass email altogether.
Email marketer from Reddit recommends using a combination of SPF, DKIM, and DMARC to mitigate forwarding issues. Additionally, they suggest working with ISPs to establish trusted relationships and improve email deliverability.
Email marketer from SendGrid suggests implementing DKIM (DomainKeys Identified Mail) signing to add a digital signature to your emails. This can help ensure that the content of your email is not altered during transit and that recipients can verify its authenticity.
Email marketer from MarketingProfs highlights the importance of regularly reviewing DMARC reports to identify any issues with email authentication. These reports can provide valuable insights into forwarding patterns, authentication failures, and potential spoofing attempts.
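The report review recommended above, sketched as an added example (not code from any of the sources quoted here): it reads a DMARC aggregate report and separates forwarded mail whose DKIM signature survived from mail that fails DMARC outright. The report is a constructed sample, and the bucket names are this example's own heuristic labels.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: trimmed RFC 7489 aggregate report; IPs are documentation ranges.
_ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        "<policy_evaluated><disposition>none</disposition>"
        "<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        "<identifiers><header_from>example.com</header_from></identifiers>"
        "<auth_results>{sig}<spf><domain>{spf_dom}</domain>"
        "<result>{spf_raw}</result></spf></auth_results></record>")
_SIG = "<dkim><domain>example.com</domain><result>{}</result></dkim>"
SAMPLE_REPORT = "<feedback>" + "".join([
    _ROW.format(ip="192.0.2.10", n=950, dkim="pass", spf="pass",
                sig=_SIG.format("pass"), spf_dom="example.com", spf_raw="pass"),
    _ROW.format(ip="198.51.100.7", n=40, dkim="pass", spf="fail",
                sig=_SIG.format("pass"), spf_dom="forwarder.example", spf_raw="pass"),
    _ROW.format(ip="198.51.100.99", n=12, dkim="fail", spf="fail",
                sig=_SIG.format("fail"), spf_dom="lists.example", spf_raw="pass"),
    _ROW.format(ip="203.0.113.66", n=5, dkim="fail", spf="fail",
                sig="", spf_dom="example.com", spf_raw="fail"),
]) + "</feedback>"


def classify(record, from_domain):
    """Heuristic bucket for one <record>, based on the aligned DMARC results."""
    dkim = record.findtext("row/policy_evaluated/dkim")
    spf = record.findtext("row/policy_evaluated/spf")
    if dkim == "pass" and spf == "pass":
        return "direct"
    if dkim == "pass":
        return "forwarded_dkim_survived"   # SPF broke, DMARC still passes
    if spf == "pass":
        return "dkim_broken_at_source"     # authorised IP, bad signature
    # Our signature present but invalid suggests the body or headers changed in transit.
    signed = any(d.findtext("domain") == from_domain
                 for d in record.findall("auth_results/dkim"))
    return "forwarded_modified" if signed else "unauthenticated"


def summarize(xml_text, from_domain="example.com"):
    """Message counts per bucket plus source IPs that fail DMARC outright."""
    # Reports are third-party input; parse them with defusedxml in production.
    totals, failing_ips = Counter(), {}
    for rec in ET.fromstring(xml_text).iter("record"):
        label = classify(rec, from_domain)
        totals[label] += int(rec.findtext("row/count"))
        if label in ("forwarded_modified", "unauthenticated"):
            failing_ips[rec.findtext("row/source_ip")] = label
    return dict(totals), failing_ips
```

Only the last two buckets would be quarantined or rejected under an enforcement policy, so their volume and source IPs are what to review before leaving 'p=none'.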
What the experts say
3 expert opinions
Expert from Word to the Wise, Laura Atkins, explains that ARC (Authenticated Received Chain) is helpful but not a complete solution. She suggests that senders using authentication shouldn't see forwarding as a problem, but rather a reason to investigate and consider tools like ARC to help preserve authentication results.
Expert from Word to the Wise, Laura Atkins, discusses the complications that forwarding can introduce with List-Unsubscribe headers, potentially causing unintended unsubscribes when forwarding breaks authentication. Proper handling requires careful configuration and understanding of forwarding scenarios.
Expert from Spam Resource, Scott Richter, explains the need to implement SPF, DKIM and DMARC across all your email domains. He also explains how DMARC can help to protect your domain from being used in phishing attacks. He also suggests using BIMI to show your company logo to users.
What the documentation says
4 technical articles
Documentation from DMARC.org advises implementing DMARC in phases, starting with a monitoring-only policy ('p=none') and progressing to enforcement policies ('p=quarantine' or 'p=reject') as you gain visibility into your email ecosystem and resolve any authentication issues.
Documentation from Microsoft Docs recommends configuring trusted forwarders in Microsoft 365 to help preserve authentication results for forwarded emails. This involves setting up specific rules and policies to recognize and trust legitimate forwarding sources.
Documentation from Google Workspace Admin Help explains that the Authenticated Received Chain (ARC) protocol preserves email authentication results across intermediaries, which can help in forwarded email scenarios. Implementing ARC can allow receiving mail servers to validate the original authentication even after forwarding.
Documentation from RFC Editor explains how to configure SPF records to authorize sending sources. Ensure your SPF record includes all legitimate sending sources, including those used by third-party services. Note that SPF alone is often insufficient to handle forwarding scenarios.
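For the SPF advice above (authorizing every sending source, and flattening to stay under the lookup limit), an added example that is not taken from any of the cited sources: it counts the DNS-querying terms in an SPF record, following includes, and compares a nested record with a flattened one. The zone data is constructed and stands in for DNS; all domain names and ranges are hypothetical, and SPF macros are not handled.

```python
import re

SPF_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for DNS; every name and range is hypothetical.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.example "
                   "include:_spf.crm.example include:_spf.helpdesk.example ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example "
                           "include:b.mailer.example include:c.mailer.example -all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/26 -all",
    "b.mailer.example": "v=spf1 ip4:192.0.2.64/26 -all",
    "c.mailer.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "_spf.crm.example": "v=spf1 include:_netblocks.crm.example -all",
    "_netblocks.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.helpdesk.example": "v=spf1 a:mail.helpdesk.example mx -all",
    # Flattened variant of example.com: includes replaced by their address ranges.
    "flat.example.com": "v=spf1 mx ip4:192.0.2.0/25 ip6:2001:db8:1::/48 "
                        "ip4:198.51.100.0/24 ip4:203.0.113.5 ~all",
}


def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from `domain` (macros not handled)."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue                      # ip4, ip6, all, exp do not count
        total += 1
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += count_lookups(target, zone, path + (domain,))
    return total


def audit(domain, zone=ZONE):
    """Return (lookup_count, within_limit) for a domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, n <= SPF_LIMIT
```

A flattened record goes stale when a provider changes its ranges, so it has to be regenerated and re-checked on a schedule.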