Why are internal emails flagged as impersonation when using a 3rd party provider even with SPF and DKIM verification?
Summary
What email marketers say (11 marketer opinions)
Email marketer from EmailGeeks forum responds that internal email systems may flag emails from third-party providers as impersonation if the internal system is configured to treat all emails that originate outside of the organization's network as suspicious. Review your internal email system's configurations and adjust the settings to trust emails coming from your authenticated third-party provider.
Marketer from Email Geeks shares that if you’ve just now started authenticating your mail with SPF and DKIM and DMARC, this is the first that Google has seen mail that’s associated with these newly authenticating identifiers. These newly authenticated identifiers have not yet established any kind of reputation at Google, but they will establish a reputation over time as more and more mail associated with those authenticated identifiers is sent to Google. Once those reputations are established, then the authentication will ensure that you get the deliverability you deserve.
Email marketer from StackExchange responds that internal emails forwarded through external services may fail SPF checks due to the forwarding server not being authorized in the SPF record. Configure your email servers to handle forwarded emails correctly to avoid this issue.
Email marketer from Mail Server Forum explains that the email message passing through multiple servers ('hops') can affect authentication results. If an email goes through a server that modifies the headers or content after SPF/DKIM validation, this can invalidate the authentication. It's important to ensure that all servers in the email path are configured to maintain the integrity of the email.
Email marketer from Reddit answers that one reason emails are still flagged as impersonation even with SPF/DKIM set up is because of restrictive internal email policies and filtering rules. The receiving mail server may have strict rules in place to identify and flag emails as impersonation based on certain patterns or characteristics, regardless of the authentication protocols. You should adjust your filters.
Email marketer from Reddit explains that a common issue in Office 365 is that the internal filtering settings are set to be very aggressive. Office 365's anti-phishing policies can sometimes misinterpret legitimate emails as phishing attempts, especially if they are coming from a third-party service. Review and adjust your Office 365 anti-phishing settings to allow emails from your third-party provider.
Email marketer from Superuser answers that internal emails can be marked as impersonation because the internal mail server sees the email coming from an external source (the third-party provider) that it doesn't recognize as a legitimate sender for your domain. The mail server uses anti-spoofing filters to detect and block these emails, considering them as potential phishing attempts.
Email marketer from Mailjet shares that email deliverability problems can arise with SPF and DKIM if the IP address of the sending server isn't correctly added to the SPF record or if the DKIM signature is invalid. They also suggest that a mismatch between the 'From' address and the domain used to sign the email can trigger impersonation flags.
Email marketer from EmailDeliverabilityBlog shares that even with SPF and DKIM in place, your email domain or IP address might have a low reputation. Some internal systems flag emails from domains or IPs with a poor reputation, regardless of authentication. You can improve your reputation by consistently sending high-quality emails and ensuring low complaint rates.
Email marketer from Quora answers, if your emails are being flagged as impersonation, your internal policies or filtering rules might be too strict. This is often the case when dealing with external providers, as internal systems may not recognize them as valid senders. Review and adjust these policies to recognize and trust emails from your third-party provider.
Email marketer from EmailMarketingForum explains that a common problem is incorrect SPF and DMARC configuration. Even if SPF and DKIM are set up, DMARC policies can cause emails to be flagged if the DMARC policy is set to reject or quarantine emails that fail SPF or DKIM checks. Ensure that your DMARC policy is properly configured and that your third-party provider is aligned with your DMARC policy.
What the experts say (4 expert opinions)
Expert from Email Geeks notes that the external authentication looks good, but there’s an internal handoff at messagelabs/Microsoft that’s breaking things, but is unsure how much of an issue that is.
Expert from SpamResource answers that emails from a 3rd party can be flagged even with SPF/DKIM, due to internal policies overriding authentication protocols. These policies identify emails as impersonation based on sender patterns, regardless of authentication. Review internal filters.
Expert from Word to the Wise explains that DMARC, even with SPF and DKIM, can cause internal emails to be flagged if the DMARC policy is set too strictly (e.g., p=reject). This policy might instruct receiving servers to reject emails that appear to be from your domain but fail authentication, even if they're legitimate internal emails sent via a third-party provider. You should review your DMARC policy to ensure it is aligned with your email sending practices.
Expert from Email Geeks explains that if you’re sending “from” your domain via an external 3rd party provider to recipients in that domain that’s exactly what simple mail security setups consider impersonation. He also suggests that the final answer might be that the "enterprise filter gonna enterprise filter".
What the documentation says (3 technical articles)
Documentation from DMARC.org answers that internal spoofing can happen when organizational policies are not correctly configured to handle email from internal senders that are routed through external providers. It is important that your internal authentication configurations are correctly set up.
Documentation from Google Workspace Admin Help explains that internal spoofing can occur if inbound mail isn't properly authenticated. This documentation also explains how to make sure mail is authenticated, including setting up SPF, DKIM, and DMARC records, as well as adjusting settings for inbound mail in the Google Admin console to detect and manage spoofing attempts.
Documentation from Microsoft Learn explains that even with SPF and DKIM configured correctly, internal emails can be flagged as impersonation if the receiving mail server's configuration is too strict or if there are conflicting email authentication settings within the organization's email environment.
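As an added example (not taken from any of the sources quoted above), the Python sketch below triages a flagged message by separating the two causes the opinions describe: a From/signing-domain mismatch that breaks DMARC alignment, versus mail that is authenticated and aligned but still matches the internal-sender-to-internal-recipient pattern that local anti-impersonation rules act on. The domains, the `mx.example.com` authserv-id, the sample message and the function names are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: "From" example.com, sent through a hypothetical provider
# (mailer.example.net) to a recipient inside example.com.
SAMPLE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounces.mailer.example.net;
 dkim=pass header.d=mailer.example.net;
 dkim=pass header.d=example.com
From: "HR Team" <hr@example.com>
To: alice@example.com
Subject: Benefits enrollment

Constructed body.
"""

def org_domain(domain):
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, internal_domains, authserv_id):
    msg = message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    # Trust only Authentication-Results stamped by our own receiver.
    ar = " ".join(h for h in msg.get_all("Authentication-Results", [])
                  if h.split(";")[0].strip().lower() == authserv_id)
    spf = re.findall(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    def aligned(results):  # relaxed alignment: same organizational domain as From
        return any(r == "pass" and org_domain(d) == org_domain(from_dom)
                   for r, d in results)
    if aligned(spf) or aligned(dkim):
        verdict = "aligned"
    elif any(r == "pass" for r, _ in spf + dkim):
        verdict = "authenticated-but-unaligned"
    else:
        verdict = "unauthenticated"
    # From and To both in our own domains: the addressing pattern that internal
    # anti-impersonation rules match on, whatever the verdict above says.
    internal_pair = (from_dom in internal_domains
                     and addr_domain(msg["To"]) in internal_domains)
    return {"from": from_dom, "spf_aligned": aligned(spf),
            "dkim_aligned": aligned(dkim), "verdict": verdict,
            "internal_pair": internal_pair}
```

A result of `aligned` together with `internal_pair` set points at the receiving filter's policy rather than at the DNS records; `authenticated-but-unaligned` points at the provider signing or bouncing with its own domain.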