DMARC Failing on Forwarded Emails — Why and How to Fix It
Why Does DMARC Fail When Emails Are Forwarded?
DMARC fails on forwarded emails because SPF checks the IP address of the server that delivered the message — and after forwarding, that is the forwarding server, not the original sender. Since the forwarding server's IP is not listed in the original sender's SPF record, SPF fails. If DKIM also breaks (which can happen if the forwarding service modifies the message), DMARC has no passing, aligned authentication — and it fails.
This is one of the most frustrating DMARC issues because it affects legitimate email and there is no single perfect fix.
How Email Forwarding Breaks Authentication
Here is what happens step by step:
- You send an email from you@yourdomain.com. SPF passes, DKIM passes — everything is fine
- The recipient has a forwarding rule: user@university.edu → user@gmail.com. The university mail server forwards your email to Gmail
- Gmail receives the email from the university's IP address, not yours
- Gmail checks SPF: the university's IP is not in yourdomain.com's SPF record → SPF fails
- If the university server modified the message (added a footer, changed headers), DKIM may also fail
- Neither SPF nor DKIM produces a passing, aligned result → DMARC fails
Original path: you → recipient's server (SPF passes ✓)
Forwarded path: you → recipient → Gmail (SPF fails ✗)
What Survives Forwarding?
| Mechanism | Survives Forwarding? | Notes |
|---|---|---|
| SPF | No | The forwarding server's IP replaces the original sender's IP |
| DKIM | Usually | Survives if the message is forwarded without modification; breaks if the forwarder adds footers, modifies headers, or re-encodes the message |
| ARC | Yes (if supported) | Preserves the original authentication chain |
DKIM is your best defense against forwarding-related DMARC failures. If your DKIM signature survives the forwarding process (which it will in most cases), DMARC can pass via DKIM alignment even when SPF fails.
What Can You Do About It?
As the Sender
1. Make sure DKIM is always configured correctly. This is the single most important thing. DKIM signatures travel with the message and are your best chance at surviving forwarding.
2. Use relaxed alignment. Set adkim=r in your DMARC record so that a DKIM signature whose d= domain is a subdomain of your From domain still aligns:
v=DMARC1; p=quarantine; adkim=r; rua=mailto:dmarc@yourdomain.com
3. Monitor your DMARC reports. Forwarding-related failures will show up as failures from IP addresses you do not recognize, but with legitimate From headers. Understanding the volume helps you decide whether to adjust your policy.
4. Consider p=quarantine instead of p=reject if forwarding is a significant issue. Quarantine sends failing emails to spam rather than blocking them entirely, which is less disruptive for forwarded mail.
As the Forwarder / Recipient
1. Implement ARC (Authenticated Received Chain). ARC is a protocol specifically designed to solve the forwarding problem. It preserves the original authentication results and allows the final destination to evaluate whether the forwarding chain is trustworthy.
2. Use SRS (Sender Rewriting Scheme). SRS rewrites the envelope sender to the forwarding domain, which fixes SPF at the cost of changing the Return-Path. This does not fix DMARC alignment directly, but it prevents SPF hard failures.
3. Avoid modifying forwarded messages. Adding footers, disclaimers, or modifying headers will break DKIM signatures.
Understanding ARC (Authenticated Received Chain)
ARC is the industry's answer to the forwarding problem. It works like this:
- The first server receives the email and records the authentication results (SPF, DKIM, DMARC)
- It seals those results with its own cryptographic signature
- Each subsequent server in the forwarding chain adds its own seal
- The final destination can verify the entire chain and trust the original results
Major email providers like Gmail, Microsoft, and Yahoo support ARC. If you are running your own mail server, consider implementing ARC to improve deliverability for forwarded messages.
How to Identify Forwarding Failures in DMARC Reports
In your DMARC aggregate reports, forwarding failures typically look like this:
- Source IP does not belong to you or any of your authorized senders
- SPF result: fail
- DKIM result: pass if the message was not modified (in that case DMARC still passes through DKIM alignment, so the row is not a failure) or fail if it was
- DMARC result: fail
- Volume: relatively low compared to your total sends
The source IPs will often belong to universities, ISPs, or mail hosting providers that offer forwarding services. You can look up the IPs to confirm.
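The signs listed above turned into triage logic, as an added example that is not part of the original article: it walks the records of a constructed DMARC aggregate (RUA) report in the RFC 7489 Appendix C layout and separates probable forwarding (a DKIM signature from your domain that no longer verifies) from probable spoofing (no signature from your domain at all). AUTHORIZED_NETS is a placeholder for the ranges your SPF record actually authorizes.

```python
# Added example, not from the original article: triage DMARC aggregate report rows.
# SAMPLE_REPORT is constructed; AUTHORIZED_NETS is a placeholder for your real ranges.
import ipaddress
import xml.etree.ElementTree as ET

AUTHORIZED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder

SAMPLE_REPORT = """<feedback>
<record><row><source_ip>203.0.113.10</source_ip><count>950</count><policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>yourdomain.com</header_from></identifiers>
<auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim><spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count><policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>yourdomain.com</header_from></identifiers>
<auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.8</source_ip><count>4</count><policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>yourdomain.com</header_from></identifiers>
<auth_results><dkim><domain>yourdomain.com</domain><result>fail</result></dkim><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.55</source_ip><count>600</count><policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>yourdomain.com</header_from></identifiers>
<auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def classify(record: ET.Element) -> str:
    """Heuristic label for one <record>, mirroring the signs listed in the article."""
    row = record.find("row")
    ip = ipaddress.ip_address(row.findtext("source_ip"))
    # policy_evaluated holds the *aligned* verdicts; one pass means DMARC passed
    if "pass" in (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf")):
        return "pass"  # includes forwarded mail whose DKIM signature survived
    if any(ip in net for net in AUTHORIZED_NETS):
        return "own-sender-misconfigured"  # our IP, yet nothing aligned: fix SPF/DKIM
    # A failing signature from our own domain means we signed it and it was altered in
    # transit (footer, header changes). No signature from us at all looks like spoofing.
    signed_by_us = any(d.findtext("domain") == record.findtext("identifiers/header_from")
                       for d in record.findall("auth_results/dkim"))
    return "likely-forwarding" if signed_by_us else "likely-spoofing"

def triage(xml_text: str) -> dict[str, list[tuple[str, int]]]:
    """Group (source_ip, count) per label so the volume of each bucket is visible."""
    buckets: dict[str, list[tuple[str, int]]] = {}
    for record in ET.fromstring(xml_text).findall("record"):
        row = record.find("row")
        buckets.setdefault(classify(record), []).append(
            (row.findtext("source_ip"), int(row.findtext("count"))))
    return buckets

if __name__ == "__main__":
    for label, rows in triage(SAMPLE_REPORT).items():
        print(f"{label:26} {rows}")
```

Note the volumes: the forwarding bucket is small next to the legitimate and spoofed traffic, which is the pattern the article describes.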
FAQ
Should I lower my DMARC policy because of forwarding failures?
Not necessarily. If the forwarding failures represent a small percentage of your total email, keeping p=reject is still the right choice — the security benefits outweigh the minor deliverability impact on forwarded mail. If forwarding is a significant portion of your audience (e.g., you send to many university addresses), consider p=quarantine.
Will ARC completely fix the forwarding problem?
ARC helps significantly, but it is not universally adopted. The final receiving server must support ARC and must trust the forwarding server's ARC signature. Major providers like Gmail and Outlook support ARC, but smaller mail servers may not.
Does SPF ever pass after forwarding?
Only if the forwarding server is listed in the sender's SPF record, which is rare. Some forwarding services use SRS (Sender Rewriting Scheme), which rewrites the Return-Path, but this changes the domain, so SPF alignment still fails even if SPF authentication passes for the new domain.
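The forwarding walkthrough, the adkim=r item and this SRS answer all come down to one rule: DMARC passes only when a passing mechanism also aligns with the From domain. The following simplified evaluator, an added example and not code from the article, replays those cases (direct delivery, forwarding with DKIM intact, forwarding that broke DKIM, an SRS forwarder, and a subdomain DKIM signature under adkim=r versus adkim=s). It approximates the organizational domain with the last two labels; real verifiers use the Public Suffix List.

```python
# Added example, not from the original article: a simplified DMARC alignment evaluator.
# org_domain() is an approximation; real implementations consult the Public Suffix List.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification: last two labels stand in for the Public Suffix List lookup
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":  # strict: exact match with the RFC5322.From domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

@dataclass(frozen=True)
class AuthResult:
    from_domain: str   # domain in the visible From header, the one DMARC protects
    spf_result: str    # SPF verdict for the envelope sender (Return-Path) domain
    spf_domain: str    # that envelope sender domain
    dkim_result: str   # verdict for the DKIM-Signature, "none" if there is no signature
    dkim_domain: str   # d= tag of that signature

def dmarc_passes(r: AuthResult, adkim: str = "r", aspf: str = "r") -> tuple[bool, str]:
    """DMARC passes if at least one passing mechanism also aligns; report which one."""
    if r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf):
        return True, "spf"
    if r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim):
        return True, "dkim"
    return False, "none"

# Constructed scenarios using the placeholder domains from the article
DIRECT = AuthResult("yourdomain.com", "pass", "yourdomain.com", "pass", "yourdomain.com")
# university forwards to Gmail unchanged: its IP is not in your SPF, DKIM still verifies
FORWARDED = AuthResult("yourdomain.com", "fail", "yourdomain.com", "pass", "yourdomain.com")
# the forwarder appended a footer: body hash no longer matches, so DKIM fails as well
FORWARDED_MODIFIED = AuthResult("yourdomain.com", "fail", "yourdomain.com", "fail", "yourdomain.com")
# forwarder uses SRS: SPF passes for university.edu, but that domain does not align
SRS_MODIFIED = AuthResult("yourdomain.com", "pass", "university.edu", "fail", "yourdomain.com")
# signed with d=mail.yourdomain.com: aligns only under relaxed adkim
SUBDOMAIN_SIGNED = AuthResult("yourdomain.com", "fail", "yourdomain.com", "pass", "mail.yourdomain.com")

if __name__ == "__main__":
    cases = [("direct", DIRECT), ("forwarded", FORWARDED),
             ("forwarded+footer", FORWARDED_MODIFIED), ("srs+footer", SRS_MODIFIED)]
    for name, r in cases:
        print(f"{name:17} -> {dmarc_passes(r)}")
    print("subdomain adkim=r ->", dmarc_passes(SUBDOMAIN_SIGNED, adkim="r"))
    print("subdomain adkim=s ->", dmarc_passes(SUBDOMAIN_SIGNED, adkim="s"))
```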