How does email forwarding affect authentication results?

The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) authentication standard utilizes both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help determine the legitimacy of an email message. When authentication checks fail, mailbox providers may perceive the email message to be spam and block the email message or place the email in to the spam folder. And the process of forwarding an email can cause your authentication to fail.

Email forwarding's effect on authentication results

The SPF authentication check almost always fails during email forwarding. The SPF authentication check fails because the forwarded message is sent from a new IP address that is most likely not included in the original sender’s SPF record.

DKIM signatures are not typically impacted by email forwarding. However, this is dependent upon the forwarding entity not altering the message headers or altering the message body.

Common DKIM failures caused by forwarding include:

  • Modifying the MIME boundaries by the forwarding entity.
  • Anti-virus or anti-spam programs modifying the body of the message.
  • Expanding the message recipient using Lightweight Directory Access Protocol (LDAP) by the forwarding entity.
  • Re-encoding the message by the forwarding entity.

Since DMARC only requires that you pass authentication verification and align domains for either SPF or DKIM, any messages that are DKIM neutral and rely on SPF authentication will most likely fail DMARC when forwarded. This ensures that if one authentication method does not pass verification due to forwarding, the other authentication method that does pass verification results in a passed DMARC verification. 

Therefore, Return Path recommends passing and aligning for both SPF and DKIM on all email traffic. Beside these possible message alterations that could cause DKIM to fail, DKIM is the most likely authentication method to not be impacted by forwarding.

Mailbox provider overrides
Mailbox providers that participate in the DMARC standard do reserve the right to override any sender’s DMARC record policy of reject or quarantine (p=reject, p=quarantine). This happens if their heuristics identify a message that failed authentication but is believed to be legitimate. 

If a mailbox provider has a message that failed DMARC but they are highly confident it is a legitimate forward, they will override the policy and deliver the message.

Was this article helpful?
3 out of 3 found this helpful
Have more questions? Submit a request