Email forwarding breaks DMARC because SPF checks the forwarding server's IP, not the original sender's IP, causing SPF alignment failure. DKIM may survive if the forwarder doesn't modify the message body. When both fail, DMARC fails. ARC (Authenticated Received Chain) is the protocol designed to solve this by preserving authentication results through forwarding hops.
DMARC and Email Forwarding: Why Forwarded Mail Fails
The Forwarding Problem
When someone forwards your email — through Gmail forwarding, university email aliases, or corporate mail routing — this happens:
- Your server sends to [email protected]
- The university forwards it to [email protected]
- Gmail sees the message arriving from the university's IP
SPF breaks because SPF checks the sending IP against your SPF record. The university's IP isn't in your SPF record. SPF fails or doesn't align.
DKIM usually survives because DKIM is attached to the message content, not the sending IP. As long as the forwarder doesn't modify the body or signed headers, DKIM passes.
DMARC needs only one of the two to pass and align. If DKIM passes and aligns, DMARC passes even though SPF failed. But if the forwarder modifies the body (breaking DKIM) and SPF fails (new IP), DMARC fails entirely.
What Breaks DKIM During Forwarding
Not all forwarding is equal:
| Forwarding Type | SPF | DKIM | DMARC |
|---|---|---|---|
| Simple redirect (no modification) | Fail | Pass | Pass (via DKIM) |
| Adds footer or disclaimer | Fail | Fail | Fail |
| Rewrites URLs | Fail | Fail | Fail |
| Mailing list with footer | Fail | Fail | Fail |
| SRS forwarding (rewrites envelope) | May pass | Pass | Depends |
Practitioner note: The forwarding cases that cause the most DMARC failures are corporate disclaimer footers and mailing list software. Both modify the message body after your server signed it. I see this in every DMARC aggregate report I review — there's always a percentage of failures from forwarding.
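To see why a footer is fatal while a plain redirect is not, the following added example (not code from the original page) recomputes the DKIM body hash the way a verifier does. It assumes the signature uses relaxed body canonicalization with SHA-256 and no `l=` length tag; the sample bodies and the `lists.example` footer are constructed.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # runs of whitespace become one space
        lines.append(line.rstrip(b" "))        # whitespace at end of line is ignored
    while lines and lines[-1] == b"":          # empty lines at end of body are ignored
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier recomputes and compares with the signature's bh= tag."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_body_survives(signed_body: bytes, delivered_body: bytes) -> bool:
    """True when the delivered body still matches the hash that was signed."""
    return body_hash(signed_body) == body_hash(delivered_body)


# Constructed sample bodies (assumptions, not taken from real mail).
SIGNED = b"Quarterly report attached.\r\nRegards,\r\nAlice\r\n"
REFLOWED = b"Quarterly  report attached. \r\nRegards,\r\nAlice\r\n\r\n"
WITH_FOOTER = SIGNED + b"-- \r\nForwarded by lists.example. Unsubscribe any time.\r\n"

if __name__ == "__main__":
    for label, body in [("plain redirect", SIGNED), ("whitespace reflow", REFLOWED),
                        ("footer appended", WITH_FOOTER)]:
        print(f"{label:18} bh={body_hash(body)[:16]}... "
              f"survives={dkim_body_survives(SIGNED, body)}")
```

Relaxed canonicalization tolerates whitespace changes only; any added or rewritten text, such as a disclaimer or a rewritten URL, changes the hash and the signature no longer verifies.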
ARC: The Real Solution
ARC (Authenticated Received Chain) was designed specifically for this problem. Here's how it works:
- Your server sends an authenticated message (SPF pass, DKIM pass)
- The forwarding server receives it and records the authentication results
- The forwarder adds ARC headers: ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal
- The final receiver checks the ARC chain to see the original authentication state
Gmail, Microsoft, and Yahoo all support ARC validation. When they see a trusted ARC chain showing the message originally passed DMARC, they can accept it despite the forwarding-induced failures.
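The chain a receiver inspects has a fixed shape, which this added example (not code from the original page) checks: instances numbered 1..n without gaps, exactly one of each of the three headers per instance, `cv=none` on the first seal and `cv=pass` on later ones. It reads the DMARC result recorded by the first hop but does not verify any signature, so it is a triage aid rather than a validator; the sample message and the `forwarder.example` and `sender.example` domains are constructed.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
I_TAG = re.compile(r"(?:^|;)\s*i\s*=\s*(\d+)")
CV_TAG = re.compile(r"(?:^|;)\s*cv\s*=\s*(\w+)")
DMARC_RES = re.compile(r"\bdmarc\s*=\s*(\w+)")


def arc_chain(raw_message: str):
    """Return (structure_state, dmarc result recorded by hop i=1 or None).

    Structure checks only, following RFC 8617; signatures are NOT verified.
    """
    msg = message_from_string(raw_message)
    sets = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            m = I_TAG.search(value)
            if not m:
                return "fail", None
            sets.setdefault(int(m.group(1)), {}).setdefault(name, []).append(value)
    if not sets:
        return "none", None              # message never passed an ARC sealer
    n = max(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail", None              # instances must run 1..n with no gaps
    for i in range(1, n + 1):
        if any(len(sets[i].get(h, [])) != 1 for h in ARC_HEADERS):
            return "fail", None          # each set needs exactly one of each header
        cv = CV_TAG.search(sets[i]["ARC-Seal"][0])
        if not cv or cv.group(1).lower() != ("none" if i == 1 else "pass"):
            return "fail", None          # cv=none on first seal, cv=pass afterwards
    first = DMARC_RES.search(sets[1]["ARC-Authentication-Results"][0])
    return "structure-ok", first.group(1).lower() if first else None


# Constructed sample: one forwarding hop; signature data replaced by placeholders.
SAMPLE = (
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=1; mx.forwarder.example;\n"
    " spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example;\n"
    " dmarc=pass header.from=sender.example\n"
    "From: alice@sender.example\nSubject: test\n\nbody\n"
)
```

A well-formed chain is only worth acting on after the ARC-Message-Signature and ARC-Seal signatures verify and the sealing domain is one the receiver trusts, since anyone can write these headers.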
What You Should Do
Don't weaken your DMARC policy. Moving from p=reject back to p=none because of forwarding failures defeats the entire purpose.
Do ensure DKIM is configured. DKIM is your forwarding lifeline. If the message body isn't modified, DKIM survives and DMARC passes via DKIM alignment.
Do use custom DKIM, not just SPF. If you're relying on SPF alone for DMARC alignment, every forwarded message will fail. Set up DKIM for every sending service.
Practitioner note: When I advance a client to p=reject, I always warn them: you'll see legitimate forwarding failures in your reports. This is expected. The volume should be small (typically 2-5% of total mail). If it's higher, investigate whether a major mailing list or forwarding path needs attention.
Monitoring Forwarding Failures
Your DMARC aggregate reports will show forwarding failures. Look for:
- IPs you don't recognize sending your domain's email
- Messages that fail SPF but pass DKIM (healthy forwarding)
- Messages that fail both SPF and DKIM (problematic forwarding)
The second category is fine — DMARC passes via DKIM. The third category needs investigation.
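The triage above can be automated. This added example (not code from the original page) sorts the rows of an aggregate report into those categories and reports what share of mail failed both checks; the report is a constructed sample trimmed to the fields used, in the RFC 7489 Appendix C layout, and the category names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; IPs come from the documentation ranges.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>sender.example</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def classify(report_xml: str):
    """Return ({category: {source_ip: message_count}}, percent failing both checks)."""
    # Reports come from third parties: treat them as untrusted XML and prefer a
    # hardened parser such as defusedxml when processing real mailboxes.
    root = ET.fromstring(report_xml)
    buckets = defaultdict(lambda: defaultdict(int))
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned results DMARC actually used.
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        if spf == "pass":
            category = "spf_aligned"          # direct mail from an authorised IP
        elif dkim == "pass":
            category = "healthy_forwarding"   # SPF fail, DKIM pass: DMARC passes
        else:
            category = "investigate"          # both fail: DMARC fails
        buckets[category][ip] += count
    result = {name: dict(ips) for name, ips in buckets.items()}
    total = sum(sum(ips.values()) for ips in result.values())
    failing = sum(result.get("investigate", {}).values())
    return result, (round(100 * failing / total, 1) if total else 0.0)


if __name__ == "__main__":
    categories, failing_pct = classify(SAMPLE_REPORT)
    for name, ips in categories.items():
        print(name, ips)
    print(f"failing both checks: {failing_pct}% of reported mail")
```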
If forwarding failures are causing problems for your organization after advancing to p=reject, I can analyze your reports and identify solutions.
Sources
- RFC 7489: Domain-based Message Authentication (DMARC)
- RFC 8617: The Authenticated Received Chain (ARC) Protocol
- Google: ARC email authentication
- dmarcian: DMARC and email forwarding
v1.0 · April 2026
Frequently Asked Questions
Why does forwarding break DMARC?
Forwarding changes the sending IP, which breaks SPF. If the forwarder also modifies the body (adding footers, rewriting), DKIM breaks too. With both SPF and DKIM failing to align, DMARC fails.
Does DKIM survive email forwarding?
Usually yes, as long as the forwarder doesn't modify the message body or signed headers. DKIM is content-based, not IP-based, so simple forwarding preserves the signature.
How does ARC fix forwarding?
ARC lets intermediaries (forwarders) seal the original authentication results. Receiving servers can check the ARC chain to see that the message originally passed authentication before forwarding.
Should I lower my DMARC policy because of forwarding?
No. Don't weaken your policy for forwarding. Instead, rely on DKIM alignment and ARC support, which are the correct solutions.
Which forwarding services support ARC?
Google Workspace, Microsoft 365, and most major forwarding services now add ARC headers. Smaller or legacy forwarding services may not.