Domain-Based Message Authentication, Reporting, and Conformance (DMARC) authentication uses two protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to help determine the legitimacy of an email message.
SPF and DKIM (if configured properly) authenticate emails sent directly from the sending server to the receiving server and can typically determine whether they are authorized or not. That is not the case, however, if the email is routed through an intermediary mail server before being delivered to the recipient, as in the case of forwarded mail. This blog post aims to walk you through how email forwarding affects DMARC authentication results.
First of all, it’s crucial to understand that there are two types of forwarding: manual forwarding, which has no impact on the authentication results because the message adopts the SPF and DKIM of the intermediary server, and automatic forwarding, which can compromise the authentication process if the domain’s SPF record doesn’t include the intermediary sending source.
Email forwarding’s impact on SPF authentication
In the forwarding scenario, SPF authentication always fails because the check is made against the IP address of the intermediary server, which doesn’t match that of the sending server and is usually not included in the original server’s SPF record.
Email forwarding’s impact on DKIM authentication
When you forward an email, DKIM will not be affected if the content and structure of the original email remain intact.
Causes of DKIM failures during auto-forwarding:
- Message-forwarding systems changing the content of emails
- Modifications brought on by malware scanning and antivirus software
Since DMARC requires that you pass authentication verification and align domains for either SPF or DKIM, any emails that are DKIM neutral and rely on SPF authentication will most likely fail DMARC when auto-forwarded.
Hence, it is suggested to set up DKIM even though SPF is already set.
This is why ProDMARC recommends that you immediately opt for full DMARC compliance by verifying both SPF and DKIM for all genuine sending sources.
In certain cases, if the forwarding entity alters or re-encodes the content of the mail, both SPF and DKIM will fail. ProDMARC can help you identify these and will display them in the aggregate report so you can take the necessary steps towards achieving DMARC compliance.
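The outcomes described above, as an added example that is not part of the original post: a simplified Python model of how a receiver evaluates SPF, DKIM and DMARC for direct, forwarded, and forwarded-and-modified mail. The domains, IP addresses and message body are constructed, and the model assumes SPF limited to `ip4:` mechanisms, DKIM reduced to its body-hash comparison, and alignment as an exact domain match.

```python
import base64
import hashlib
import ipaddress

# Constructed sample data (documentation IP ranges, example domain).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"  # published by example.com
ORIGIN_IP = "192.0.2.10"                     # the domain's own sending server
FORWARDER_IP = "198.51.100.25"               # intermediary, absent from the SPF record
BODY = b"Quarterly invoice attached.\r\n"

def spf_pass(record, connecting_ip):
    """Assumption: only ip4: mechanisms are modelled; no match means -all."""
    ip = ipaddress.ip_address(connecting_ip)
    return any(term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:])
               for term in record.split()[1:])

def body_hash(body):
    """DKIM bh= value: base64(SHA-256(body)), 'simple' body canonicalization."""
    body = body.rstrip(b"\r\n") + b"\r\n"  # ignore trailing empty lines, end in one CRLF
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def dmarc(from_domain, mail_from_domain, connecting_ip, spf_record, body, dkim_sig):
    """DMARC passes when SPF or DKIM passes AND its domain aligns with From.
    Assumption: strict (exact match) alignment; header signature check omitted."""
    spf_ok = spf_pass(spf_record, connecting_ip) and mail_from_domain == from_domain
    dkim_ok = (dkim_sig is not None
               and dkim_sig["bh"] == body_hash(body)
               and dkim_sig["d"] == from_domain)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

def scenarios():
    sig = {"d": "example.com", "bh": body_hash(BODY)}  # signed at the origin
    modified = BODY + b"-- scanned by gateway --\r\n"   # forwarder appended a footer
    doms = ("example.com", "example.com")               # From and envelope sender
    return {
        "direct": dmarc(*doms, ORIGIN_IP, SPF_RECORD, BODY, sig),
        "forwarded_intact": dmarc(*doms, FORWARDER_IP, SPF_RECORD, BODY, sig),
        "forwarded_modified": dmarc(*doms, FORWARDER_IP, SPF_RECORD, modified, sig),
        "forwarded_spf_only": dmarc(*doms, FORWARDER_IP, SPF_RECORD, BODY, None),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

Only the intact, DKIM-signed forward survives: the forwarder's IP fails SPF in every forwarded case, so DMARC depends entirely on the DKIM body hash still matching.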
In order to track your email domains with full data on email sending sources, email authentication outcomes, geolocations of fraudulent IP addresses, and the overall performance of your emails, sign up for a 15-day free trial today!