["48432.js","47514.js","14759.js"]
["48418.css","16238.css","15731.css","15730.css","15516.css","14755.css","14756.css"]
["14757.html"]
  • Log In
  • Sign Up
  • Contact Us
PowerDMARC
  • Features
    • PowerDMARC
    • Hosted DKIM
    • PowerSPF
    • PowerBIMI
    • PowerMTA-STS
    • PowerTLS-RPT
    • PowerAlerts
  • Services
    • Deployment Services
    • Managed Services
    • Support Services
    • Service Benefits
  • Pricing
  • Power Toolbox
  • Partners
    • Reseller Program
    • MSSP Program
    • Technology Partners
    • Industry Partners
    • Find a partner
    • Become a Partner
  • Resources
    • What is DMARC? – A Detailed Guide
    • Datasheets
    • Case Studies
    • DMARC in Your Country
    • DMARC by Industry
    • Support
    • Blog
    • DMARC Training
  • About
    • Our company
    • Clients
    • Contact us
    • Book a demo
    • Events
  • Menu Menu

Email Forwarding and Its Impact on DMARC Authentication-Results

Blogs
email forwarding

When an email is sent from the sending server, directly to the receiving server, SPF and DKIM  (if set up correctly) authenticate the email normally and usually effectively validate it as legitimate or unauthorized. However, that is not the case if the email passes through an intermediary mail server before it gets delivered to the recipient, such as in the case of forwarded messages. This blog is intended to take you through the impact of email forwarding on DMARC authentication-results.

As we already know, DMARC makes use of two standard email authentication protocols, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to validate inbound messages. Let’s discuss them in brief to get a better understanding of how they function before hopping on to how forwarding can affect them.

Sender Policy Framework

SPF is present in your DNS as a TXT record, displaying all the valid sources that are authorized to send emails from your domain. Every email that leaves your domain has an IP address that identifies your server and the email service provider used by your domain that is enlisted within your DNS as an SPF record. The receiver’s mail server validates the email against your SPF record to authenticate it and accordingly marks the email as SPF pass or fail.

DomainKeys Identified Mail

DKIM is a standard email authentication protocol that assigns a cryptographic signature, created using a private key, to validate emails in the receiving server, wherein the receiver can retrieve the public key from the sender’s DNS to authenticate the messages. Much like SPF, the DKIM public key also exists as a TXT record in the DNS of the domain owner.

The Impact of Email Forwarding on Your DMARC Authentication Results

During email forwarding the email passes through an intermediary server before it ultimately gets delivered to the receiving server. Firstly it is important to realize that email forwarding can be done in two ways- either emails can be manually forwarded, which does not affect the authentication results, or it can be automatically forwarded, in which case the authentication procedure does take a hit if the domain doesn’t have the record for the intermediary sending source in their SPF.

Naturally, usually during email forwarding SPF check fails since the IP address of the intermediary server doesn’t match that of the sending server, and this new IP address is usually not included within the original server’s SPF record. On the contrary, forwarding emails usually don’t impact DKIM email authentication, unless the intermediary server or the forwarding entity makes certain alterations in the content of the message.

Note that for an email to pass DMARC authentication, the email would be required to pass either SPF or DKIM authentication and alignment. As we know that SPF inevitably fails during email forwarding, if in case the sending source is DKIM neutral and solely relies on SPF for validation, the forwarded email will be rendered illegitimate during DMARC authentication.

The solution? Simple. You should immediately opt for full DMARC compliance at your organization by aligning and authenticating all inbound messages against both SPF and DKIM!

Achieving DMARC Compliance with PowerDMARC

It is important to note that in order to achieve DMARC compliance, emails need to be authenticated against either SPF or DKIM or both. However, unless the forwarded messages get validated against DKIM, and rely on only SPF for authentication, DMARC will inevitably fail as discussed in our previous section. This is why PowerDMARC helps you achieve complete DMARC compliance by effectively aligning and authenticating emails against both SPF and DKIM authentication protocols. In this way, even if authentic forwarded messages fail SPF, the DKIM signature can be used to validate it as legitimate and the email passes DMARC authentication, subsequently landing into the receiver’s inbox.

Exceptional Cases: DKIM Fail and How to Resolve It?

In certain cases, the forwarding entity may alter the mail body by making adjustments in MIME boundaries, implementation of anti-virus programs, or re-encoding the message. In such cases, both SPF and DKIM authentication fails and legitimate emails do not get delivered.

email forwarding

Incase both SPF and DKIM fail, PowerDMARC is able to identify and display that in our detailed aggregate views and protocols like Authenticated Received Chain can be leveraged by mail servers to authenticate such emails. In ARC, Authentication-Results header can be passed onto the next ‘hop’ in the line of the message delivery, to effectively mitigate authentication issues while email forwarding.

In case of a forwarded message, when the receiver’s email server receives a message that had failed DMARC authentication, it tries to validate the email for a second time, against the provided Authenticated Received Chain for the email by extracting the ARC Authentication-Results of the initial hop, to check whether it was validated to be legitimate before the intermediary server forwarded it to the receiving server.

So sign up with PowerDMARC today, and achieve DMARC compliance at your organization!

email forwarding

  • About
  • Latest Posts
Ahona Rudra
Digital Marketing & Content Writer Manager at PowerDMARC
Ahona works as a Digital Marketing and Content Writer Manager at PowerDMARC. She is a passionate writer, blogger, and marketing specialist in cybersecurity and information technology.
Latest posts by Ahona Rudra (see all)
  • What is a Phishing Email? Stay Alert and Avoid Falling Into the Trap! - May 31, 2023
  • Fix “DKIM none message not signed”- Troubleshooting Guide - May 31, 2023
  • Fix SPF Permerror: Overcome Too Many DNS Lookups - May 30, 2023
December 30, 2020/by Ahona Rudra
Tags: DMARC, email forwarding
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on WhatsApp
  • Share on LinkedIn
  • Share by Mail
You might also like
brand image blogThis is What Email Phishing Can Do to Your Brand Image
stop spoofing blog5 Steps to Prevent Email Spoofing
How to Stop Emails to Go to Junk FolderHow to Stop My Emails from Going to the Junk Folder?
spoofing trends 2021 blogHow to Effectively Prevent Email Spoofing in 2021?
ali saqibPowerDMARC welcomes Dr. Saqib Ali into New Advisory Board Member Role
powerdmarc huntmetrics blog postValue-added resale partner Huntmetrics

Secure Your Email

Stop Email Spoofing and Improve Email Deliverability

15-day Free trial!


Categories

  • Blogs
  • News
  • Press Releases

Latest Blogs

  • phishing email
    What is a Phishing Email? Stay Alert and Avoid Falling Into the Trap!May 31, 2023 - 9:05 pm
  • How to fix “DKIM none message not signed”
    Fix “DKIM none message not signed”- Troubleshooting GuideMay 31, 2023 - 3:35 pm
  • SPF Permerror - Too many DNS lookups
    Fix SPF Permerror: Overcome Too Many DNS LookupsMay 30, 2023 - 5:14 pm
  • Top 5 Cybersecurity Managed Services in 2023
    Top 5 Cybersecurity Managed Services in 2023May 29, 2023 - 10:00 am
logo footer powerdmarc
SOC2 GDPR PowerDMARC GDPR comliant crown commercial service
global cyber alliance certified powerdmarc csa

Knowledge

What is Email Authentication?
What is DMARC?
What is DMARC Policy?
What is SPF?
What is DKIM?
What is BIMI?
What is MTA-STS?
What is TLS-RPT?
What is RUA?
What is RUF?
AntiSpam vs DMARC
DMARC Alignment
DMARC Compliance
DMARC Enforcement
BIMI Implementation Guide
Permerror
MTA-STS & TLS-RPT Implementation Guide

Tools

Free DMARC Record Generator
Free DMARC Record Checker
Free SPF Record Generator
Free SPF Record Lookup
Free DKIM Record Generator
Free DKIM Record Lookup
Free BIMI Record Generator
Free BIMI Record Lookup
Free FCrDNS Record Lookup
Free TLS-RPT Record Checker
Free MTA-STS Record Checker
Free TLS-RPT Record Generator

Product

Product Tour
Features
PowerSPF
PowerBIMI
PowerMTA-STS
PowerTLS-RPT
PowerAlerts
API Documentation
Managed Services
Email Spoofing Protection
Brand Protection
Anti Phishing
DMARC for Office365
DMARC for Google Mail GSuite
DMARC for Zimbra
Free DMARC Training

Try Us

Contact Us
Free Trial
Book Demo
Partnership
Pricing
FAQ
Support
Blog
Events
Feature Request
Change Log
System Status

  • Français
  • Dansk
  • Nederlands
  • Deutsch
  • Русский
  • Polski
  • Español
  • Italiano
  • 日本語
  • 中文 (简体)
  • Português
  • Norsk
  • Svenska
  • 한국어
© PowerDMARC is a registered trademark.
  • Twitter
  • Youtube
  • LinkedIn
  • Facebook
  • Instagram
  • Contact us
  • Terms & Conditions
  • Privacy Policy
  • Cookie Policy
  • Security Policy
  • Compliance
  • GDPR Notice
  • Sitemap
Your Comprehensive Guide to Authenticated Received Chain (ARC) System for D...authentication recieved chainprotect from spoofing blogHow to Select the Best DMARC Software Solution to Protect Your Business from...
Scroll to top
["14758.html"]