Email forwarding and DMARC


Are your incoming emails not showing compliance with the DMARC reports and facing alignment issues?

There are chances that they have been forwarded from any other resource, compromising your email security. Emails can be forwarded either manually or automatically, but automatic forwarding usually causes complexities.

A favorable Email forwarded range usually lies between 0.5% to 2%. A good Forward Rate usually means there are few bounced emails.

This article will help you understand how email forwarding works and how it is related to email authentication with DMARC.

Understanding email forwarding

Email forwarding redirects emails coming from one source to another source. This feature when enabled, automatically or manually forward from the original email address to the recipient’s email address. This usually is helpful in managing the flow of incoming emails as it saves time.

It works using the email servers to redirect messages. After the email forwarding feature is set up, the person can specify both the email addresses of the original source and the target address. The email servers after receiving the emails from the source email address forward them to the target addresses, already added before.

Types of email forwarding

Here are the three basic ways to forward Emails.

Manual forwarding

To forward an email manually, determine the specific message you want to forward to the recipient and send it to their address. You can even personalize the message by adding the context of your choice. It is better to do this if you want to add or remove content from the email before forwarding it.

Automatic forwarding

In automatic email forwarding, emails are self-redirected once received at the mailbox. This can help forward emails to multiple sources in one go. It helps prevent any important email from reaching all the designated clients.

Conditional forwarding

In conditional forwarding, users can set criteria that need to be fulfilled before that email is forwarded. The criteria could include the emails coming from a specific source (Email address). 

DMARC and its components

DMARC is an email authentication protocol. With this, domain owners can protect their domains from unauthorized sources. It addresses the issues of email spoofing. Moreover, it allows domain owners to create a list of mail servers. Only these mail servers will be allowed to send emails. 

DMARC also enhances email security. It combines Sender Policy Framework and DomainKeys Identified Mail to do so. This allows email owners to protect their domains. It enhances the security as well as functionality of the mail delivery system.

How DMARC works

DMARC integrates SPF and DKIM with the policy layer to enhance email security. SPF setup allows domain owners to specify unauthorized mail servers. Whereas, DKIM adds a digital signature to verify that the incoming emails are authentic and integral.

Whenever an email claims to be from a domain with a DMARC policy, the receiver’s server checks if it has passed SPF and DKIM checks. SPF domain is checked for server authorization and DKIM signature is checked for any modifications needed. If both checks are passed, the email is delivered. However, for email forwarding, it becomes a bit complicated to pass these checks, especially the SPF one.

How does email forwarding affect DMARC?

Email forwarding usually affects DMARC compliance. It usually doesn’t happen with manual forwarding. Automatic email forwarding can complicate the process. DMARC works with the proper functioning of SPF and DKIM. Therefore failure of any of these authentication protocols can affect the DMARC compliance as a whole.

As SPF works as a path-based authentication tool, it doesn’t validate the forwarded emails and marks them illegitimate. If the emails fail to pass through DKIM check later on, it can completely fail DMARC compliance.

Effects of email forwarding on SPF and DKIM

The SPF specifies which servers can send emails on behalf of the domain. It needs a proper Return-path domain. However, the issue arises when the intermediary server alters the Return-Path domain of the forwarded emails. It leads to the failure of the email delivery as the forwarding server is not authorized in the original sender’s SPF record.

DKIM gives a digital cryptographic signature to verify an email’s legitimacy. Forwarded emails can maintain DKIM validity of their content and certain headers remain unchanged. It is less difficult to pass the DKIM security check as compared to the SPF. However, the problem can arise when forwarding servers alter email content by adding information. It leads to DKIM validation failures and security risks. 

Setting up email forwarding with DMARC compliance

Several steps can help your forwarded emails comply with DMARC standards. Here are some of them.

Add DKIM signature

As SPF is less reliable for email forwarding, it is better to ensure that all your emails are DKIM-signed through your domain.  It can help your emails pass DMARC checks so that the forwarding process doesn’t alter the messages. PowerDMARC allows the owners to keep their DMARC protocol updated.

Implement “p=quarantine” in your DMARC policy

Keeping the DMARC policies updated is the key. An effective way to do this is to set up your DMARC policy to “p=quarantine”. Setting up this feature helps emails that have failed the authentication process fall into the recipient’s spam folder. It ensures the delivery of the emails, even if they are found in the spam folder.

Configure Authenticated Received Chain (ARC)

ARC helps manage the complexities of email forwarding in terms of cybersecurity. With this, the intermediary hosts can maintain a record of authentication checks by forwarding the authentication results to the next server. If the important forwarded email fails the DMARC check, the recipient can refer to the ARC record to validate the email again.


Email forwarding whether manual or automatic, complicates the DMARC authentication process. The intermediary services often alter the original sender’s information, making the verification of emails a difficult task. Organizations can configure their forwarding servers by adding DKIM signatures.

Additionally, DMARC policies must be updated to balance the security and deliverability of emails. Authentication issues must be carefully handled by the active policies.