Email authentication

How to get email forwarders DMARC compliant?

Email forwarding within DMARC is a bit of an edgecase.

What are forwarders?

There are two types of forwarding, manual forwarding and automatic forwarding. Manual forwarding does not give any authentication issues, automatic forwarding does.

Can forwarders be influenced?

It is not possible to stop sources from forwarding emails. Once an email is sent, it is not possible to have an influence on how the recipient handles an email.

How to improve the alignment of forwarded emails?

Senders are not able to authenticate sources that forward their emails. To improve the DMARC alignment of sources forwarding emails on behalf of an organization, the legitimate sending sources of the organization have to be authenticated with an aligning DKIM signature.

Unlike SPF, DKIM is designed to survive automatic forwarding. The DKIM signature (d=) is attached to the body of an email, while SPF is attached to the ‘Return-Path header’ of an email. With automatic forwarding, in general, the body of the email is not touched. Therefore, DKIM can survive automatic forwarding.

To conclude:

  • Senders are not able to authenticate sources that forward their emails.
  • To improve the alignment of forwarders, senders have to authenticate their legitimate sending sources with DKIM

 
More detailed information can be found in our article about What is forwarding within DMARC?