How Email Forwarding Breaks Authentication — and What You Can Do About It

DMARC Analyzer Pro

Email forwarding is one of the biggest challenges for SPF and DMARC. Learn why it breaks authentication and how ARC and DKIM can help.

You've done everything right — SPF is configured, DKIM is signing, DMARC is enforced — and yet some of your legitimate emails are still failing authentication. The culprit is almost always email forwarding.

Why forwarding breaks SPF

When a message is forwarded from one server to another, the forwarding server connects to the final destination from its own IP address, while the envelope sender usually still names your domain. Since SPF validates the connecting server's IP against the sender's SPF record, the forwarded message will fail SPF because the forwarding server isn't authorised to send on your behalf.

This is a fundamental limitation of SPF by design. It authenticates the server, not the message — and forwarding changes the server.

Mailing lists make it worse

Mailing lists typically rewrite the envelope sender, modify subject lines, and add footers. Between them, these changes can break both SPF and DKIM. The subject line modification alone is enough to invalidate a DKIM signature if the Subject header was included in the signed headers.

ARC — Authenticated Received Chain

ARC (RFC 8617) was developed specifically to address the forwarding problem. When an intermediary server (like a forwarding service or mailing list) receives a message, it can record the original authentication results in a set of ARC headers before any modifications are made.

Downstream receivers can then look at these ARC headers to see what the authentication status was before forwarding occurred. If they trust the intermediary, they can use the ARC results to make a more informed delivery decision, even when SPF and DKIM have technically failed.

ARC adoption is growing steadily. Google, Microsoft, and other major providers already validate ARC headers, and many intermediaries are adding ARC signing to their forwarding infrastructure.

Practical recommendations

Make sure DKIM is always in place — it's your best defence against forwarding-related failures. Configure your DKIM signatures to include headers that are unlikely to be modified by intermediaries.

Monitor your DMARC reports for patterns of forwarding-related failures. Common indicators include failures from well-known forwarding services, university mail systems, and mailing list processors. These are usually benign and shouldn't alarm you, but they're worth tracking.
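
One way to triage an aggregate report for the forwarding patterns described above, as an added example that is not from the original article or from any DMARC Analyzer Pro tooling: it parses a constructed RFC 7489 report and buckets message counts by the aligned DKIM and SPF results. The label names, the sample report and the rule for guessing in-transit modification are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed RFC 7489 aggregate report; IPs, counts and domain are made up.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>203.0.113.25</source_ip><count>6</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def classify(record, domain):
    """Label one <record> from its DMARC-evaluated (aligned) DKIM/SPF results."""
    dkim = record.findtext("row/policy_evaluated/dkim")
    spf = record.findtext("row/policy_evaluated/spf")
    if dkim == "pass" and spf == "pass":
        return "direct"
    if dkim == "pass":
        return "forwarded-dkim-survived"  # sent from a new hop, signature intact
    if spf == "pass":
        return "direct-dkim-problem"      # authorised IP, signing needs a look
    # Both failed: a failing signature naming our domain hints at content changed
    # in transit (list footer, subject tag). A forged signature looks the same,
    # so treat this as a lead to check, not a verdict.
    ours_failed = any(d.findtext("domain") == domain and d.findtext("result") == "fail"
                      for d in record.iterfind("auth_results/dkim"))
    return "modified-in-transit" if ours_failed else "unauthenticated"

def summarize(xml_text):
    """Return message counts per label for one aggregate report."""
    root = ET.fromstring(xml_text)  # assumes no XML namespace on <feedback>
    domain = root.findtext("policy_published/domain")
    totals = Counter()
    for rec in root.iterfind("record"):
        totals[classify(rec, domain)] += int(rec.findtext("row/count"))
    return dict(totals)

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Reports arrive from third parties, so in production parse them with a hardened XML parser and size limits before running a summary like this.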

If you're running a forwarding service yourself, implement ARC signing to preserve authentication for messages you forward. This benefits the entire email ecosystem and improves deliverability for the messages passing through your systems.