How does DKIM survive forwarding?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
DKIM signs a message's headers and body at the point of sending. It creates a hash of that content and encrypts it with a private key. The receiving server fetches the corresponding public key from DNS and checks if the hash still matches.
So when does DKIM survive forwarding? When nothing in the signed content changes. If the forwarder just passes the message along without touching the headers or body, the hash is still valid when it arrives downstream. That's "transparent forwarding," and DKIM usually survives it fine.
Here's where it breaks: most mailing lists and many mail forwarding setups do modify the message. They add subject tags like [List Name], insert footers, modify the MIME structure, or strip attachments. Any change to the signed content invalidates the DKIM signature. The hash no longer matches. DKIM fails.
There are two canonicalization algorithms DKIM uses that affect this somewhat. relaxed canonicalization tolerates minor whitespace changes. simple is more brittle and breaks on almost any modification. Most senders use relaxed/relaxed (one setting for headers, one for body), but even that can't absorb a footer injection or a rewritten subject line.
This is why ARC (Authenticated Received Chain) exists. It lets intermediaries like mailing list servers record the authentication state they observed before modifying the message, so downstream servers have something to go on. Without ARC, forwarded messages often fail DMARC even if they were originally legitimate.
You can check your DKIM setup and see which canonicalization you're using with our free Review My Emails DKIM Record Lookup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.