How does DKIM survive forwarding?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DKIM signs a message's headers and body at the point of sending. It creates a hash of that content and encrypts it with a private key. The receiving server fetches the corresponding public key from DNS and checks if the hash still matches.

So when does DKIM survive forwarding? When nothing in the signed content changes. If the forwarder just passes the message along without touching the headers or body, the hash is still valid when it arrives downstream. That's "transparent forwarding," and DKIM usually survives it fine.

Here's where it breaks: most mailing lists and many mail forwarding setups do modify the message. They add subject tags like [List Name], insert footers, modify the MIME structure, or strip attachments. Any change to the signed content invalidates the DKIM signature. The hash no longer matches. DKIM fails.

There are two canonicalization algorithms DKIM uses that affect this somewhat. relaxed canonicalization tolerates minor whitespace changes. simple is more brittle and breaks on almost any modification. Most senders use relaxed/relaxed (one setting for headers, one for body), but even that can't absorb a footer injection or a rewritten subject line.

This is why ARC (Authenticated Received Chain) exists. It lets intermediaries like mailing list servers record the authentication state they observed before modifying the message, so downstream servers have something to go on. Without ARC, forwarded messages often fail DMARC even if they were originally legitimate.

You can check your DKIM setup and see which canonicalization you're using with our free Review My Emails DKIM Record Lookup.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Debug my DKIM forwarding failures

My emails are being forwarded via {forwarding_type} (mailing list / alias / auto-forward) and I'm seeing DKIM failures downstream. My messages are signed with {dkim_domain} and I use {canonicalization} canonicalization. Can you help me understand whether the DKIM failure is caused by message modification, and whether ARC is being applied by the intermediary?

Edit the yellow boxes, then send to the AI of your choice.