How does email forwarding break SPF?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
SPF checks one thing: is the IP address that handed off this email on the approved list for your domain? You publish that list in DNS. Any server not on it fails the check.
Here's where forwarding causes trouble. Say captain@deepcurrent.io sends you an email. It arrives fine. But you've got auto-forwarding set up to another inbox, so your mail server passes the message along. At that next destination, the receiving server runs an SPF check. The IP it sees isn't the original deepcurrent.io server. It's your forwarding service's server. And that forwarder's IP isn't in deepcurrent.io's SPF record. SPF fails.
This isn't a bug. SPF is working exactly as designed. It validates the last server to hand off the message, not the one that sent it originally. Forwarding swaps in a new server at the last hop, so the check breaks.
You can't patch this by listing more IPs in your record. You can't predict every forwarder your recipients might use, and trying to include them all would blow past the 10-lookup limit fast. That's why DKIM exists alongside SPF. DKIM signs the message content itself and survives simple forwarding as long as the message isn't modified. For cases where forwarding breaks both, ARC lets legitimate forwarders carry the original auth results through the chain.
Want to see what's currently authorized in your SPF record? Our free SPF checker shows exactly what you've published and flags anything that looks off.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.