Does DMARC break forwarding?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You tighten up your DMARC policy, feel good about it, and then someone on your team says their forwarded emails are bouncing or landing in spam. Sound familiar? DMARC doesn't break forwarding on its own, but it does expose a weakness that was already there.

Here's what actually happens. When an email gets forwarded, the forwarding server re-sends it from a different IP address. That new IP won't be in your SPF record, so SPF alignment fails. If DMARC only has SPF to rely on, the message fails the DMARC check.

DKIM is more resilient, but it's not bulletproof. A forwarding server that modifies the message body or adds a footer will break the DKIM signature entirely. Once that signature is invalid, DKIM can't save you either. If both SPF and DKIM fail alignment, and your policy is p=quarantine or p=reject, the forwarded email gets flagged or dropped.

This is exactly why ARC (Authenticated Received Chain) was created. ARC lets forwarding servers sign and pass along the original authentication results, so the receiving server can see that the message was authenticated before it was forwarded. Think of it as a handoff note that says "this was legitimate when it left the original sender." Mailbox providers like Gmail and Outlook support ARC evaluation, which helps forwarded messages get a fair look. But not every server in the chain supports ARC, so it's not a total fix.

The practical advice if you're hitting forwarding failures:

  • Drop back to p=none temporarily if forwarding failures are causing real delivery problems
  • Check your DMARC aggregate reports to see which forwarding sources are failing and why
  • Make sure DKIM is set up and signing correctly before you tighten policy, because DKIM survives forwarding far better than SPF does
  • Contact the forwarding service or your IT team and ask if they support ARC

The bigger lesson here is that forwarding failures are a sign you should move carefully through policy levels. Start with p=none, read your reports, and only move to p=quarantine or p=reject once you understand every sending path. Rushing to reject without checking your mail flow is the most common way DMARC causes collateral damage.

If you're seeing failures and not sure what's causing them, our free DMARC Parser can help you read your aggregate reports and pinpoint which sources are failing. Or if it's already broken and you need a second pair of eyes, the SOS Hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details above and get a diagnosis

We set up DMARC and now forwarded emails are failing or landing in spam. Based on the details below, help me figure out whether it's an SPF alignment issue, a broken DKIM signature, or something else. Then suggest a step-by-step fix that accounts for our forwarding setup. 1. Current DMARC policy (p=none / p=quarantine / p=reject): 2. Is DKIM set up and signing correctly on the original domain? 3. Which forwarding service or server is involved? 4. What do your DMARC aggregate reports show (if you have them)? 5. Is the forwarding server adding footers or modifying message content?

Edit the yellow boxes, then send to the AI of your choice.