Forwarding & DMARC

A brief overview of the challenges and solutions for email forwarding with DMARC

What is DMARC Forwarding?

DMARC forwarding is the practice of passing an email message that has already been authenticated under DMARC from one address on to another. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a protocol that helps email senders and receivers verify the authenticity and integrity of email messages. DMARC builds on two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to check that an email message is aligned with the domain in its From header and has not been tampered with in transit. DMARC also lets senders specify how receivers should handle messages that fail these checks, and lets them receive feedback reports on the authentication results.

How Does Forwarding Affect DMARC?

Forwarding affects DMARC in different ways, depending on the type and purpose of the forwarding. Forwarding is useful for various purposes, such as sharing information, redirecting messages to a different account, or filtering spam. However, it can also cause problems for email authentication, especially when DMARC is involved. Some of the common problems are:

  • Breaking the DKIM signature. DKIM is a mechanism that allows senders to digitally sign their messages with a cryptographic key that can be verified by the receivers. However, when a message is forwarded, it may undergo changes that affect its content, such as adding a header, changing the subject line, or wrapping the message in another envelope. These changes can invalidate the DKIM signature, which indicates that the message has been altered in transit.
  • Failing the SPF check. SPF is a mechanism that allows senders to specify which domains or IP addresses are authorized to send email on behalf of their domain. However, when a message is forwarded, it is sent on by a server that is usually not listed in the sender's SPF record. This can cause the SPF check to fail, which indicates that the message is not from a legitimate source.
  • Triggering the DMARC policy. DMARC is a mechanism that allows senders to define a policy for how receivers should handle messages that fail the DKIM or SPF checks. The policy can be one of the following: none, which means no action is taken; quarantine, which means the message is marked as suspicious and moved to a separate folder; or reject, which means the message is rejected and not delivered. However, when a message is forwarded, it may fail the DKIM or SPF checks due to the reasons mentioned above, and thus trigger the DMARC policy. Depending on the policy, the message may be quarantined, rejected, or delivered with a warning.
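To make the interaction of the three checks concrete, here is an added example (not code from the original page or from Sendmarc) that evaluates DMARC the way a receiving server does: the SPF and DKIM results are combined with identifier alignment against the From domain, and the published policy decides what happens on failure. The AuthResults inputs, the forwarder.com domain and the DMARC record are constructed, and the organizational-domain rule is simplified to the last two labels (real verifiers use the Public Suffix List).

```python
"""DMARC alignment check over SPF/DKIM authentication results.

Added example, not code from the original page. Organizational-domain
handling is simplified to the last two labels.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    """What a receiving MTA knows after running SPF and DKIM (constructed inputs)."""
    from_domain: str             # RFC5322.From header domain, the identity DMARC protects
    mail_from_domain: str        # RFC5321.MailFrom (envelope sender) domain
    spf_result: str              # "pass", "fail", "softfail", "none", ...
    dkim_result: str             # "pass", "fail", "none", ...
    dkim_domain: Optional[str]   # d= tag of the signature that was verified, if any


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("aspf", "r")    # relaxed alignment is the default for both
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: the last two labels stand in for the organizational domain.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def dmarc_evaluate(r: AuthResults, record: dict) -> tuple:
    """Return (dmarc_result, action) according to the sender's published policy."""
    spf_aligned = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, record["aspf"])
    dkim_aligned = (r.dkim_result == "pass" and r.dkim_domain is not None
                    and aligned(r.dkim_domain, r.from_domain, record["adkim"]))
    # DMARC passes when at least one authenticated identifier aligns with the From domain.
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    return ("fail", record["p"])


# Constructed scenarios: the same message delivered directly and through a forwarder.
POLICY = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

DIRECT = AuthResults("example.com", "example.com", "pass", "pass", "example.com")

# The forwarder delivers from its own servers (SPF fails for example.com) and
# appended a footer, so the original DKIM signature no longer verifies.
FORWARDED = AuthResults("example.com", "example.com", "fail", "fail", "example.com")

# With SRS the envelope sender is rewritten into the forwarder's domain: SPF now
# passes, but it is not aligned with the From domain, so DMARC still fails.
FORWARDED_SRS = AuthResults("example.com", "forwarder.com", "pass", "fail", "example.com")

# If the forwarder leaves the signed content untouched, DKIM survives and aligns.
FORWARDED_CLEAN = AuthResults("example.com", "forwarder.com", "pass", "pass", "example.com")

if __name__ == "__main__":
    for name, res in [("direct", DIRECT), ("forwarded", FORWARDED),
                      ("forwarded+srs", FORWARDED_SRS), ("forwarded, body intact", FORWARDED_CLEAN)]:
        print(f"{name:24s} -> {dmarc_evaluate(res, POLICY)}")
```

The forwarded scenarios make the point of the list above: a forwarder delivering from its own servers loses aligned SPF, any change to the signed content loses DKIM, and an untouched signature is therefore the only thing that keeps a forwarded message passing.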

How Does Forwarding Affect SPF?

As mentioned above, forwarding can cause the SPF check to fail if the message is passed on by a server that is not authorized by the sender's SPF record. SPF is a mechanism that allows senders to specify which servers, by domain or IP address, are allowed to send email on behalf of their domain. SPF works by taking the domain of the envelope sender, which is the address given in the SMTP MAIL FROM command, looking up that domain's SPF record (a DNS TXT record that lists the authorized domains or IP addresses), and comparing the IP address of the connecting server against that list. If the connecting server matches one of the authorized entries, the SPF check passes. If not, the SPF check fails.

However, when a message is forwarded, the envelope sender may be changed by the forwarding service to reflect the address of the forwarder rather than the original sender. For example, if Alice sends a message to Bob, and Bob forwards it to Charlie, the envelope sender may be changed from alice@example.com to bob@forwarder.com. This can cause the SPF check to fail, because bob@forwarder.com is not authorized by Alice's SPF record.

How Does Forwarding Affect DKIM?

As mentioned above, forwarding can break the DKIM signature if the forwarding service modifies the message in a way that affects the signed content. DKIM is a mechanism that allows senders to digitally sign their messages with a cryptographic key that receivers can verify. DKIM works by computing a hash of the message body and of selected headers, and placing that hash, together with a signature over it, in a DKIM-Signature header. Receivers then use the public key of the signing domain, which is published in a DNS record, to verify the signature and recompute the hash. If the hash matches the message content, the DKIM signature is valid. If not, the DKIM signature is invalid.
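As an added illustration (not code from the original page or from Sendmarc), the block below computes the DKIM body hash that is carried in the bh= tag of the DKIM-Signature header, under both body canonicalization modes defined in RFC 6376, and checks it the way a verifier does. The sample message bodies are constructed; verification of the public-key signature itself is left out, since the body hash is what a typical forwarding change breaks.

```python
"""DKIM body-hash (bh=) computation under 'simple' and 'relaxed' canonicalization.

Added example, not code from the original page. Implements the body
canonicalization rules of RFC 6376 section 3.4 and base64(SHA-256) of the
result; checking the b= signature with the DNS public key is out of scope.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply the DKIM 'simple' or 'relaxed' body canonicalization to a CRLF body."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of whitespace to one space and drop trailing whitespace per line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    # Both modes ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 over the canonicalized body: the value placed in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_verifies(bh_tag: str, received_body: bytes, mode: str = "relaxed") -> bool:
    """What a verifier does with the bh= tag of the signature it received."""
    return body_hash(received_body, mode) == bh_tag


# Constructed sample: the body as the sender signed it ...
ORIGINAL = b"Hi Bob,\r\n\r\nSee the attached report.\r\n\r\n-- Alice\r\n"
SIGNED_BH = body_hash(ORIGINAL)

# ... and two versions a forwarding service might hand on.
REWRAPPED = b"Hi Bob,\r\n\r\nSee the attached   report.  \r\n\r\n-- Alice\r\n\r\n\r\n"   # whitespace only
WITH_FOOTER = ORIGINAL + b"\r\nThis message was forwarded by forwarder.com\r\n"        # content added

if __name__ == "__main__":
    print("signed bh=", SIGNED_BH)
    print("whitespace changes, relaxed:", body_hash_verifies(SIGNED_BH, REWRAPPED))
    print("whitespace changes, simple :", body_hash_verifies(body_hash(ORIGINAL, "simple"), REWRAPPED, "simple"))
    print("footer appended,    relaxed:", body_hash_verifies(SIGNED_BH, WITH_FOOTER))
```

Relaxed canonicalization absorbs whitespace and trailing-blank-line changes, which is why most senders sign with c=relaxed/relaxed; an appended footer or disclaimer is real content and fails under either mode, and the receiving server then reports the signature as failed.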

However, when a message is forwarded, the message content may be changed by the forwarding service in a way that affects the hash. For example, the forwarding service may add a header, a signature, a disclaimer, or a footer to the message, or change its encoding or format. These changes alter the hash of the message and thus invalidate the DKIM signature.

What Can You Do to Have Forwarded Mails Pass DMARC?

There are several possible solutions for having forwarded mails pass DMARC, depending on the type and purpose of forwarding. Some of the common solutions are:

  • Use ARC (Authenticated Received Chain). ARC is a protocol that allows intermediate servers, such as forwarders, to preserve the authentication results of the original message and pass them along to the final receiver. ARC adds a new header to the message that contains the authentication information and a signature that proves the chain of custody. The final receiver can then use the ARC header to validate the message, even if the DKIM signature or the SPF check fails.
  • Use SRS (Sender Rewriting Scheme). SRS is a technique that rewrites the envelope sender address when forwarding a message, so that the SPF check can pass. SRS replaces the original sender's domain with the forwarder's domain and encodes the original sender's address in the rewritten local part, so that the forwarder can route bounces back to the original sender and the final receiver can apply the appropriate DMARC policy.
  • Use BIMI (Brand Indicators for Message Identification). BIMI is a protocol that allows senders to associate their domain with a visual brand indicator, such as a logo, that can be displayed by the receivers. BIMI requires the sender to have a valid DMARC record and a verified logo. BIMI can help receivers to recognize the sender's identity and reputation, and to distinguish between legitimate and fraudulent messages.
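An added example (not code from the original page or from Sendmarc) of the SRS rewrite and its reverse, as a forwarder would apply them: the envelope sender is rewritten into the forwarder's own domain, and the original address is recovered from a bounce only when the embedded hash and timestamp check out. The SRS0 address layout follows the published scheme; the HMAC algorithm (SHA-256), the 21-day validity window, the secret key and the addresses are assumptions or constructed values.

```python
"""Sender Rewriting Scheme: SRS0 forward rewrite and reverse for bounces.

Added example, not code from the original page. Address layout:
SRS0=HHHH=TT=original-domain=original-local@forwarder-domain, where HHHH
is a truncated HMAC and TT a two-character base32 day timestamp. HMAC
algorithm and validity window are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
TS_MODULUS = 32 * 32          # two base32 characters cover a 1024-day cycle


def _days_now() -> int:
    return int(time.time() // 86400)


def _encode_ts(days: int) -> str:
    d = days % TS_MODULUS
    return BASE32[d >> 5] + BASE32[d & 31]


def _decode_ts(ts: str) -> int:
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        raise ValueError("bad SRS timestamp")
    return BASE32.index(ts[0]) * 32 + BASE32.index(ts[1])


def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """Four base64 characters of an HMAC over the fields (lower-cased, as SRS compares case-insensitively)."""
    msg = f"{ts}={domain}={local}".lower().encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(mac)[:4].decode("ascii")


def srs_forward(sender: str, forwarder_domain: str, secret: bytes, days: Optional[int] = None) -> str:
    """Rewrite the envelope sender so SPF is evaluated against forwarder_domain."""
    local, at, domain = sender.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("sender must be local@domain")
    if local.startswith("SRS0="):
        # Already rewritten by an earlier hop; wrapping again would grow without bound.
        raise ValueError("re-forwarding needs SRS1, not implemented in this example")
    ts = _encode_ts(_days_now() if days is None else days)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address: str, secret: bytes, days: Optional[int] = None, max_age_days: int = 21) -> str:
    """Recover the original sender for a bounce, rejecting forged or stale addresses."""
    local, _, _ = address.rpartition("@")
    parts = local.split("=", 4)      # the original local part may itself contain '='
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = parts
    expected = _hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.encode("ascii"), expected.encode("ascii")):
        raise ValueError("SRS hash mismatch: address was forged or altered")
    age = ((_days_now() if days is None else days) - _decode_ts(ts)) % TS_MODULUS
    if age > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    key = b"constructed-secret"
    rewritten = srs_forward("alice@example.com", "forwarder.com", key, days=19000)
    print(rewritten)
    print(srs_reverse(rewritten, key, days=19005))
```

The hash and timestamp are what keep the reverse path from becoming an open bounce relay: an address this forwarder did not produce, or one past its window, is refused rather than reversed. Note also that SRS only repairs SPF for the forwarder's domain; because the rewritten domain is no longer aligned with the From header, the forwarded message still needs an intact DKIM signature to pass DMARC.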

Limitations of DMARC and Forwarding

While the solutions mentioned above can help to improve the compatibility of DMARC and forwarding, they are not perfect and may have some limitations. Some of the possible limitations are:

  • SRS may cause confusion or distrust among the receivers, who may not recognize the rewritten sender's address or the tag that indicates the original sender. SRS may also cause problems for reply-to or bounce messages, which may not reach the original sender.
  • ARC is not widely supported by all email providers and clients, and may not work in some scenarios, such as when the message is forwarded multiple times or when the ARC header is removed or modified by the intermediate servers.
  • BIMI is not a guarantee of authenticity or trustworthiness, and may be spoofed or abused by malicious actors who obtain a valid DMARC record and a verified logo. BIMI may also be ignored or overridden by the receivers, who may have their own preferences or policies for displaying brand indicators.

DMARC is a protocol that helps to improve the security and reliability of email communication. However, it can also pose challenges for forwarding, which is a common and useful feature of email. To overcome these challenges, senders and receivers can use various methods to ensure that the forwarded messages are authenticated and delivered correctly. By doing so, they can enhance the user experience and the email ecosystem.

Need Help?

support@sendmarc.com is standing by to assist!