Chat +1-888-563-5277 [email protected]

Email forwarding and DMARC DKIM SPF

Usually, you can see some problems with email authentication protocols during the email forwarding. To prevent cybercriminals from sending emails that look like they are coming from your domain you have to use email authentication mechanisms such as DMARC, DKIM, and SPF. Email authentication secures your domain and at the same time increases your domain reputation so your emails end up in the Inbox instead of Spambox.

Email Authentication Protocols: SPF DKIM and Email Forwarding

Here are the protocols for email authentication:

SPF (Sender Policy Framework)  is a TXT record in your DNS and basically shows sources that are authorized to send emails on behalf of your domain.
For example, if you send emails from the server  130.130.130.130 and you use G Suite for your domain your SPF record will look like this:

v=spf1 ip4:130.130.130.130/32 include:_spf.google.com -all

This means that emails coming only from the server with the IP address 130.130.130.130 and from the G Suite will pass SPF check for your domain. The receiver mail server reads your SPF record every time it receives mail from you and marks them as either SPF pass or fail. 

You can check results in the EasyDMARC dashboard: SPF-check-results-on-EasyDMARC-dashboardIt is also possible to see SPF check results (pass or fail) by looking at the received email header in mail client: SPF-check-pass-on-the-received-email-header-on-GmailReceiving mail server performs SPF validation, during the email transition, by checking if the MAIL FROM address domain contains the sender’s IP address. (Process is described in the RFC 7208). This mechanism fails during the email forwarding process and will be described later in this article.

DKIM (Domain Keys Identified Mail) – uses a cryptographic signature mechanism to check and validate email authentication and integrity. The mail server puts the encrypted hash of the message body in the email header and then sends it out. Receivers can retrieve the public key from the sender’s domain DNS and perform validation. DKIM public key is a TXT record published in the domain  DNS zone and looks like this:

v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAeSn0k+xBRnQgu2+94pt
A6c7l/3N3B Oa1nF+0Fb2gBZg30g+NmMuGRRAKiQfr9ZHHScUsATjF2OevxcjBkDeF4OrVGNs/taCjr
Uwi0H nlVepBzdJ57a2DkPrdfxRYOAn1x1U9cr10eBTg3dUrenux3SkEwd/8eOOgeLqUUe1pQwIDAQAB

The following diagram shows how DKIM works:How-DKIM-works-for-domain-protection

 DKIM check results are visible in the EasyDMARC’s dashboard:DKIM-check-results-on-EasyDMARC-dashboardand also you can check them with your email client, by looking at the email header:DKIM-check-pass-in-client's-email-headerYou can refer to RFC 6376 for DKIM details and specifications.

The fact remains that DKIM is the part of the email header, therefore it works even when a message has been forwarded.

Forwarding cases and how they affect your Email Authentication (SPF/DKIM) results

SPF: When it comes to Forwarding, SPF Authentication checks will mostly fail, this is logical since a new entity, not included in the original sender’s SPF Record, send the forwarded email.

DKIM: Email forwarding does not affect DKIM, as long as you have not altered the content and the structure of the original Email.Email-Forwarding-and-DKIM

Why passing and aligning both SPF and DKIM are vital to achieving full DMARC Compliance

As per DMARC specs, you need either SPF or DKIM to pass authentication.
But, because of SPF limitations as discussed above, any sources that rely only on SPF, and are DKIM neutral will instantly fail DMARC checks when forwarded.
Whereas, forwarding does not impact the DKIM Signature.
This is why EasyDMARC always advises reaching full DMARC Compliance by authenticating both SPF and DKIM on all legitimate sending sources.

Common DKIM Failures resulting from Forwarding

Message-Forwarding systems Modifying Email content
Modifications caused by Malware scanning and Antivirus solutions
ReSenders and Gateways

Common Forwarding, Indirect Mailflows, Mailing lists are described in RFC 7960

How to identify mail forwarders

When you look at aggregate reports in EasyDMARC, under the “DMARC compliant” tab you will definitely see many sources, unfamiliar to you. You will also notice that all those unfamiliar sources are passing the DKIM check but failing the SPF check.Email-forwarding-failing-SPF-checkThese are forwarded emails, i.e. emails which were sent by you / your domain and were automatically forwarded by the recipient mail server to another mail recipient. That is due to the forwarding rule set in the particular mailbox. So what happens when you auto-forward an email in this way?

Emails generated from Email providers’ mailboxes have the same sender address in Header From and Return-path (Mail From). Some Email providers (e.g. Outlook/Hotmail, iCloud, MailRu) preserve the original sender’s Return-path (Mail From) address when forward. Others (e.g Gmail/G Suite, O365 Exchange, Yahoo, Yandex mail) substitute original sender’s Return-path (Mail From) address with the email address of their own domain.
When the recipient’s mail server (mailbox) auto-forwards an email, that came from your server to another destination mail server (mailbox), it actually retransmits your email via his own IP address, so the destination mail server sees the IP address of the forwarding server in the header of an email coming from you.

SPF mechanism was historically designed for checking a domain in Return-path (Mail From) address and not for a domain in Header From address, which remains persistent while auto-forwarded. Thus, for forwarded emails, we can have 2 different cases primarily.

Reasons for SPF DKIM pass/fail in the Email Forwarding Process

Case 1. Return-path email address or original sender is preserved (e.g. Outlook/Hotmail, iCloud, MailRu)

Email-Forwarding-SPF-fail-DKIM-passSince the Return-path address in forwarded mail is preserved, the SPF Authentication Result column shows Header From domain alignment with Return-path (Mail From) domain.
SPF check performs against the SPF record of the Return-path (Mail From) domain. It fails because the Return-path (Mail From) address’ domain SPF record does not include the IP address of the forwarding server. So, for this case, you will see aligned / fail.

Case 2. Return-path email address or original sender is substituted with forwarder’s email address (e.g Gmail/G Suite, O365 Exchange, Yahoo, Yandex mail)Email-Forwarding-with-SPF-DKIM-pass Since the forwarding server’s email substitutes Return-path address in a forwarded mail, the SPF Authentication Result column shows Header From domain misalignment with Return-path (Mail From) domain.
SPF check performs against the SPF record of the Return-path (Mail From) domain and it passes because the Return-path (Mail From) address’ domain SPF record includes the IP address of the forwarding server. So, for this case, you will see unaligned / pass.
Besides “pass”, in the SPF Authentication Result column you may also see other values – none, neutral, fail, etc – which indicates that the forwarding domain’s SPF record needs proper configuration.

To be precise, there could also be a 3rd case for forwarded emails, which we describe below.

Case 3. Such emails appear in the “Non-compliant Sources” tab. In these emails, the DKIM signature integrity broke on the way to the final destination, but the recipient server still identified them as either obvious or sure forwarder (see 2 screenshots below).Override-ForwardedIf you have set your domain’s DMARC policy to “reject”, the actual policy applied to such emails normally downgrades to “quarantine.”Override-local-policyIf you have set your domain’s DMARC policy to “quarantine”, the actual policy applied to such emails normally downgrades to “none”.

Sign Up to automatically analyze and process your DMARC records

 

Protect your account with 2-Factor Authentication

Two-factor authentication (also known as 2FA) is a method of electronic authentication, which adds an extra layer of security to your account in case your password is stolen. After you set up authentication in EasyDMARC, you’ll sign in to your account in two steps using: Step...

Read More

How to Implement DMARC with EasyDMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy that protects organizations from Business Email Compromise attacks and allows them to receive DMARC reports from mail service providers.  Also, DMARC is an email authentication protocol, that is designed to give email domain owners...

Read More

How does DMARC work: why you should use DMARC?

Protecting your email domain can do more than just prevent hackers from sending embarrassing emails on your behalf. It can also help you build a trusted relationship with business partners and employees by assuring their information is secure. Research shows that phishing attacks are...

Read More