When you resend a received email to one or more people, it is known as email forwarding. Email forwarding can redirect an email going to a certain address to one or more other addresses. Also, emails going to several different addresses can converge via forwarding to end up in a single inbox.
However, forwarding an email can cause problems with email authentication. SPF usually fails in this scenario because the forwarding server's IP address does not match the addresses listed in the original sender's SPF record. Email forwarding does not affect DKIM as long as the forwarder does not modify the message body or its structure.
Sender Policy Framework (SPF) can only verify the domain used as the envelope sender and the IP addresses that its DNS record authorises. If the connecting IP matches the domain's DNS record on the receiving end, the email is authenticated; otherwise it is rejected.
For example: if you send email from a specific IP address (10.0.0.0) and also use a specific mail service (Outlook) for your domain, the SPF record will be:
v=spf1 ip4:10.0.0.0 include:_spf.protection.outlook.com -all
Each email carries an envelope header that includes the RETURN-PATH value, which names the sender's domain. When the email reaches the recipient, the receiving server reads this RETURN-PATH value and looks up the SPF record of that domain. The receiving server then compares the IP address that delivered the message against the addresses listed in the SPF record. If they match, the receiving server authenticates the email domain.
The SPF authentication check almost always fails during email forwarding because the forwarded message is sent from a new IP address that is most likely not included in the original sender’s SPF record.
DKIM signatures are not typically affected by email forwarding. However, this depends on the forwarding entity not altering the signed message headers or the message body. Common DKIM failures caused by email forwarding result from:
The forwarding entity modifying the MIME boundaries
Anti-virus or anti-spam programs modifying the body of the message
The forwarding entity expanding the recipient list using Lightweight Directory Access Protocol (LDAP)
The forwarding entity re-encoding the message
Since DMARC only requires that a message pass authentication and align domains for either SPF or DKIM, any message that is DKIM-neutral and relies on SPF authentication alone will most likely fail DMARC when forwarded. Passing and aligning both methods ensures that if one authentication method fails verification because of forwarding, the other method that still passes results in a passed DMARC verification. Therefore, RETURN-PATH recommends passing and aligning both SPF and DKIM on all email traffic.
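The following is an added example, not part of the original article: a simplified model of the SPF check described above and of DMARC's "either SPF or DKIM, aligned" rule, run through the direct-delivery and forwarded-delivery cases. DNS lookups are replaced by a constructed in-memory table (the IP ranges in it are made up), and organizational-domain alignment is approximated by the last two labels rather than the Public Suffix List.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the Outlook range below is invented.
DNS_TXT = {
    "example.com": "v=spf1 ip4:10.0.0.0 include:_spf.protection.outlook.com -all",
    "_spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 -all",
}

def spf_check(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip
    against the SPF record published for domain (the RETURN-PATH domain)."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                      # no usable record (or include loop guard)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            # mismatched IP versions never match, so a v4 sender skips ip6 terms
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"                  # hard fail: sender IP not authorised
        elif term == "~all":
            return "softfail"
    return "neutral"

def organizational_domain(domain):
    """Simplified relaxed-alignment comparison key (last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_result(from_domain, return_path_domain, sender_ip, dkim_domain, dkim_valid):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From:."""
    spf_aligned = (spf_check(return_path_domain, sender_ip) == "pass"
                   and organizational_domain(return_path_domain)
                   == organizational_domain(from_domain))
    dkim_aligned = (dkim_valid and dkim_domain is not None
                    and organizational_domain(dkim_domain)
                    == organizational_domain(from_domain))
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

if __name__ == "__main__":
    # Forwarder at 192.0.2.5 relays the message; RETURN-PATH stays example.com.
    print(spf_check("example.com", "192.0.2.5"))                                # fail
    print(dmarc_result("example.com", "example.com", "192.0.2.5", "example.com", True))   # pass via DKIM
    print(dmarc_result("example.com", "example.com", "192.0.2.5", "example.com", False))  # fail: body altered
```

The last two calls show why the article recommends aligning both methods: once the forwarder's IP breaks SPF, the intact DKIM signature is the only identifier left that can carry the DMARC verdict.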
The following measures can help preserve SPF and DKIM authentication for forwarded emails:
The RETURN-PATH, or original sender address, is preserved by the forwarder.
The RETURN-PATH, or original sender address, is rewritten to the forwarder's email address. In this scenario, even if the DKIM signature breaks or changes, the recipient server can still identify the forwarder as the apparent sender.