Forwarding & mailing lists: Why DMARC breaks and why you can’t ‘just fix it’

Forwarding and discussion lists are a classic DMARC pain point: SPF usually breaks, DKIM sometimes breaks, and then users blame the receiving org. We explain why this is structural, and how ARC and SRS attempt to fix it.

Marc, Owner

Be me. You have set up DMARC. You are monitoring your reports. Everything looks green, except for one annoying cluster of failures coming from Google, Outlook, or university servers.

You investigate. It wasn't you sending those emails.

It was your user sending an email to a mailing list. Or an old alumni address forwarding to Gmail. Or a client forwarding your invoice to their accountant.

And DMARC failed. Why? Because forwarding breaks email authentication by design.

1. “Forwarding Breaks SPF” — The Failure Mode That Never Dies

Let’s trace the path of a forwarded email:

  1. You send an email to [email protected].
  2. Your server connects to the university server. The university checks SPF. It sees your IP. SPF Pass.
  3. But Alice has set up auto-forwarding to her personal [email protected].
  4. The university server connects to Gmail to deliver the message.
  5. Gmail checks SPF. It looks at the IP address sending the mail. It sees the University's IP.
  6. Gmail checks your SPF record. Does the University's IP have permission to send mail for yourdomain.com? No.

Result: SPF fails. And if you don’t have a valid DKIM signature that survives the journey, DMARC fails too.

2. Mailing Lists: The Double Whammy

Mailing lists (Google Groups, Mailman) are even worse. They don't just forward; they modify, by design.

  • Subject Tagging: [Marketing-Group] Re: Weekly update
  • Footer Appending: "To unsubscribe from this group..."

As soon as the mailing list software edits the body or the subject line, the DKIM signature breaks. The "wax seal" is broken.

So now:

  • SPF Fails (because the IP is the mailing list server).
  • DKIM Fails (because the content was modified).
  • DMARC Fails (because both failed).

This is why "DMARC-aware" mailing lists now often rewrite the From: header to be the list itself (e.g., [email protected]) rather than the original sender, to avoid DMARC rejection.

3. The Alphabet Soup: ARC and SRS

Can you fix this? Mostly, no. It's up to the intermediaries.

SRS (Sender Rewriting Scheme)

This tries to fix SPF. The forwarding server rewrites the Return-Path to its own domain. So when Gmail checks SPF, it checks the forwarder's domain, not yours. This helps SPF pass, but it breaks SPF alignment for DMARC, because the Return-Path domain no longer matches the domain in your From: header.
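The delivery paths described so far (direct, plain forward, SRS forward, mailing list), as an added example that is not part of the original post. It is a simplified model: the domains, IPs and the `body_hash` stand-in for DKIM's body hash are assumptions, and alignment is checked in strict mode only.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed sample data: domains and documentation-range IPs are assumptions.
SPF_ALLOWED = {  # domain -> IPs its SPF record authorizes
    "yourdomain.example": {"192.0.2.10"},
    "university.example": {"198.51.100.5"},
    "lists.example": {"203.0.113.7"},
}

@dataclass(frozen=True)
class Message:
    header_from: str    # domain in the From: header (what DMARC protects)
    envelope_from: str  # domain in the Return-Path (what SPF checks)
    sending_ip: str     # IP of the server handing the mail to the receiver
    body: str
    dkim_d: str         # d= domain of the DKIM signature
    dkim_bh: str        # body hash recorded when the sender signed

def body_hash(body: str) -> str:
    # Simplified stand-in for DKIM's bh= value (no canonicalization, no headers).
    return hashlib.sha256(body.encode()).hexdigest()

def dmarc(msg: Message) -> dict:
    spf = msg.sending_ip in SPF_ALLOWED.get(msg.envelope_from, set())
    dkim = body_hash(msg.body) == msg.dkim_bh
    # Strict alignment: the authenticated domain must equal the From: domain.
    spf_aligned = spf and msg.envelope_from == msg.header_from
    dkim_aligned = dkim and msg.dkim_d == msg.header_from
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim": dkim,
            "dmarc": spf_aligned or dkim_aligned}

def scenarios() -> dict:
    body = "Invoice attached.\r\n"
    direct = Message("yourdomain.example", "yourdomain.example", "192.0.2.10",
                     body, "yourdomain.example", body_hash(body))
    forward = replace(direct, sending_ip="198.51.100.5")         # Return-Path kept
    srs = replace(forward, envelope_from="university.example")   # Return-Path rewritten
    mlist = replace(direct, sending_ip="203.0.113.7", envelope_from="lists.example",
                    body=body + "To unsubscribe from this group...\r\n")
    cases = [("direct", direct), ("forward", forward), ("srs", srs), ("list", mlist)]
    return {name: dmarc(m) for name, m in cases}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:8} {result}")
```

In the `srs` and `list` rows SPF passes yet `spf_aligned` stays false, so only an intact DKIM signature decides the DMARC result.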

ARC (Authenticated Received Chain)

This is the modern solution. It allows intermediaries (like Google or Microsoft) to "vouch" for the authentication results they observed when the message reached them.

Basically, the University server says to Gmail: "Hey, I checked DMARC when I received this, and it passed. Here is my seal (ARC Seal) proving it."

If Gmail trusts the University, it will accept the email even if DMARC fails locally.

4. "Unauthenticated email is not accepted" and what to tell your users

If you have moved to p=reject, your users might get bounce messages when emailing lists or alumni addresses.

The hard truth: You cannot fix this in your DNS. The forwarding server is misconfigured (not using ARC or SRS properly), but you did everything the right way in your DNS setup.

What to say: "The error is occurring at the forwarding server. They are forwarding email without preserving the authentication headers (ARC). Our strict security policy prevents unauthorized servers from sending mail as us."

5. 2025 Reality: Why Enforcement Makes This Pain Visible

As you move towards enforcement (p=reject), these forwarding failures stop being silent statistics and start being missing emails.

This is why monitoring is crucial. You need to distinguish between "actual spoofing" and "broken forwarding chains." In our monitoring guide, we talk about how to spot these patterns (like "forwarder-rewrite" artifacts) in your reports.
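One way to make that distinction when reading aggregate reports, as an added example that is not from the original post or the monitoring guide it mentions. The report fragment is constructed (element names follow the RFC 7489 aggregate format), and the verdict labels and rules are an assumed triage heuristic.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate-report fragment; all domains and IPs are sample values.
REPORT = """<feedback>
<record><row><source_ip>198.51.100.5</source_ip><count>12</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.example</header_from></identifiers>
 <auth_results><dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
  <spf><domain>university.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.7</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.example</header_from></identifiers>
 <auth_results><dkim><domain>yourdomain.example</domain><result>fail</result></dkim>
  <spf><domain>lists.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.99</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.example</header_from></identifiers>
 <auth_results><spf><domain>yourdomain.example</domain><result>fail</result></spf>
 </auth_results></record>
</feedback>"""

def triage(xml_text: str) -> list:
    results = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        header_from = rec.findtext("identifiers/header_from")
        dkim = rec.findtext("row/policy_evaluated/dkim")  # aligned DKIM result
        spf = rec.findtext("row/policy_evaluated/spf")    # aligned SPF result
        # Did any DKIM signature claim our own domain, whatever its result?
        own_sig = any(d.findtext("domain") == header_from
                      for d in rec.iterfind("auth_results/dkim"))
        if spf == "pass":
            verdict = "ok"
        elif dkim == "pass":
            verdict = "forwarded-dkim-survived"   # relay IP, signature intact
        elif own_sig:
            verdict = "modified-in-transit"       # our signature present but broken
        else:
            verdict = "possible-spoofing"         # nothing ties the mail to us
        results.append((ip, verdict))
    return results

if __name__ == "__main__":
    for ip, verdict in triage(REPORT):
        print(ip, verdict)
```

A failing signature that names your domain can also be forged, so "modified-in-transit" is a hint for follow-up, not proof. Reports come from third parties, so parse real ones with a hardened XML parser such as defusedxml.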

FAQ: Quick Answers

Does forwarding affect DMARC?

Yes. Forwarding almost always breaks SPF. If DKIM also breaks (due to content modification), DMARC will fail.

Can I whitelist forwarders?

No. You cannot add every university and ISP in the world to your SPF record. That would be insecure and hit SPF's 10-DNS-lookup limit instantly. Sorry about that.

Why do lists break DMARC?

Mailing lists often modify the email subject or body (footers), which invalidates the DKIM signature.
