
Forwarding and mailing lists: why DMARC breaks and why you can't just fix it

Forwarding and discussion lists are a classic DMARC pain point: SPF usually breaks, DKIM sometimes breaks, and then users blame the receiving org. We explain why this is structural, and how ARC and SRS attempt to fix it.

Marc, Owner

Be me. You have set up DMARC. You are monitoring your reports. Everything looks green, except for one annoying cluster of failures coming from Google, Outlook, or university servers.

You investigate. It wasn’t you sending those emails.

It was your user sending an email to a mailing list. Or an old alumni address forwarding to Gmail. Or a client forwarding your invoice to their accountant.

And DMARC failed. Why? Because forwarding breaks email authentication by design.

1. Forwarding breaks SPF, and it always will

Let’s trace the path of a forwarded email:

  1. You send an email to Alice at her university address.
  2. Your server connects to the university server. The university checks SPF. It sees your IP. SPF passes.
  3. But Alice has set up auto-forwarding to her personal Gmail address.
  4. The university server connects to Gmail to deliver the message.
  5. Gmail checks SPF. It looks at the IP address sending the mail. It sees the university’s IP.
  6. Gmail checks your SPF record. Does the university’s IP have permission to send mail for yourdomain.com? No.

SPF fails. And if you don’t have a valid DKIM signature that survives the journey, DMARC fails too.

2. Mailing lists make it worse

Mailing lists (Google Groups, Mailman) don’t just forward. They modify the message, by design.

They tag subjects: [Marketing-Group] Re: Weekly update. They append footers: “To unsubscribe from this group…”

As soon as the mailing list software edits the body or the subject line, the DKIM signature breaks. The “wax seal” is broken.

So now SPF fails (because the IP is the mailing list server), DKIM fails (because the content was modified), and DMARC fails (because both failed).

This is why “DMARC-aware” mailing lists now often rewrite the From: header to the list's own address rather than the original sender's, to avoid DMARC rejection.

3. ARC and SRS: the attempted fixes

Can you fix this? Mostly, no. It’s up to the intermediaries.

SRS (Sender Rewriting Scheme)

This tries to fix SPF. The forwarding server rewrites the Return-Path to its own domain. So when Gmail checks SPF, it checks the forwarder’s domain, not yours. This helps SPF pass, but it breaks SPF alignment for DMARC.
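The hops from sections 1 and 2 and the SRS rewrite above, modeled as an added example (not code from the original post). The IPs, university.example, the rewritten envelope addresses and the HMAC standing in for a real DKIM signature are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the IPs, university.example and the key are illustrative.
SPF = {"yourdomain.com": {"192.0.2.10"},         # your outbound server
       "university.example": {"198.51.100.20"}}  # one host plays forwarder and list
KEY = b"constructed-key"  # an HMAC stands in for the real DKIM public-key signature

def dkim_sign(msg):
    """Toy DKIM for d=yourdomain.com: MAC over From, Subject and body."""
    data = "\n".join((msg["from"], msg["subject"], msg["body"])).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def evaluate(msg, sending_ip):
    """SPF, DKIM and DMARC results as the receiver of this hop computes them."""
    from_dom = msg["from"].rsplit("@", 1)[1]
    env_dom = msg["return_path"].rsplit("@", 1)[1]
    # SPF is checked against the envelope (Return-Path) domain, not From:
    spf = sending_ip in SPF.get(env_dom, set())
    dkim = hmac.compare_digest(msg["sig"], dkim_sign(msg))
    # DMARC passes only if a passing mechanism is aligned with the From: domain.
    # The toy signature is always d=yourdomain.com.
    dmarc = (spf and env_dom == from_dom) or (dkim and from_dom == "yourdomain.com")
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc}

def scenarios(signed=True):
    """Run the same message through each delivery path described in the text."""
    msg = {"from": "you@yourdomain.com", "return_path": "you@yourdomain.com",
           "subject": "Weekly update", "body": "Hello Alice"}
    msg["sig"] = dkim_sign(msg) if signed else ""
    # SRS: the forwarder rewrites the envelope sender into its own domain
    srs = dict(msg, return_path="SRS0=hash=tt=yourdomain.com=you@university.example")
    # Mailing list: own envelope sender, tagged subject, appended footer
    listed = dict(msg, return_path="list-bounces@university.example",
                  subject="[Marketing-Group] " + msg["subject"],
                  body=msg["body"] + "\nTo unsubscribe from this group...")
    return {"direct": evaluate(msg, "192.0.2.10"),
            "plain forward": evaluate(msg, "198.51.100.20"),
            "SRS forward": evaluate(srs, "198.51.100.20"),
            "mailing list": evaluate(listed, "198.51.100.20")}

if __name__ == "__main__":
    for signed in (True, False):
        print("DKIM-signed" if signed else "unsigned")
        for hop, result in scenarios(signed).items():
            print(f"  {hop:14} {result}")
```

With a DKIM signature the plain and SRS forwards still pass DMARC on DKIM alone; without one, SRS turns SPF green while DMARC stays failed, which is the alignment problem described above.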

ARC (Authenticated Received Chain)

This is the modern solution. It allows intermediaries (like Google or Microsoft) to “vouch” for the authentication.

Basically, the university server says to Gmail: “Hey, I checked DMARC when I received this, and it passed. Here is my seal (ARC Seal) proving it.”

If Gmail trusts the university, it will accept the email even if DMARC fails locally.

4. What to tell your users when emails bounce

If you have moved to p=reject, your users might get bounce messages when emailing lists or alumni addresses.

The hard truth: you cannot fix this in your DNS. The forwarding server is misconfigured (not using ARC or SRS properly), but you did everything the right way in your DNS setup. If you need help with the DNS configuration, our DMARC generator can help.

What to say: “The error is occurring at the forwarding server. They are forwarding email without preserving the authentication headers (ARC). Our strict security policy prevents unauthorized servers from sending mail as us.”

5. Why enforcement makes this pain visible

As you move towards enforcement (p=reject), these forwarding failures stop being silent statistics and start being missing emails.

This is why monitoring matters. You need to distinguish between actual spoofing and broken forwarding chains. In our monitoring guide, we talk about how to spot these patterns (like “forwarder-rewrite” artifacts) in your reports.
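One way to separate these patterns in an aggregate report, as an added example rather than the monitoring guide's own method. The bucket names and sample rows are constructed, and alignment is simplified to an exact or subdomain match (no Public Suffix List).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Record layout follows the DMARC aggregate report schema (RFC 7489).
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count></row>"
       "<identifiers><header_from>yourdomain.com</header_from></identifiers>"
       "<auth_results><dkim><domain>{dd}</domain><result>{dr}</result></dkim>"
       "<spf><domain>{sd}</domain><result>{sr}</result></spf></auth_results></record>")
# Constructed rows: source IP, count, DKIM d=, DKIM result, SPF domain, SPF result
SAMPLE = [("192.0.2.10", 120, "yourdomain.com", "pass", "yourdomain.com", "pass"),
          ("198.51.100.20", 7, "yourdomain.com", "pass", "yourdomain.com", "fail"),
          ("198.51.100.20", 3, "yourdomain.com", "pass", "university.example", "pass"),
          ("203.0.113.5", 9, "yourdomain.com", "fail", "lists.example", "pass"),
          ("203.0.113.77", 40, "yourdomain.com", "fail", "yourdomain.com", "fail")]
KEYS = ("ip", "n", "dd", "dr", "sd", "sr")
REPORT = ("<feedback>"
          + "".join(ROW.format(**dict(zip(KEYS, r))) for r in SAMPLE)
          + "</feedback>")

def aligned(domain, header_from):
    """Simplified relaxed alignment: same domain or a subdomain of From:."""
    return domain == header_from or domain.endswith("." + header_from)

def classify(rec):
    """Bucket one <record> by which mechanism passed and for which domain."""
    hf = rec.findtext("identifiers/header_from") or ""
    spf_dom = rec.findtext("auth_results/spf/domain") or ""
    spf_pass = rec.findtext("auth_results/spf/result") == "pass"
    dkim_ok = any(d.findtext("result") == "pass"
                  and aligned(d.findtext("domain") or "", hf)
                  for d in rec.findall("auth_results/dkim"))
    if spf_pass and aligned(spf_dom, hf):
        return "direct"
    if dkim_ok:  # DMARC still passes on DKIM; SPF shows how the hop forwarded
        return "forwarded with SRS, DKIM survived" if spf_pass else "forwarded, DKIM survived"
    if spf_pass:  # SPF passed for someone else's domain and DKIM is broken
        return "envelope rewritten, DKIM broken (list-like)"
    return "no pass at all: broken forward or spoofing"

def triage(xml_text):
    """Message counts per (source IP, bucket) for one report."""
    totals = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        key = (rec.findtext("row/source_ip"), classify(rec))
        totals[key] += int(rec.findtext("row/count"))
    return totals
```

The last two buckets are leads, not verdicts: check the source IP against forwarders and lists your users actually use before treating it as either benign or spoofed.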

FAQ

Does forwarding affect DMARC?

Yes. Forwarding almost always breaks SPF. If DKIM also breaks (due to content modification), DMARC will fail. Understanding DMARC alignment helps explain why this happens.

Can I whitelist forwarders?

No. You cannot add every university and ISP in the world to your SPF record. That would be insecure and hit the 10-lookup limit instantly. Sorry about that.

Why do lists break DMARC?

Mailing lists often modify the email subject or body (footers), which invalidates the DKIM signature.
