1

Assume I ask someone to create a filter in their Gmail account that automatically forwards certain emails to my inbox. If the original email was protected with DMARC, would the forwarded email also be protected? Or does it lose the protection once it's forwarded? Does the response vary for other email providers (such as Microsoft, Apple and Yahoo Mail)?

schroeder

2 Answers

3

This depends on how exactly forwarding is done and how DMARC is set up by the sender and checked by the recipient's MTA. DMARC can be based on SPF or DKIM. SPF relies solely on the sender's MTA source IP address, which will not be retained when forwarding. DKIM instead uses a cryptographic signature, which will be retained and still work if the forwarding includes the mail as it is, without any kind of changes regarding headers, encoding etc. This is often the case with redistributing but is not the case with inline forwarding.

In short: one cannot rely on it.

Steffen Ullrich
  • @Steffen Ullrich Thanks for your reply. So automatic email forwards based on preset filters would be considered 'redistributing' and should retain DMARC protection (assuming protection was set up using DKIM)? Are you aware if this varies for different email providers (Gmail, Outlook and Yahoo)? Thanks! – Bradford Griggs Aug 10 '21 at 16:02
  • @BradfordGriggs: this is likely true for other email providers too. But no general statement can be made about this, i.e. one needs to actually check. – Steffen Ullrich Aug 10 '21 at 17:34
1

DMARC depends on SPF (authorization of the sending IP address) and DKIM (authorization of cryptographic keys whose signatures prove legitimacy). If neither SPF nor DKIM pass, DMARC can instruct a spam filter to reject the message.

There are three ways you can forward an email:

  1. Forward as an attachment (like reporting spam to SpamCop)
  2. Inline forward (no headers are preserved, body changes too)
  3. Use a forwarding service (like a new Bcc)

Regardless of how you forward an email, the sending IP will change, nearly always breaking SPF. Because of this, you cannot verify a DMARC policy trigger on the original message.

If you forward manually (as an attachment or inline), you're composing a new message. The DMARC protections from the forwarded message are therefore irrelevant.

If you use a forwarding service that does not modify any body content or any of the DKIM-signed headers, it should be able to pass DKIM and therefore DMARC, but only for DMARC configurations that do not depend on SPF.

If you're using an email forwarding service that implements Authenticated Received Chain (ARC), you could set up your spam filters to traverse it and trust its DMARC data. ARC is a simple mechanism in which a receiving server verifies the DMARC results and signs them. If you trust the ARC server, you can extend that to trust its DMARC results and then configure your server to key on them. (More practically, you could just ask the forwarding service to implement p=reject on their end so it's not forwarded to you).

Adam Katz
  • @Adam Katz Thanks for your reply. In short, unless a forwarding service employs Authenticated Received Chain (ARC), DMARC cannot possibly be forwarded regardless of whether it depends on SPF or DKIM. If the service does employ ARC it can include a signed message declaring the DMARC results. Are you aware whether Gmail / Outlook employ Authenticated Received Chain (ARC) when forwarding emails? Does it matter whether the emails were forwarded inline or using automatic preset filters as suggested by @Steffen Ullrich? Thanks! – Bradford Griggs Aug 10 '21 at 17:14
  • @Adam Katz Also, do you disagree with the [conclusion of this article](https://easydmarc.com/blog/email-forwarding-and-dmarc-dkim-spf/)? It states that "DKIM: Email forwarding does not affect DKIM, as long as you have not altered the content and the structure of the original Email" and that "forwarding does not impact the DKIM Signature." Whether this would apply to Gmail and Outlook depends on whether they keep the original signature intact. But it looks like it is _possible_ to forward DMARC that relies on DKIM. – Bradford Griggs Aug 10 '21 at 17:22
  • @Adam Katz Please see [this FAQ from DMARC Wiki](https://dmarc.org/wiki/FAQ): "_However there is no reason for DKIM to fail. For DKIM not to fail, you must ensure that your mail server does not drastically modify the message. Typically, the only modification that preserves DKIM is to add new email headers to the messages without touching the subject or the body of the message. Headers protected by DKIM should not be modified in any way, and the message should not be converted from one encoding to another_" – Bradford Griggs Aug 10 '21 at 17:26
  • Sorry, I've blurred the line between an email forwarding service and manually forwarded emails (inline or as an attachment). As you quoted, a forwarding service that doesn't modify the message will probably not affect DKIM but it will absolutely affect SPF. Manually forwarded emails will _always_ break both DKIM and SPF (and will lack ARC data). Gmail definitely uses ARC in addition to DMARC. I can't recall if Yahoo and MS do (ARC is a draft). I have updated my answer. – Adam Katz Aug 10 '21 at 17:50
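
Added example (not part of any answer or comment above): a small receiver-side model of the cases both answers describe, showing that an unmodified relay fails SPF but keeps a matching DKIM body hash, while an inline forward loses both. The domain, IP addresses and message body are constructed, and as stated assumptions only the DKIM `bh=` body hash (relaxed canonicalization, RFC 6376) is checked and alignment is exact-match.

```python
import base64
import hashlib
import re

FROM_DOMAIN = "sender.example"                       # constructed From: domain
SPF_AUTHORIZED = {"sender.example": {"192.0.2.10"}}  # constructed SPF record contents
ORIGINAL = b"Hello Bob,\r\nInvoice attached.\r\n"    # constructed message body


def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse whitespace runs to one space, then drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


SIGNED_BH = body_hash(ORIGINAL)  # value fixed by the sender at signing time


def evaluate(body, connecting_ip, envelope_domain=FROM_DOMAIN, dkim_domain=FROM_DOMAIN):
    """Verdicts a receiver would reach for one delivery of the message.

    Assumptions: the DKIM header signature itself is taken as valid, so only
    the body hash decides DKIM; alignment is an exact domain match.
    """
    spf = connecting_ip in SPF_AUTHORIZED.get(envelope_domain, set())
    dkim = body_hash(body) == SIGNED_BH
    dmarc = (spf and envelope_domain == FROM_DOMAIN) or (dkim and dkim_domain == FROM_DOMAIN)
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc}


if __name__ == "__main__":
    fwd_ip = "198.51.100.7"  # constructed forwarder address, absent from the SPF record
    inline = b"---------- Forwarded message ---------\r\n" + ORIGINAL
    print("direct delivery ", evaluate(ORIGINAL, "192.0.2.10"))
    print("relay, unchanged", evaluate(ORIGINAL, fwd_ip))
    print("inline forward  ", evaluate(inline, fwd_ip))
```

Relaxed canonicalization tolerates only whitespace changes within and at the end of lines and trailing empty lines; any other body edit by the forwarder changes the hash.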