DKIM and SPF fail-unaligned due to outlook.com forwarding

Hi guys,

I’ve noted that the majority of my e-mails have been forwarded by “*.outlook.com” and after the forwarding DKIM and SPF shows status “fail-unaligned” and my messages have been marked as Quarantine. I see also that during forwarding outlook.com is changing the DKIM and SPF domain to recipient’s outlook account domain, which I believe causes the quarantine policy to be applied.

Can you please advise me, what can I do in order to make outlook.com to preserve my DKIM and SPF?

Kind Regards,
Nikolay Zhelev

Hi Nikolay,

Short answer, nothing as it is mostly not up to you. The effect forwarding has on an email can be hard to predict. The majority of forwarding will occur with some sort of address rewriting on the return-path, which will most often cause alignment failure with SPF. This is to be expected. All you can do, is to ensure your own systems are properly configured with both SPF and DKIM. DKIM can especially be helpful with forwarding, but there are instances where it could be stripped out.

If you have both DKIM and SPF configured and aligned with your From: header in a DMARC compliant manner, then the forwarder and how it is performing the forwarding will ultimately determine if the authentication will survive the forwarding. For instance, Outlook mailbox rule redirect action will typically save the original DKIM signature, and assuming no changes are made to the DKIM signed content of the mail, will be delivered with DMARC verdict of pass. However, any changes to the body or subject, such as tagging, disclaimer, banners etc, would break it.

In the end, there is no easy answer. Ensuring your systems are properly configured is the best and in many case only step realistically available to you. In case of known forwarders (i.e business partner with whom you have a critical relationship) then it makes sense to reach out to point out the issue.

I hope this helps.

Ash @ dmarcian

Hi Ash,

Thank you very much for your complete reply. I’m doing my best to keep my domain properly configured. If you have time, would you be able to perform a quick check on my records. I’ll send the address on PM.
Also I have critical relationship with my business partners and I’ll try to reach them to communicate this issue.
Kind Regards,
Nikolay