I have questions about Forwarders.
I read several documents about the impact of forwarding emails on DMARC, and learned that in order to survive mail forwarding, DKIM must be implemented on the sending side.
But several of our mail servers don’t support DKIM. Currently our DMARC policy is set to none.
If I change it to quarantine, will it really cause many of those non-DKIM mails to go to the SPAM box?
I heard from someone who is familiar with DMARC; he says “it depends on the receiving side, because many of them add their own rules”. He also recommended implementing DKIM as much as I can.
At the same time, he said I should expect a small percentage of forwarded emails to go to the SPAM box.
My second question is, is there anything to improve this?
You are correct regarding DKIM. It is the single most useful action you can take to give forwarding a better chance to pass. With that being said, I strongly recommend you use the “Compliance Filter” in the detail viewer and choose “Impact of Policy”. This result will filter out DMARC checks where the receiver has stated they performed an override, which is common when an email is forwarded, fails DMARC, but would otherwise have passed. An override means even with a policy of quarantine or reject, they would have accepted the mail regardless of a failing DMARC verdict.
Some tips regarding recipients of your emails that do forwarding:
Deploy DKIM wherever possible
Ensure you have the latest contact information for who you send mail to
Clean and update marketing lists
For those receivers who reach out, tell them forwarding is not recommended
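An added example, not part of the original thread or the vendor's tooling: a rough equivalent of the override filter described above, run over a raw aggregate report. It assumes the RFC 7489 aggregate report layout, where a receiver records an override as a `<reason>` element inside `<policy_evaluated>`; the sample report, the `_rec` helper and the bucket names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _rec(ip, count, dkim, spf, reason=""):
    """Build one constructed <record> for the sample report below."""
    why = f"<reason><type>{reason}</type></reason>" if reason else ""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf>{why}</policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample (documentation IPs), laid out like an RFC 7489 aggregate report.
SAMPLE_REPORT = "<feedback>" + "".join([
    _rec("192.0.2.10", 40, "pass", "pass"),                   # DKIM-signing server
    _rec("192.0.2.11", 10, "fail", "pass"),                   # non-DKIM server, direct
    _rec("198.51.100.7", 5, "fail", "fail", "local_policy"),  # forwarded, overridden
    _rec("198.51.100.9", 3, "fail", "fail", "forwarded"),     # forwarded, overridden
    _rec("203.0.113.20", 2, "fail", "fail"),                  # forwarded, no override
]) + "</feedback>"

def policy_impact(report_xml):
    """Return (message counts per bucket, sources with failures and no override)."""
    totals, at_risk = Counter(), []
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated/dkim and /spf are the aligned results; one pass is enough.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            totals["pass"] += count
        elif evaluated.find("reason") is not None:
            # Receiver declared an override (local_policy, forwarded, mailing_list, ...).
            totals["fail_overridden"] += count
        else:
            # DMARC fail with no declared override: exposed to quarantine/reject.
            totals["fail_at_risk"] += count
            at_risk.append((row.findtext("source_ip"), count))
    return totals, at_risk

if __name__ == "__main__":
    totals, at_risk = policy_impact(SAMPLE_REPORT)
    print(dict(totals))
    print(at_risk)
```

If a report declares an XML namespace on `<feedback>`, the tag lookups need that namespace prefix.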
Thanks for the exact answer!
In the CSV file downloaded from the detail viewer I noticed “local_policy”. That must be it!
I guess that’s what my friend was referring to as “own policy”.
Anyway, I'll try to implement DKIM as much as possible, because that policy might be changed in the future.
Thanks again for your concise answer!
Hi Asher,
I have another question regarding forwarders. From the forwarders tab, I can see the source, but these are the sources of the forwarding servers, right? Those are not the source of the original servers where the email comes from.
Here is what I did to find out the source.
I downloaded the CSV file from the detail viewer result, filtered only for forwarders.
In the CSV file, I made a filter rule to show only rows where “#SPF_Mail_From” is different from the #PTR column.
Because nobody seems to have answered this question, I tested this on my own. Here is the answer to my questions.
The source IP of forwarders is the IP address of the forwarding email servers, not the original sender’s IP.
The SPF Mail From domain is extracted from the “mail from” or envelope-from email address.
It’s a bit confusing to see it as “source IP” in forwarders, because it’s not really the original sender’s IP address.
The question now is “How can I find the original sender’s domain?”
I think it’s not always possible to find it, but the SPF mail from and DKIM domain might have the original sender’s domain. SPF mail from can be easily forged, so we can’t trust it 100%. Also in many cases, the DKIM domain is set to the default domain of the email sending platform. This makes it difficult to track down.
Please correct me if my understanding is not correct, or any comments on this are appreciated!