SPF hard fail vs soft fail with forwarding

Hi All,
I switched to a DMARC reject policy and my SPF to hard fail (“-all”).
We send emails from different services; all of them are aligned in my SPF and have a valid DKIM signature.

When we send emails to recipients who forward my emails (from work to personal inbox for example, or mailing list groups, etc.), this breaks my SPF alignment for DMARC because the recipient re-sends my email with his domain as the envelope.
However, I have no problem as long as I have DKIM, but if I were to lose DKIM (due to altered content in the message body, for example) I believe the only way is ARC (if adopted by the recipient).

The question is: what changes in all this if I have an SPF (on my domain) in hard fail or in soft fail? I think nothing, because when the forward happens it changes the envelope with his domain, but I’m not sure and I would like to understand if this affects anything with the delivery of my message in forwarding cases.

Thanks in advance.

Your assumption is correct. In the overwhelming majority of cases the “all” directive will not matter at all. In fact, in most cases your SPF record will not come into play because of SRS (sender rewriting schemes), the process whereby the envelope sender (SMTP Mail From) is rewritten for the purposes of resending an email. When this occurs, your domain is no longer evaluated for SPF in favour of the forwarder’s.

As you stated, DKIM and ARC become the tools used to ensure successful delivery as it pertains to email authentication. Deploying DKIM wherever possible is of great help. In other cases, such as sender to Mailing List or Google Groups, you have little to worry about since all the major mailing list providers handle rewriting of the From header when forwarding email for a domain having published a DMARC enforcement.

I hope this helps.


Thank you so much Asher for your feedback. It’s all clear now.
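
The forwarding cases discussed in this thread, as an added example that is not part of any post: a simplified model of the DMARC decision, run once with the sender's SPF ending in "-all" and once in "~all". The domains, the `Message` fields and the two-label organizational-domain shortcut are assumptions made for illustration; it models only the DMARC verdict, not any separate handling a receiver applies to an SPF fail.

```python
# Added example: simplified DMARC decision (SPF/DKIM result plus alignment).
# Every domain and result below is a constructed sample value.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain;
    # a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str) -> bool:
    # Relaxed alignment: organizational domains must match.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str   # domain in the From header
    mail_from: str     # envelope sender domain (SMTP MAIL FROM)
    spf_result: str    # "pass", "fail" (-all) or "softfail" (~all)
    dkim_domain: str   # d= domain of the DKIM signature
    dkim_result: str   # "pass" or "fail"

def dmarc(msg: Message) -> str:
    # Only an SPF *pass* counts; fail and softfail are both "not pass".
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.header_from)
    return "pass" if spf_ok or dkim_ok else "fail"

def outcomes(all_result: str) -> dict:
    # all_result is what the sender's "all" mechanism yields for an
    # unlisted forwarder IP: "fail" for -all, "softfail" for ~all.
    me, fwd = "example.com", "forwarder.test"
    cases = {
        "direct": Message(me, "bounce.example.com", "pass", me, "pass"),
        "forward_rewritten": Message(me, fwd, "pass", me, "pass"),
        "forward_rewritten_dkim_broken": Message(me, fwd, "pass", me, "fail"),
        "forward_not_rewritten": Message(me, me, all_result, me, "pass"),
        "forward_not_rewritten_dkim_broken": Message(me, me, all_result, me, "fail"),
    }
    return {name: dmarc(m) for name, m in cases.items()}

if __name__ == "__main__":
    for qualifier, result in (("-all", "fail"), ("~all", "softfail")):
        print(qualifier, outcomes(result))
```

In this model both qualifiers give the same verdict for every case: a forwarded message passes DMARC only while the aligned DKIM signature still verifies.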