Understanding and Dealing with Forwarding

I am new to DMARC and I feel my policy and setup are pretty rock-solid; however, I am struggling to understand the forwarders section of this volume details.

Is there a guide that shows what each column means, specifically who’s doing the forwarding and how I might fix the issue? I want to change my policy to reject but want to make sure I know how to deal with these issues when they arise. Below is the portion of my report that I am looking at. Is there anything I can or should do about those?

Here is the portion of the report I am looking at. Specifically, the one at the bottom.
https://sierranevadaconstruction-my.sharepoint.com/:i:/g/personal/trabe_snc_biz/EWzznHOrfRpMvrA83iCvEv4BSwHDNcHdVOYswG8mLykoGA?e=Wlo6D2

Hi Travis and welcome to the forums.

Emails are forwarded automatically all the time, and often, more so than most users expect. A typical example is that you may be using a Gmail address and are bored of it, so you set up an auto-forward to your brand new Outlook address.

The forwarders are meant to represent email systems that received email from one of your legitimate sources, but forwarded the mail in such a way that the From address remained unchanged. This means the destination the emails are forwarded to did a DMARC check against your domain.

Specifically to your screenshot, we see here emails that are forwarded by Google. The sending IP and PTR represent the email system which did the delivery, and is implied to be the forwarder. Now it is not always possible to understand where it originally came from, but here we can tell the email was originally sent from an MS 365 tenant or Exchange Online due to the DKIM selector used (it is a 365 default). Moreover, it passes!

The forwarders' email compliance is expressed in DKIM survival. The reason is that most automatic forwarding will rewrite the return-path due to SRS (Sender Rewriting Scheme), which will cause an alignment failure when DMARC is checked by the final destination email system. However, automatic forwarding should maintain the original headers. Since DKIM is a header, there is a chance it will still pass. It does in your example.

So overall, the Forwarders tab is meant to show you how much and how often the email you send is typically forwarded, and its DMARC compliance. To help this compliance, deploy DKIM wherever possible on your email sources. Once done, you can review the expected impact for emails which are still not compliant, and sometimes even identify a particularly big forwarder’s domain. This is done by looking at the SPF domain column in the app. It will often have been rewritten due to SRS to the original recipient domain you sent the mail to that did the forwarding.

I hope this helps.

-AM

I recently installed this for a client of mine. There have been only a handful of issues due to forwarding. It sounds like this is limited to the ‘automatic’ forwarding of email based on an automated instruction. I’m assuming that if someone manually presses the ‘forward email’ button that this would not be categorized as such?

Also, of the 5 emails that have been identified as forwarded, 3 maintained 100% DMARC compliance, and 2 were 0%. I have my DMARC set up to quarantine the emails. Where are they quarantined? Will the recipient ever know that the emails were prevented from arriving at their destination? Will my client ever be alerted that these emails did not reach their destination? Is there a way to allow automatic forwarding without opening up the rules to unintended consequences?

You are correct, pressing the forward button sends a new email, changing the from address rather than maintaining the original sender’s.

Regarding the quarantine policy: the action is for receivers to take, and will vary depending on the email security system used. For instance, the default behaviour for many is to put the email in the recipient’s spam folder. For others, it will quarantine the email for either an administrator, or a user to release upon review. Visibility into quarantined emails is only on the receiver side. You can review the policy applied on emails in DMARC aggregate reports, so you know which source is being quarantined.

Thanks for that feedback. This was the piece of the puzzle I was missing. Now I feel like I can explain this to my client when the topic comes up.