Understanding and Dealing with Forwarding

I am new to DMARC and I feel my policy and setup are pretty rock-solid; however, I am struggling to understand the forwarders section of this volume details.

Is there a guide that shows what each column means, specifically who’s doing the forwarding and how I might fix the issue? I want to change my policy to reject but want to make sure I know how to deal with these issues when they arise. Below is the portion of my report that I am looking at. Is there anything I can or should do about those?

Here is the portion of the report I am looking at. Specifically, the one at the bottom.
https://sierranevadaconstruction-my.sharepoint.com/:i:/g/personal/trabe_snc_biz/EWzznHOrfRpMvrA83iCvEv4BSwHDNcHdVOYswG8mLykoGA?e=Wlo6D2

Hi Travis and welcome to the forums.

Emails are forwarded automatically all the time, and often, more so than most users expect. A typical example is that you may be using a Gmail address and are bored of it, so you set up an auto-forward to your brand new Outlook address.

The forwarders are meant to represent email systems that received email from one of your legitimate sources, but forwarded the mail in such a way that the From address remained unchanged. This means the destination the emails are forwarded to did a DMARC check against your domain.

Specifically to your screenshot, we see here emails that are forwarded by Google. The sending IP and PTR represent the email system which did the delivery, and it is implied to be the forwarder. Now it is not always possible to understand where it originally came from, but here we can tell the email was originally sent from an MS 365 tenant or Exchange Online due to the DKIM selector used (it is a 365 default). Moreover, it passes!

The forwarders' email compliance is expressed in DKIM survival. The reason is that most automatic forwarding will rewrite the return-path due to SRS (Sender Rewriting Scheme), which will cause an alignment failure when DMARC is checked by the final destination email system. However, automatic forwarding should maintain the original headers. Since DKIM is a header, there are chances where it will still pass. It does in your example.

So overall, the Forwarders tab is meant to show you how much and how often the email you send is typically forwarded, and its DMARC compliance. To help this compliance, deploy DKIM wherever possible on your email sources. Once done, you can review the expected impact for emails which are still not compliant, and sometimes even identify a particularly big forwarder’s domain. This is done by looking at the SPF domain column in the app. It will often have been rewritten, due to SRS, to the original recipient domain you sent the mail to, which did the forwarding.

I hope this helps.

-AM
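
The same pattern can be checked in a raw DMARC aggregate (RUA) report. The script below is an added example, not part of the posts above and not how the reporting app classifies forwarders. The sample report, its domains and IPs, the `aligned` simplification and the "SPF passes for an unaligned domain" heuristic are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # for reports received from the internet, parse with defusedxml instead
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; domains and IPs are placeholders.
def _rec(ip, count, dkim_eval, spf_eval, spf_dom, dkim_res):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim_eval}</dkim><spf>{spf_eval}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers>"
            "<auth_results><dkim><domain>example.com</domain><selector>selector1</selector>"
            f"<result>{dkim_res}</result></dkim>"
            f"<spf><domain>{spf_dom}</domain><result>pass</result></spf></auth_results></record>")

SAMPLE_RUA = "<feedback>" + "".join([
    _rec("192.0.2.10", 40, "pass", "pass", "example.com", "pass"),          # direct delivery
    _rec("198.51.100.7", 12, "pass", "fail", "forwarder.example", "pass"),  # forwarded, DKIM survived
    _rec("198.51.100.8", 3, "fail", "fail", "forwarder.example", "fail"),   # forwarded, DKIM broken
]) + "</feedback>"

def aligned(domain, header_from):
    """Simplified relaxed alignment: same domain or a subdomain of From.
    A real evaluator compares organizational domains using the Public Suffix List."""
    d, f = domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return d == f or d.endswith("." + f)

def forwarder_summary(rua_xml):
    """Per SPF domain: message counts for rows that look forwarded, split by DKIM survival."""
    out = defaultdict(lambda: {"dkim_survived": 0, "dkim_broken": 0})
    for rec in ET.fromstring(rua_xml).iter("record"):
        count = int(rec.findtext("row/count"))
        header_from = rec.findtext("identifiers/header_from")
        spf_domain = rec.findtext("auth_results/spf/domain")
        spf_result = rec.findtext("auth_results/spf/result")
        # Heuristic: SPF passes, but for a rewritten envelope domain that no longer aligns with From.
        # A third-party sender without aligned SPF produces the same shape, so review the domains.
        if spf_result != "pass" or aligned(spf_domain, header_from):
            continue
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from)
                      for d in rec.iterfind("auth_results/dkim"))
        out[spf_domain]["dkim_survived" if dkim_ok else "dkim_broken"] += count
    return dict(out)

if __name__ == "__main__":
    print(forwarder_summary(SAMPLE_RUA))
```

Messages counted under `dkim_broken` are the ones a `p=reject` policy would affect at the final destination.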