Understanding Auto Forwarding

Hi all,

I am working with a 3rd party (redSift OnDMARC) to implement DMARC across my domain and have hit a bit of a wall after configuring all protocols: SPF, DKIM & DMARC. The 3rd party are suggesting it is a good time to place my domain into Reject. However, I am not completely sold on the matter, as I am seeing a huge volume for Google Workspace on my domain and that is constant every month. I am being told that Google is a forwarder and most of the traffic I see is Auto Forwarding.

I have also been told that my DMARC reports show me the last hop of the email flow before reaching a recipient on my domain. However, I believe the product is telling us that someone is sending email and is saying it is coming from my domain.

My issue is that I don’t believe that the 3rd party’s product would have visibility of Auto forwarding. I am a Microsoft shop and I do not allow the use of Google Workspace on my domain. I believe the tool is showing me services that are pretending to be our domain, which wouldn’t include Auto-Forwarding and doesn’t make sense in this instance. The big question that I have is why do I see Google Workspace as a sender of my domain, when it is not authorised on my system. I am also trying to understand if that is legitimate or malicious traffic that I am seeing. The volume of email that I have is in the thousands and I am concerned that if I just switch to reject, I may potentially impact a live system.

Hi Obi and welcome to the forums!

I will make some assumptions here as I am not familiar with the onDMARC solution enough to speak on their behalf. It might be worthwhile for you to speak with their support if you haven’t done so. That being said, it’s likely forwarding, and quite possibly Google Group behaviour.

Emails are forwarded automatically all the time, and often. More so than most users expect. A typical example is that you may be using a Gmail address and are bored of it. So you set up an auto forward to your brand new Outlook address.

DMARC data that displays forwarding will show your domain as a sender, a Google IP as the sender, and a variety of reporters (recipient who sent the DMARC report as part of their DMARC check). This number can increase quite dramatically if the forwarding is done as part of Google Group delivery.

A Google Group is how Google handles distribution lists. It behaves the same way as a mailing list. Let’s use a hypothetical example.

example.com is hosted on Google Workspace
group@example.com is a Google Group (distribution list) with 20 members.

If you send an email to group@example.com, your domain will receive a DMARC report with a unique email count of 21. This is because Google performs a DMARC check for each email it distributes to members of that group, even if the members are also on example.com.

In the DMARC report or reports:
1 count will be for when Google initially received the email from your domain. This will show Google reporting your IP sending them an email from your domain.

20 counts will appear as sent from Google, to Google on behalf of your domain. This is the Google Group behaviour.

If you have a large number of Google forwarding, this is quite possibly the reason why. This is especially true if the XML report contains an Override Comment field of “arc=pass”. The good news is, just like most mailing lists, Google rewrites the From header of domains publishing a DMARC policy of quarantine or reject to prevent impact on emails forwarded as part of their Google Group distribution. This means the number of Google forwarding will drop significantly once you publish an enforcement policy in DMARC, assuming you haven’t already done so.

Overall, forwarding can be difficult to grasp and analyze through DMARC data alone. Speak with your service provider should you still have concerns; they are uniquely positioned to help you since they have access to your data.

I hope this helps!
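
An added example, not part of the original posts and not OnDMARC's or Google's code: one way to separate forwarding-shaped rows from unexplained failures in a DMARC aggregate (RFC 7489) report, using the `arc=pass` override comment described in the reply above. The sample report, bucket names and function names are constructed for illustration, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
def _rec(ip, count, dkim, spf, reason=""):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf>{reason}</policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

ARC = "<reason><type>local_policy</type><comment>arc=pass</comment></reason>"
SAMPLE_REPORT = "<feedback>" + "".join([
    _rec("192.0.2.10", 1, "pass", "pass"),           # the domain's own mail server
    _rec("198.51.100.7", 20, "fail", "fail", ARC),   # group fan-out, receiver override
    _rec("198.51.100.8", 5, "pass", "fail"),         # forwarded, DKIM signature intact
    _rec("203.0.113.50", 3, "fail", "fail"),         # no override recorded
]) + "</feedback>"

# Override reason types from RFC 7489 that indicate forwarding or list traffic.
FORWARD_TYPES = {"forwarded", "trusted_forwarder", "mailing_list"}

def classify(record):
    """Bucket one <record> by its DMARC-evaluated (aligned) results."""
    pe = record.find("row/policy_evaluated")
    if pe.findtext("spf") == "pass":
        return "authorised-source"      # source IP is covered by the domain's SPF
    if pe.findtext("dkim") == "pass":
        return "dkim-only"              # common when mail is forwarded unchanged
    for reason in pe.findall("reason"):
        comment = (reason.findtext("comment") or "").lower()
        if reason.findtext("type") in FORWARD_TYPES or "arc=pass" in comment:
            return "receiver-override"  # receiver attributed the failure to forwarding
    return "unexplained-fail"           # both failed and nothing explains why

def summarise(xml_text):
    """Return (message counts per bucket, source IPs to review before enforcing)."""
    totals, review = Counter(), []
    for record in ET.fromstring(xml_text).iter("record"):
        bucket, count = classify(record), int(record.findtext("row/count"))
        totals[bucket] += count
        if bucket == "unexplained-fail":
            review.append((record.findtext("row/source_ip"), count))
    return dict(totals), review

if __name__ == "__main__":
    totals, review = summarise(SAMPLE_REPORT)
    print(totals)
    print("review before p=reject:", review)
```

Reports arrive from arbitrary receivers, so in production parse them with a hardened XML parser such as `defusedxml` rather than the standard-library one used here.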