Why Email Forwarding Breaks SPF (And How DKIM Saves You)
Email forwarding breaks SPF authentication because the sending IP changes. Learn why this happens, how DKIM and ARC solve the problem, and what to configure.
You've set up SPF perfectly. Every sending service is included. The record passes validation. Then you discover SPF is failing for a chunk of your recipients — and the cause is email forwarding, something you can't control.
Email forwarding is the most common reason SPF breaks on otherwise properly configured domains. Here's why it happens and how to protect your deliverability.
Why Forwarding Breaks SPF
SPF works by checking whether the sending IP address is authorized by the sender's domain. When an email is forwarded, the IP address changes — the forwarding server sends the email, not the original server.
The Sequence
- You send an email from IP 1.2.3.4 (authorized in your SPF record)
- The email arrives at [email protected]
- That recipient has forwarding set up to [email protected]
- Company.com's server forwards the email from IP 5.6.7.8
- Gmail checks SPF: "Is 5.6.7.8 authorized by the sender's domain?"
- SPF fails — 5.6.7.8 isn't in your SPF record, and it shouldn't be
You can't add every possible forwarding server to your SPF record. There are millions of them, and you don't know which recipients use forwarding.
Who Forwards Email?
Email forwarding is more common than many senders realize:
- University alumni addresses forwarding to personal accounts
- Vanity domains forwarding to Gmail or Outlook
- Company email forwarding to personal accounts during vacation
- Old email addresses forwarding to new ones after job changes
- Mailing lists that redistribute email to subscribers
How DKIM Survives Forwarding
Unlike SPF, DKIM doesn't depend on the sending IP address. DKIM signs the email content with a cryptographic signature. When the email is forwarded, the signature stays intact (as long as the email content isn't modified).
The Sequence with DKIM
- You send an email signed with your DKIM key
- The email is forwarded through any number of servers
- The final receiving server checks the DKIM signature
- The signature validates against your public key in DNS
- DKIM passes — regardless of which IP forwarded it
This is exactly why DMARC supports alignment with either SPF or DKIM. As long as one passes and aligns, DMARC passes. For forwarded email, DKIM is typically the one that passes.
DKIM can break during forwarding if the forwarding server modifies the email — adding a footer, changing encoding, or rewriting headers. This is less common than SPF failure but does happen with some mailing list software.
Verify your DKIM setup
Run a free deliverability check to confirm DKIM is properly configured. DKIM is your safety net when SPF breaks from forwarding.
ARC: The Protocol That Fixes Forwarding
Authenticated Received Chain (ARC) is a protocol designed specifically to solve the forwarding authentication problem.
How ARC Works
When a trusted intermediary (like a mailing list or forwarding service) handles your email:
- The intermediary validates the original authentication (SPF, DKIM, DMARC)
- It records the results in ARC headers
- It signs these results with its own key
- The final receiver checks the ARC chain to see that authentication was valid before forwarding
ARC essentially says: "I checked authentication before forwarding, and it was passing. Here's my signature to prove it."
ARC Support
Major providers support ARC:
- Gmail validates and generates ARC signatures
- Microsoft validates ARC headers
- Yahoo supports ARC validation
ARC is still maturing, but its adoption has increased significantly since Google and Yahoo's bulk sender requirements drew attention to authentication in forwarding scenarios.
Do You Need to Configure ARC?
As a sender, you don't configure ARC directly. ARC is implemented by intermediaries (forwarding services, mailing lists). What you need to do:
- Ensure DKIM is properly configured (ARC relies on the original DKIM signature as part of its validation chain)
- Have a DMARC record in place
- Consider adding an ARC-friendly forwarding policy if you operate mailing lists or forwarding services yourself
What to Do About Forwarding Failures
Ensure DKIM Is Always Configured
DKIM is your primary defense against forwarding-related SPF failures. If you haven't set up DKIM, or if it's misconfigured, forwarded emails fail both SPF and DKIM — and DMARC fails too.
Every sending service you use should have DKIM configured. Check your domain to verify.
Review DMARC Reports
DMARC aggregate reports show you which emails fail authentication and why. If you see patterns like:
- SPF failing from unfamiliar IPs
- DKIM passing from the same emails
- DMARC passing overall (because DKIM aligned)
This is normal forwarding behavior and doesn't require action.
If you see both SPF and DKIM failing from certain sources, investigate whether:
- DKIM is misconfigured for a sending service
- A mailing list is modifying your emails (breaking DKIM)
- Someone is spoofing your domain
Don't Try to Fix SPF for Forwarding
You might be tempted to add forwarding servers to your SPF record. Don't:
- You can't know all possible forwarding servers
- Adding too many IPs weakens SPF's security purpose
- Your SPF record would exceed the 10-lookup limit
- The proper solution is DKIM, not a broader SPF record
Handle Mailing Lists Carefully
Mailing lists are the most problematic forwarding scenario because they often:
- Change the envelope sender (breaking SPF)
- Add footers or modify content (breaking DKIM)
- Redistribute to many recipients (amplifying failures)
If you send to mailing lists, ensure your DMARC policy accounts for this. A p=reject policy can cause mailing list distribution to fail entirely. Some organizations use p=quarantine instead to reduce this impact while still protecting against spoofing.
The Bottom Line
| Protocol | Survives Forwarding? | Why |
|---|---|---|
| SPF | No | Forwarding changes the sending IP |
| DKIM | Usually yes | Signature is tied to content, not IP (breaks if content is modified) |
| DMARC | Yes, if DKIM passes | Only needs one of SPF or DKIM to align |
| ARC | Yes | Preserves original authentication through the chain |
The practical takeaway: DKIM is not optional. It's your authentication safety net for the substantial percentage of email that gets forwarded before final delivery.