Your mail passes DMARC normally, but the same message fails DMARC after it's forwarded or sent through a mailing list — and your reports fill with failures from IPs you don't recognise.
Forwarding rewrites the delivery path. SPF almost always breaks because the forwarding server's IP isn't in your SPF record; DKIM usually survives plain forwarding (the signature travels with the message), so DMARC can still pass via DKIM alignment. It's mailing lists and middleboxes that add subject prefixes, footers or re-wrap MIME that break DKIM too — and then DMARC fails outright. The fix lives at the intermediary: ARC (RFC 8617) records the authentication results before modification so a trusting receiver can honor them, and both Gmail and Microsoft evaluate ARC when deciding DMARC for forwarded mail. Source: RFC 8617 (ARC) · verified 2026-07-15
DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.