How to fix “forwarded mail fails DMARC” from forwarding & mailing lists

Your mail passes DMARC normally, but the same message fails DMARC after it's forwarded or sent through a mailing list — and your reports fill with failures from IPs you don't recognise.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Forwarding rewrites the delivery path. SPF almost always breaks because the forwarding server's IP isn't in your SPF record; DKIM usually survives plain forwarding (the signature travels with the message), so DMARC can still pass via DKIM alignment. It's mailing lists and middleboxes that add subject prefixes, footers or re-wrap MIME that break DKIM too — and then DMARC fails outright. The fix lives at the intermediary: ARC (RFC 8617) records the authentication results before modification so a trusting receiver can honor them, and both Gmail and Microsoft evaluate ARC when deciding DMARC for forwarded mail. Source: RFC 8617 (ARC) · verified 2026-07-15

How to fix it

Step 1. Don't chase forwarder IPs into your SPF — you can't enumerate every forwarder, and you'll blow the 10-lookup limit trying.
Step 2. Rely on DKIM alignment: make sure DKIM passes for your real sends, so plain forwarding still yields DMARC pass.
Step 3. If YOU run the forwarder or list, enable ARC sealing so downstream receivers can trust the original result.
Step 4. Treat unknown forwarding failures in reports as expected noise — don't delay enforcement over them once your direct senders pass.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →