Does DKIM Survive Email Forwarding?

Learn why DKIM usually survives email forwarding but breaks in certain situations. Understand simple forwarding, mailing lists, ARC, and how to protect your deliverability.

Last updated: 2026-05-21

If you've set up DKIM (DomainKeys Identified Mail) and everything checks out, you might assume your authentication is bulletproof. But email forwarding introduces a wrinkle that catches many businesses off guard. Sometimes DKIM passes on forwarded messages. Sometimes it breaks completely. Understanding when and why makes the difference between reliable delivery and messages landing in spam.

How DKIM Differs from SPF (Sender Policy Framework) During Email Forwarding

SPF checks the sending server's IP address. When someone forwards your email, the forwarding server's IP sends the message onward, not yours. Since the forwarding server isn't listed in your SPF record, SPF always fails on forwarded email.

DKIM checks the message content and headers. The DKIM signature is embedded in the email itself. As long as the signed parts remain unchanged, DKIM verification passes regardless of which server delivers it.

This is one of DKIM's biggest advantages. It was designed to survive forwarding, in theory.

DKIM verifies what was sent (the message), not who sent it (the server). This is why DKIM survives forwarding while SPF does not.

When DKIM Survives Forwarding

In simple forwarding scenarios, DKIM works perfectly:

Auto-forwarding rules. When someone sets up their mailbox to forward incoming mail to another address, the message passes through untouched. The body, headers, and DKIM signature remain intact.

Email redirects. Services that redirect email without modifying the message preserve DKIM signatures. The message is relayed as-is.

Server-level forwarding. When a mail server forwards messages at the transport level without processing them, DKIM remains valid.

In all these cases, the forwarding system acts as a transparent relay, moving the message without touching the parts DKIM protects.

When DKIM Breaks on Forwarded Email

DKIM breaks whenever the forwarding system modifies the signed portions of the message. This happens more often than you might expect.

Mailing Lists

Mailing lists are the single biggest cause of DKIM failures. When you send to a mailing list, the list server typically:

  • Adds a footer like "To unsubscribe, visit..."
  • Modifies the Subject line with a prefix like "[ListName]"
  • Rewrites the From header to show the list address
  • Adds or changes Reply-To headers

Any of these changes invalidates the DKIM signature because the signed content no longer matches what was originally signed.

Email Gateways and Security Filters

Corporate email gateways often modify messages in transit:

  • Adding compliance disclaimers or legal footers
  • Stripping attachments or HTML content
  • Re-encoding content (changing character encoding or MIME structure)

Content Modification by Forwarding Services

Some forwarding services reformat messages, converting HTML to plain text, stripping images, adding forwarding notices, or re-wrapping long lines in the body.

The forwarding problem is widespread

A significant portion of legitimate email gets forwarded at least once. If your DKIM setup is fragile, much of your mail could fail authentication through no fault of your own.

How to Check if DKIM Survives Your Forwarding Setup

Start by confirming your DKIM record is valid. Then send test messages through your forwarding scenarios and check the authentication headers on the receiving end.

Solutions for DKIM Forwarding Failures

Use Relaxed Canonicalization

DKIM canonicalization controls how strictly the message is normalized before verification. With "relaxed" canonicalization, minor formatting changes (extra whitespace, header capitalization) are tolerated. This won't save you from major content modifications, but it prevents failures from minor adjustments during transit.

When generating your DKIM keys at dkimcreator.com, make sure your configuration uses c=relaxed/relaxed rather than c=simple/simple.
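The difference between the two settings, as an added example that is not code from the original page: a minimal Python implementation of the RFC 6376 simple and relaxed canonicalization rules, compared over constructed messages. The `survives` helper and the sample messages are assumptions for illustration; it compares canonical headers and body hashes only and does no RSA verification.

```python
import base64
import hashlib
import re

def canon_header(name, value, mode):
    """RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed) header canonicalization."""
    if mode == "simple":
        return f"{name}:{value}\r\n"              # byte-for-byte, nothing tolerated
    value = re.sub(r"\r\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def canon_body(body, mode):
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse whitespace runs and drop whitespace at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":             # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode):
    """Value a verifier compares against the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def survives(original, modified, c="relaxed/relaxed"):
    """True if the signed headers and body hash of `original` still match `modified`."""
    hmode, bmode = c.split("/")
    (oh, ob), (mh, mb) = original, modified
    headers_ok = [canon_header(n, v, hmode) for n, v in oh] == \
                 [canon_header(n, v, hmode) for n, v in mh]
    return headers_ok and body_hash(ob, bmode) == body_hash(mb, bmode)

# Constructed messages: (signed headers, body). Not taken from real mail.
ORIGINAL = ([("Subject", " Quarterly report"), ("From", " Alice <alice@example.com>")],
            b"Hi team,\r\nNumbers attached.\r\n")
# A relay that only touched whitespace and header-name case.
REFORMATTED = ([("subject", "  Quarterly   report "), ("From", " Alice <alice@example.com>")],
               b"Hi team,  \r\nNumbers  attached.\r\n\r\n")
# A mailing list that added a subject prefix and a footer.
VIA_LIST = ([("Subject", " [ListName] Quarterly report"), ("From", " Alice <alice@example.com>")],
            b"Hi team,\r\nNumbers attached.\r\n-- \r\nTo unsubscribe, visit...\r\n")
```

With these inputs the whitespace-only relay survives under `relaxed/relaxed` but not under `simple/simple`, and the mailing-list version fails under both.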

Rely on DMARC (Domain-based Message Authentication, Reporting, and Conformance) with Both SPF and DKIM

DMARC only requires one authentication method to pass: either SPF or DKIM. By having both configured, you give DMARC two chances to pass. For non-forwarded mail, SPF provides a safety net. For forwarded mail, DKIM is usually your best hope.
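Checking the authentication headers on the receiving end, and the DMARC "either SPF or DKIM" rule, as an added example that is not code from the original page. It parses the `Authentication-Results` header of two constructed messages and also applies DMARC's alignment requirement (RFC 7489): the passing domain must match the From domain. The sample headers, host names and the simplified `aligned` check are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: a message after plain auto-forwarding (not real traffic).
FORWARDED = """\
Authentication-Results: mx.receiver.example;
 spf=fail smtp.mailfrom=alice@example.com;
 dkim=pass header.d=example.com header.s=sel1
From: Alice <alice@example.com>
Subject: Quarterly report

Hi team
"""
# Constructed sample: the same sender relayed by a list that added a footer.
VIA_LIST = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces@list.example.net;
 dkim=fail header.d=example.com header.s=sel1
From: Alice <alice@example.com>
Subject: [ListName] Quarterly report

Hi team
"""

def parse_authres(raw):
    """Return (From domain, {method: (result, {property: value})})."""
    msg = message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[1].strip("> ").lower()
    results = {}
    for clause in msg["Authentication-Results"].split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            results[m.group(1)] = (m.group(2), dict(re.findall(r"([\w.]+)=(\S+)", m.group(3))))
    return from_domain, results

def aligned(auth_domain, from_domain):
    # Simplification: parent/child domains count as aligned; real relaxed
    # alignment compares organizational domains via the Public Suffix List.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_pass(raw):
    """DMARC passes if SPF or DKIM passes for a domain aligned with From."""
    from_domain, res = parse_authres(raw)
    spf, spf_p = res.get("spf", ("none", {}))
    dkim, dkim_p = res.get("dkim", ("none", {}))
    spf_ok = spf == "pass" and aligned(spf_p.get("smtp.mailfrom", "").rsplit("@", 1)[-1], from_domain)
    return spf_ok or (dkim == "pass" and aligned(dkim_p.get("header.d", ""), from_domain))
```

The forwarded sample passes on DKIM alone; the list sample fails because its SPF pass belongs to the list's own envelope domain, not the From domain.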

ARC: The Forwarding Fix

ARC (Authenticated Received Chain), defined in RFC 8617, is a protocol designed to solve the forwarding authentication problem. When a forwarding server that supports ARC receives an authenticated message, it:

  1. Records the original authentication results (SPF, DKIM, DMARC)
  2. Signs its own header with those results
  3. Forwards the message with the ARC headers attached

The receiving server can then see the chain of authentication: even if DKIM broke during forwarding, it knows DKIM was valid before the forward. Major providers like Google, Microsoft, and Yahoo support ARC.
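What that chain looks like to a receiver, as an added example that is not code from the original page: it groups the three ARC header fields defined in RFC 8617 by instance number and applies the structural rules (complete sets, instances numbered 1..N, `cv=none` on the first seal and `cv=pass` afterwards). The sample message, its host names and the placeholder signature values are constructed, and no cryptographic verification is performed.

```python
import re
from email import message_from_string

REQUIRED = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample: two ARC hops; signature values are placeholders.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example.net; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example.net; s=arc; b=PLACEHOLDER
ARC-Authentication-Results: i=2; list.example.net; dkim=pass header.d=example.com
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=fwd.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=fwd.example.org; s=arc; b=PLACEHOLDER
ARC-Authentication-Results: i=1; fwd.example.org; spf=pass; dkim=pass header.d=example.com
From: Alice <alice@example.com>

Hi team
"""

def arc_sets(raw):
    """Group ARC headers by instance number: {i: {header name: value}}."""
    sets = {}
    msg = message_from_string(raw)
    for name in REQUIRED:
        for value in msg.get_all(name, []):
            m = re.match(r"\s*i=(\d+)\s*;", value)
            if m:
                sets.setdefault(int(m.group(1)), {})[name] = value
    return sets

def chain_structure_ok(sets):
    """Structural checks only: complete sets, i=1..N, cv=none then cv=pass."""
    if not sets or sorted(sets) != list(range(1, len(sets) + 1)):
        return False
    for i, hdrs in sets.items():
        if set(hdrs) != set(REQUIRED):
            return False
        cv = re.search(r"\bcv=(\w+)", hdrs["ARC-Seal"])
        if not cv or cv.group(1) != ("none" if i == 1 else "pass"):
            return False
    return True

def dkim_at_first_hop(sets):
    """DKIM result the first ARC hop recorded before any later modification."""
    m = re.search(r"\bdkim=(\w+)", sets[1]["ARC-Authentication-Results"])
    return m.group(1) if m else None
```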

You don't configure ARC yourself

ARC is implemented by mail servers, not by domain owners. Your job is to make sure your DKIM and SPF are properly configured. Forwarding and receiving servers handle ARC automatically.

SRS: Fixing SPF for Forwarding

SRS (Sender Rewriting Scheme) addresses SPF failures during forwarding. The forwarding server rewrites the envelope sender to its own domain, then uses its own SPF record. SRS doesn't directly help DKIM, but it ensures SPF can pass after forwarding, giving DMARC a better chance of succeeding.

Practical Steps to Protect Your Deliverability

1. Use relaxed canonicalization

Configure your DKIM with c=relaxed/relaxed to tolerate minor formatting changes. This is the single most impactful setting for forwarding survival.

2. Sign only essential headers

Focus on From, To, Subject, Date, and MIME-Version. Signing too many headers increases the chance of breakage.

3. Configure both SPF and DKIM

Give DMARC two authentication methods to check. If one fails after forwarding, the other might still pass.

4. Set a DMARC policy with reporting

Start with p=none and monitor your DMARC reports. Look for forwarding-related failures before moving to stricter policies.

5. Monitor continuously

Use deliverabilitychecker.com to monitor your authentication records daily.

The Bottom Line

DKIM is more resilient to forwarding than SPF, but it's not indestructible. Simple forwarding preserves DKIM signatures. Mailing lists, email gateways, and content-modifying services can break them. The combination of relaxed canonicalization, proper DMARC configuration, and modern protocols like ARC gives your email the best chance of staying authenticated no matter how many hops it takes.

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
