Why Strict DMARC Rejection Is Not Always the Right Choice
Every email security guide says the same thing: set your DMARC policy to p=reject. It is the strongest setting. It tells receiving servers to bounce any email that fails DMARC checks. Maximum protection against spoofing.
But there is a problem nobody mentions in the beginner guides: email forwarding breaks DMARC.
Why forwarding breaks DMARC
DMARC requires either SPF or DKIM to pass and align with the From domain. When email is forwarded:
- SPF fails because the forwarding server's IP is not in the original sender's SPF record (this is exactly what SRS was created to solve)
- DKIM usually survives if the email content was not modified. But some forwarding services modify headers or add footers, which breaks the DKIM signature.
If both SPF and DKIM fail alignment, DMARC fails. If the sender's domain has p=reject, the receiving server bounces the email. The forwarded message — which was perfectly legitimate — is lost.
Who this affects
Anyone who uses email forwarding:
- Mailing lists — Messages to a mailing list are redistributed to subscribers. The forwarding breaks SPF, and if the list modifies the message (adds a footer, changes the subject), DKIM breaks too.
- University alumni addresses — Many universities offer lifetime forwarding addresses (you@alumni.university.edu) that forward to your personal inbox.
- Email alias services — Cleanbox, SimpleLogin, and others forward email from aliases to your real inbox. SRS handles SPF, but DKIM can still fail if content is modified.
- Corporate forwarding — Auto-forwarding rules in Exchange or Google Workspace.
The practical approach
The right DMARC policy depends on context:
| Situation | Recommended policy | Why |
|---|---|---|
| Your domain only sends directly (no forwarding expected) | p=reject | Maximum spoofing protection, no forwarding to break |
| Your domain's email gets forwarded by recipients | p=quarantine | Flags failures without bouncing — forwarded email lands in spam instead of being lost |
| You are just starting with DMARC | p=none with reporting | Monitor failures before enforcing, catch misconfigurations |
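To make the interaction between alignment and policy concrete, here is an added Python sketch of the DMARC decision for the forwarding cases described above and the three policies in the table. It is example code, not Cleanbox's implementation; the domains, the forwarder name and the two-label organizational-domain rule are constructed assumptions.

```python
from dataclasses import dataclass

# Added example: a simplified DMARC decision (RFC 7489 semantics) that shows why a
# forwarded message can fail under p=reject. Domains below are constructed.

def org_domain(domain: str) -> str:
    # Simplified organizational domain: the last two labels. Real evaluators use
    # the Public Suffix List, so this is an assumption adequate for example.com.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    spf_result: str    # "pass" or "fail"
    spf_domain: str    # MAIL FROM domain the SPF check used (after any SRS rewrite)
    dkim_result: str   # "pass", or "fail" when a footer/subject change broke it
    dkim_domain: str   # d= tag of the DKIM signature

def dmarc_disposition(from_domain: str, r: AuthResults, policy: str,
                      aspf: str = "r", adkim: str = "r") -> str:
    """Return 'pass', or the action the sender's policy asks for on failure."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed scenarios for mail with From: alice@example.com
DIRECT = AuthResults("pass", "example.com", "pass", "example.com")
# Forwarder uses SRS: SPF now passes, but on the forwarder's domain, so it is not
# aligned. Without SRS the SPF result would simply be "fail"; same outcome here.
FORWARDED_INTACT = AuthResults("pass", "srs.forwarder.example", "pass", "example.com")
# Mailing list added a footer: the DKIM signature no longer verifies.
FORWARDED_MODIFIED = AuthResults("pass", "srs.forwarder.example", "fail", "example.com")

if __name__ == "__main__":
    for name, res in [("direct", DIRECT), ("forwarded intact", FORWARDED_INTACT),
                      ("forwarded+footer", FORWARDED_MODIFIED)]:
        for policy in ("none", "quarantine", "reject"):
            print(f"{name:18} p={policy:10} -> {dmarc_disposition('example.com', res, policy)}")
```

The forwarded-and-modified row is the one the table is about: only the sender's policy decides whether that legitimate message is delivered, flagged, or bounced.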
How Cleanbox handles this
Cleanbox uses SRS (Sender Rewriting Scheme) for relay forwarding to maintain SPF alignment. For alias delivery via IMAP, DMARC is checked at the Cleanbox server — the result is recorded in the message but does not cause rejection at the destination, because Cleanbox writes directly to the mailbox.
For relay addresses, you can optionally enable DMARC_POLICY_REJECT as a spam symbol rule to reject DMARC failures on specific addresses. This gives you per-address control instead of a global policy that would break forwarding for everyone.
For more on email authentication, see The Complete Guide to Email Authentication.