SPF, DKIM, DMARC, and Email Forwarding

Overview

SPFDKIM, and DMARC are email authentication technologies designed to help reduce spoofing (but they can sometimes interfere with email forwarding). 

  • SPF (Sender Policy Framework) works to prevent spoofing by allowing email domains (e.g. uoregon.edu) to specify where receiving email servers should expect to receive email from.
    • Emails from one of the sender's allowed servers will pass this test.
    • Emails from other sources will fail this test.
  • DKIM (DomainKeys Identified Mail) works to prevent spoofing by cryptographically signing each message as it is sent so that receiving email servers can determine if it has been tampered with.
    • Emails that have been signed with a key designated by the sender's email domain (e.g. uoregon.edu) will pass this test.
    • Emails that have been modified will fail this test.
  • DMARC (Domain Message Authentication, Reporting and Conformance) works to prevent spoofing by using the two previous systems to apply policies on how messages that fail the previous tests should be handled.
    • Policies can be set so that failures: do nothing (reporting only), quarantine messages, or reject them.

More information about these technologies can be found on the Binding Operational Directive 18-01 article from the Department of Homeland Security.

Information

I have an email forward setup and I know someone sent me a message but I didn't get it, what happened?

As more email senders setup these security measures, an increasingly large number of messages will not be delivered to your email forward destination due to failing these checks. When an email is forwarded through the UO system, your email forward destination service will perform the SPF and DKIM checks. Since the emails would appear to be coming from the UO's email servers and not the sender's email servers, the SPF test will fail. The DKIM test may also fail if there are any links in the email as the Proofpoint URL Defense service will replace the links with protected ones in order to stop phishing attacks. When these tests fail, your message will be blocked if the sending domain has setup a policy to quarantine or reject messages that could not be authenticated successfully.

Can you fix this so that my forwarded emails will be delivered?

No. As the policy is set by the sender's email domain and the policy is being applied by the third-party email service, we have no control over either of these and we have no ability to force emails to be delivered.

What can I do to make sure I receive all emails sent to me?

The best option to ensure that you receive all your emails is to not setup an email forward and to access your UO email directly, if possible.

Print Article

Details

Article ID: 94882
Created
Mon 12/23/19 12:06 PM
Modified
Tue 1/9/24 4:16 PM

Related Articles (1)

SPF and DKIM for Third-Party Mail Senders
Configuring email security protocols in regard to validating third party email vendors that send email on behalf of the University of Oregon