The question sometimes arises from organizations as to what can be done to ‘fix’ emails that fail authentication when going through a forward. The short answer is that there is nothing realistically that can be done to guarantee forwarded email authenticate properly. To fix the issue would today require working with each forwarding entity to try to get them to update their systems to forward emails without breaking authentication (which may not even be possible). This is not realistic. Some things to be aware of:

  1. Forwards are a very tiny percentage of total email volumes and so the impact of these forwards is very small

  2. Emails should always be DKIM signed if the sending service supports it. DKIM signing tends to fare better when an email is forwarded which reduces the number of failures

  3. A new Internet standard, Authenticated Received Chain (ARC) has been finalized which will help to address this issue. It has not been fully rolled out but Google and Microsoft (among many others) are actively deploying