The DMARC protocol relies on SPF and DKIM to function.
SPF authenticates the sending server of an email based on the sending IPv4 or IPv6 address. Therefore, when that email gets auto-forwarded, the IP address changes, causing SPF to fail. This is one of the limitations of SPF, hence why you should not rely simply on SPF but also configure DKIM.
DKIM, on the other hand, authenticates the email based on the sending domain, as well as the email content, using a digital signature. Since the verification of this Public/Private keypair is performed via lookups of the sending domain's DNS records, it can be performed at any point along the forwarding, and therefore will survive forwarding.
For more information please click the buttons below: