How to identify forwarders from the DMARC reports?

This article explains what forwarders are and how to identify them in your DMARC reports.

Written by Ivan Kovachev
Updated over a week ago

The DMARC reports contain three main types of senders:

  • Assets - These are your legitimate services that you send emails from.

  • Forwarders - These are services that receive emails from you, e.g. your recipient's mail server, and then auto-forward your emails. This article focuses on this type of sender.

  • Malicious senders - Email services that are spoofing your domain, e.g. an attacker using your domain to send malicious emails.


Scenario:
Let's assume you send emails from Office 365 only, and you have configured this service with SPF and DKIM. In this case all your outbound emails originate from Office 365, and nowhere else.

You then look at your DMARC reports and see many more senders in your reports that are compliant and pass DKIM and DMARC. Why is that?

That immediately indicates that those other services are forwarders. What is happening is that you send DMARC-compliant emails from Office 365 to many recipients, such as your clients, customers, partners or suppliers. Many of your recipients will have auto-forwarding rules that automatically forward your emails to another destination, as demonstrated below.

Office 365 --> Gmail (auto-forward) --> Yahoo

Yahoo is the final recipient that will receive your email, which passed through Google. Google will be the service that is shown in your DMARC reports as this is where the email originated from last. Essentially, this auto-forwarding is outside of your control and is configured by your recipients. The DMARC reports will show the last hop that emails took from a sender to the final recipient.


If the email that was forwarded from Google was not modified in transit, it will pass DKIM and therefore DMARC.

Typically, forwarders are services that you don't recognize, with a 0% SPF pass rate and a DKIM pass rate higher than 0%.
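The rule of thumb above can be applied directly to a raw DMARC aggregate (RUA) XML report. The following is an added example, not part of the original article or of OnDMARC: the sample report is constructed, the IPs are documentation addresses, and `KNOWN_ASSETS` and `classify_sources` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate report layout (trimmed to the
# fields used here). Reports are untrusted input: in production, parse them
# with a hardened XML parser such as defusedxml.
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

KNOWN_ASSETS = {"192.0.2.10"}  # assumption: IPs of the services you send from

def classify_sources(report_xml, known_assets):
    """Return {source_ip: (label, spf_pass_pct, dkim_pass_pct)}."""
    totals = defaultdict(lambda: {"count": 0, "spf": 0, "dkim": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        n = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        t = totals[row.findtext("source_ip")]
        t["count"] += n  # weight each row by its message count
        t["spf"] += n if evaluated.findtext("spf") == "pass" else 0
        t["dkim"] += n if evaluated.findtext("dkim") == "pass" else 0
    result = {}
    for ip, t in totals.items():
        if t["count"] == 0:
            continue  # skip empty rows rather than divide by zero
        spf = round(100 * t["spf"] / t["count"])
        dkim = round(100 * t["dkim"] / t["count"])
        if ip in known_assets:
            label = "asset"
        elif spf == 0 and dkim > 0:
            label = "likely forwarder"  # the article's heuristic
        elif spf == 0 and dkim == 0:
            # Spoofing, or a forwarder that modified the mail in transit.
            label = "fails both: investigate"
        else:
            label = "unrecognized but passes SPF: review"
        result[ip] = (label, spf, dkim)
    return result

if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_REPORT, KNOWN_ASSETS).items():
        print(ip, *info)
```

A source that fails both checks is not automatically malicious: a forwarder that modifies the message breaks DKIM too, so those sources need a closer look before they are treated as spoofing.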

Here is an example of forwarders passing DKIM 100%.
