As lane said, DMARC provides a way for a sender domain to specify what they would like to happen for messages which fail both DKIM and SPF.
- SPF can fail during forwarding (although SRS forwarding should solve that issue). DKIM shouldn't be affected by forwarding (unless the content or subject header is modified). So if a message is sent with both SPF and DKIM and these pass at the receiver, it will probably pass the DMARC test.
- DMARC suggests that the destination system by default use the policy specified by the appropriate DNS TXT record (which for Gmail is "v=DMARC1; p=none; rua=mailto:mailauth-reports@google.com").
- The main DMARC policies which can be specified by the sender are:
  - none (do not treat the message differently due to DMARC, although reports may be sent to the sending domain) - This is specified by the above Gmail DMARC policy on their sent mail.
  - quarantine (place the message in a spam folder or otherwise hide it from the Inbox)
  - reject (cancel the message at the SMTP receiving level with a 550 response to the sending server)
- Although the sender DMARC policy can be published in the domain DNS records, a destination system can choose to use the sender DMARC policy, ignore that policy, or modify the policy.
  - For example, if the sending server is on a reject list or the message has other spammy characteristics, Gmail may reject the message. Forwarding complicates this process, since it's not clear whether the headers can be trusted when the message was apparently accepted by another server.
Peter, are your test messages sent directly to a Gmail account (without forwarding) delivered properly? Have you tried with messages sent from various source systems? Obviously, the vast majority of non-spam messages sent to Gmail are delivered properly, so there must be something about the domains or servers originating the messages (assuming that the message subject and contents aren't suspicious).
Bill
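
The following is an added example, not part of Bill's post: it parses the Gmail record quoted above, derives the disposition the sender domain requests, and then lets the receiver honor or override it. The function names, the `local_override` parameter and the `example.com` record are hypothetical; the evaluation assumes the standard DMARC rule that one aligned SPF or DKIM pass is enough, and the parsing is simplified.

```python
# Added illustration: DMARC record parsing and policy application (simplified).
VALID_POLICIES = {"none", "quarantine", "reject"}

# Record quoted in the post above.
GMAIL_RECORD = '"v=DMARC1; p=none; rua=mailto:mailauth-reports@google.com"'
# Constructed sample for a hypothetical strict sender (example.com).
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Return a tag -> value dict for a DMARC TXT record, or None if unusable."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None  # not a DMARC record (e.g. an SPF TXT record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None  # simplification: treat a missing/unknown policy as no record
    tags["p"] = policy
    return tags


def requested_disposition(record, spf_aligned_pass, dkim_aligned_pass):
    """Disposition the sender domain asks for.

    The policy only applies when both aligned checks fail, so a forwarded
    message whose SPF breaks but whose DKIM signature survives still passes.
    """
    if record is None or spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[record["p"]]


def final_disposition(requested, local_override=None):
    """The receiver may use, ignore or modify the sender's policy.

    local_override is a hypothetical stand-in for the receiver's own verdict
    (reputation lists, content filtering); None means honor the sender policy.
    """
    return local_override or requested


if __name__ == "__main__":
    gmail = parse_dmarc(GMAIL_RECORD)
    strict = parse_dmarc(STRICT_RECORD)
    print("gmail, both fail:    ", requested_disposition(gmail, False, False))
    print("strict, forwarded:   ", requested_disposition(strict, False, True))
    print("strict, both fail:   ", requested_disposition(strict, False, False))
    print("receiver softens it: ", final_disposition("reject", "quarantine"))
```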