By default, forwarding a message (by any email service) breaks SPF. If SPF is broken, one of the two DMARC tests (SPF and DKIM) fails. If DKIM does not pass, then SPF failure will lead to DMARC failure.
So first look at messages sent by proper (not fake) senders at "originating.com" as received in your Fastmail account. Look at the full headers (More > Show Raw Messages) for the Authentication-Results header. If DKIM does not pass, then if SPF fails due to forwarding you should get a DMARC failure.
- If dkim=none, then no DKIM signatures were found.
- If dkim=pass, the DKIM signing was verified when received at Fastmail.
- If dkim=fail, the DKIM signing failed verification (which might be due to alteration of the message during transport).
- Other dkim results might be shown.
If you forward using alias targeting (rather than a rule), you can use SRS rewriting to fix the SPF forwarding issue. This will probably solve your problem:
https://www.fastmail.com/help/receiv...html?#advanced
If you need to use a rule (rather than a specific alias) to decide which messages are forwarded, here is a solution (which I have tested):
- Set up one special alias with only one target (the external account you want to receive the forwarded messages). Enable the SRS rewriting feature for this alias.
- Create a rule which forwards as desired, but set the "send a copy to" address to the special alias.
- Now messages which trigger the rule will be forwarded to the special alias, which will forward them with SRS rewriting to the external account.
Bill
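
The header check described in the post above can be scripted. This is an added example, not part of the original post: it reads the Authentication-Results header of a raw message and reports whether an aligned DKIM pass exists, so that DMARC does not depend on SPF after forwarding. The sample messages, `mx.example.net`, the selector `sel1`, and the function names are constructed for illustration, and the alignment test is a simplification that does not consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); mx.example.net and sel1 are placeholders.
DKIM_OK = """\
Authentication-Results: mx.example.net;
    dkim=pass (2048-bit key; unprotected) header.d=originating.com header.s=sel1;
    spf=pass smtp.mailfrom=bounce@originating.com;
    dmarc=pass header.from=originating.com
From: Sender <sender@originating.com>

body
"""
SPF_ONLY = DKIM_OK.replace(
    "dkim=pass (2048-bit key; unprotected) header.d=originating.com header.s=sel1",
    "dkim=none")

# Each result in the header follows a ';' as method=result plus optional properties.
RESULT_RE = re.compile(r";\s*(dkim|spf|dmarc)=([a-z]+)([^;]*)", re.I)

def auth_results(raw):
    """Return (from_domain, [(method, result, props), ...]) for a raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", value)  # drop comments, which may contain ';'
        for method, result, rest in RESULT_RE.findall(value):
            props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
            results.append((method.lower(), result.lower(), props))
    return from_domain, results

def survives_forwarding(raw):
    """True if a DKIM pass aligned with the From domain is present, so DMARC
    does not rely on SPF, which plain forwarding breaks."""
    from_domain, results = auth_results(raw)
    for method, result, props in results:
        d = props.get("header.d", "").lower()
        # Simplified relaxed alignment: same domain, or one is a subdomain of the other.
        aligned = bool(d) and (d == from_domain or from_domain.endswith("." + d)
                               or d.endswith("." + from_domain))
        if method == "dkim" and result == "pass" and aligned:
            return True
    return False

if __name__ == "__main__":
    for name, raw in (("DKIM_OK", DKIM_OK), ("SPF_ONLY", SPF_ONLY)):
        print(name, "survives forwarding:", survives_forwarding(raw))
```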