So not sure if my first question was very clear, emails are being forwarding (and are setup as filter in roundcube). When sending mail, 3rd party system checks the DKIM and SPF etc and if fails (most email systems are checking this now) then rejects the email sending and “the forward” and so its failing the record check, alot hunting around on internet looks like this is a known issue and that’s why ARC.
Forward itself is working correctly.
but when forwarding, it breaks email validation " The problem with indirect mailflow" as talked about on the Return Path website.
Why do I see failing SPF reports for some legitimate sources?
In some cases, an email provider may forward your email to another address. For instance, you send a newsletter to a customer and they forward it from their main mailbox to their Gmail account. While most email providers will properly preserve the from address and Return-Path address, others may rewrite it, causing a failure. While this may present a problem, it is limited to a small percentage. In addition, ISPs can still consider if a message has DKIM present in this case and allow it to pass. This is why it is important to have both SPF and DKIM passing on a domain.
My users often forward their emails to another mailbox, how do I keep DMARC valid?
DMARC relies on SPF and DKIM. In the case of forwarding emails, SPF is likely to fail, in a DMARC sense, at the receiver. You are resending from your infrastructure and it is unlikely your sending IP is in the SPF record of the domain contained in the from header of the email. However there is no reason for DKIM to fail. For DKIM not to fail, you must ensure that your mail server does not drastically modify the message. Typically, the only modification that preserves DKIM is to add new email headers to the messages without touching the subject or the body of the message. Headers protected by DKIM should not be modified in any way, and the message should not be converted from one encoding to another.
The problem is that you can’t always determine what an intermediate mail server is doing with the mails. I once sent a mail to three different addresses with forwarding set to a third address. The addresses sent to ended with the following domains.
All three mails failed SPF when forwarded to a final destination. But the outlook one failed DMARC as well.
Checking the outlook headers themselves showed the inbound mail had a DKIM and SPF pass. But the mail saved to the Outlook server had been modified between the DKIM check and forwarding it on to the final destination (I compared the copy of the mail on the outlook server with the sent mail).
Google Apps for business can be another pain as they add any automatic disclaimers to forwarded mails, which again breaks DKIM, although this is typically the only change that Google makes.