I just wanted to add some comments with regard to rewriting the sender when forwarding mail using the mail sieve rules in Roundcube.
As far as DMARC is concerned Sender Rewriting where SPF and DMARC are the only available checks will cause a DMARC fail.
This is because SPF relies on the Sender address (The Mail From: identity) BUT DMARC relies on the From: identity.
If the domains used in the DMARC and SPF check are not aligned then even though SPF itself passes. DMARC will fail the SPF check.
Sender rewriting has never been officially recognised by the IETF, although it was proposed as a draft standard to deal with the shortcomings of SPF, it has never been formerly recognised.
After all DMARC is an either/or test
DMARC passes on SPF (provided Mail From: and From: are aligned)
DMARC passes on DKIM (provided d=value and From: are aligned)
DMARC only fails when BOTH of the above fail.