Secure email gateways sit in an awkward place in mail flow. They inspect, rewrite, wrap, detonate, banner, and sometimes re-route messages for good security reasons. But those same changes are exactly what can make SPF fail, DKIM fail, and then DMARC fail at the final receiver.
That is why admins often end up staring at a message that was legitimate at the source and broken by the time it reached the mailbox platform.
The fix is usually not just "turn on ARC" or "enable Enhanced Filtering" in isolation. The real fix is getting the order of trust right.
If mail reaches Microsoft 365 after passing through a secure email gateway or filtering service, the preferred order is usually:
In plain terms: first try to avoid breakage, then preserve evidence of the original authentication, then teach the final receiver how to trust that evidence.
DMARC depends on aligned SPF or aligned DKIM. A gateway commonly disrupts one or both:
From: domain no longer has an aligned SPF or DKIM pass at the final hop.Google says this plainly in its forwarding guidance: forwarding and message changes often cause SPF or DKIM failures, so admins should minimize content changes and preserve forwarding context. ARC exists for exactly that kind of indirect flow.
If you want the protocol background first, What is ARC and how does it work? and Why forwarding breaks SPF/DKIM and affects DMARC are the right companion reads.
The easiest way to reason about this is to treat every intermediary step as a decision tree.
This sounds obvious, but it is the highest-value fix.
If the gateway can scan without rewriting the body, changing MIME boundaries, replacing attachments, or prepending banners, do that first. A message that keeps its original DKIM signature intact usually does not need ARC to survive DMARC.
Google's sender documentation explicitly warns that changing body content, MIME boundaries, Subject, or other DKIM-covered headers can break DKIM for forwarded mail.
RFC 8617 is very clear on sealing order: message modifications must happen before the intermediary adds its ARC set.
That matters because ARC is not a magic repair tool for a message that was changed after sealing. ARC is the intermediary's signed testimony about what it saw and what happened at that hop.
The healthy sequence is:
ARC-Authentication-Results, ARC-Message-Signature, and ARC-SealIf the gateway seals too early and then rewrites the message afterward, the ARC chain can fail and you lose the exact evidence you were trying to preserve.
ARC only becomes operationally useful when the next receiver validates the chain and decides that the sealer is trustworthy.
For Microsoft 365, that usually means adding the gateway vendor's ARC sealing domain as a trusted ARC sealer, based on the d= value actually present in ARC-Seal. Microsoft documents that trusted sealers can allow ARC evidence to influence composite authentication, including the familiar compauth=pass reason=130 outcome when ARC overrides a DMARC failure.
That is the part many teams miss: you do not usually add your own domain there. You add the domain that actually seals the ARC set.
For more detail on that trust model, see Trusted ARC sealers in Microsoft 365 and Gmail.
Some gateways do not provide usable ARC. Others are deployed in front of Microsoft 365 in a way that causes Microsoft to see only the gateway as the source of all inbound mail.
That is the scenario for Enhanced Filtering for Connectors in Exchange Online.
Microsoft says Enhanced Filtering preserves original source IP and sender context for supported connector-based routing paths, and can also help Microsoft recover from authentication confusion introduced by the intermediary. In other words, it helps Microsoft look past the connector-facing hop and evaluate the real upstream sender more accurately.
This is especially relevant when:
Important boundary: Enhanced Filtering is not a universal substitute for ARC. It is Microsoft's receiver-side correction for connector scenarios, not a standards-based chain-of-custody signal for every downstream mailbox provider.
Re-signing can mean two different things in practice:
This can help if the original DKIM signature is going to break anyway and the gateway can add a new aligned DKIM signature that survives the rest of the route.
But re-signing is not always the first or best fix.
Why:
From: domain and survives later processingIf a gateway re-signs with a domain that is not DMARC-aligned, the message can still fail DMARC. If it re-signs correctly, that can be a valid design, but it should be an intentional architecture choice, not an accidental side effect.
If multiple signatures are already confusing the incident, Multiple DKIM signatures: how receivers evaluate them is a useful refresher.
Recommended order:
Typical signs of success in Microsoft 365 headers:
arc=passoda=1 in ARC-Authentication-Resultscompauth=pass reason=130 in Authentication-Results when DMARC would otherwise have failedRecommended order:
This is the classic skip-listing use case Microsoft documents.
Recommended order:
From:Re-signing can coexist with ARC. It does not replace the need to preserve hop-by-hop trust information.
Admins often trust the wrong domain. Microsoft says to use the domain in the ARC d= value from real headers. If you trust the wrong domain, ARC will validate but not become trusted in the way you expected.
Per RFC 8617, modifications are supposed to happen before sealing. If the chain breaks later, receivers treat failed ARC as effectively unusable.
Microsoft documents Enhanced Filtering for cases where mail is routed through a non-Microsoft service or device before Microsoft 365. It is not meant as a blanket fix for every mail path, and Microsoft explicitly warns about unsupported routing patterns that can distort filtering.
Only an aligned SPF or aligned DKIM result helps DMARC. A replacement DKIM signature from the wrong domain, or one that later breaks again, does not solve the problem.
When a gateway seems to be breaking DMARC, check headers in this order:
Authentication-Resultsspf=, dkim=, dmarc=, and in Microsoft 365 also compauth= and reason=ARC-Authentication-Results, ARC-Message-Signature, and ARC-Sealcv=pass or cv=none/pass in the expected orderd=From: domain with any surviving DKIM header.d= valuesThat workflow usually tells you whether the real problem is:
Use a small, controlled test set before changing the full production path.
That sequence keeps teams from enabling three overlapping fixes at once and then not knowing which one actually solved the issue.
If the intermediary already supports clean ARC sealing, start there before redesigning DKIM signing or adding broad connector exceptions. It is usually the most faithful way to preserve what the original message proved at the moment the gateway received it.
Secure email gateways break DMARC when they change the message or obscure the original sending path without preserving trustworthy context.
The right order is usually simple:
When those pieces are applied in the right order, the gateway can keep doing its security job without making legitimate mail look spoofed.