Introduction
Secure email gateways (SEGs) — Proofpoint, Mimecast, Microsoft Defender for Office 365, Barracuda — sit in the mail flow between the internet and your mailbox infrastructure. They affect how SPF, DKIM, and DMARC interact with inbound and outbound mail.
This article covers the interaction patterns and the common gotchas.
Why this topic matters
Many DMARC issues at enterprise scale trace back to SEG interaction. Understanding how the gateway changes authentication semantics is essential to a clean rollout.
How SEGs interact with authentication
Inbound
SEGs accept mail from the internet on behalf of your domain, ahead of your mailbox platform. For each inbound message they:
- Evaluate SPF and DKIM for the sending domain, look up that domain's published DMARC policy, check identifier alignment, and apply the receiver-side disposition (none, quarantine or reject).
- Add an Authentication-Results header recording those results for downstream systems.
- Quarantine or deliver based on the DMARC result plus their own content and reputation analysis.
This is ordinary DMARC receiver behavior. It does not change your own domain's outbound DMARC posture.
Outbound
For outbound mail, the SEG is the last hop before the internet, so the receiving server sees the SEG's address as the connecting IP:
- SPF is evaluated against the SEG's egress IP, not your mail server's. Your SPF record must authorise the SEG's ranges.
- The SEG may modify the message (disclaimers, footers, subject tags, compliance rewrites), which invalidates any DKIM signature added upstream.
- The SEG may add a DKIM signature of its own, either with a selector published under your domain or with the vendor's own domain.
This is where most gotchas live. DMARC needs only one aligned pass, SPF or DKIM, but if your SPF doesn't authorise the SEG and the SEG doesn't sign with a selector under your domain (so that d= aligns with the From address), outbound DMARC fails.
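The SPF side of this can be checked offline. The script below is an added example (not the article's code, and not any vendor's): it evaluates a sending IP against an SPF record the way a receiver does, using a subset of RFC 7208 (ip4, ip6, include, redirect=, all, and the 10-DNS-lookup limit). The zones are constructed stand-ins for live TXT lookups; every domain, selector and IP range in them is hypothetical, including the record given for spf.protection.outlook.com and the gateway include _spf.seg.example. It shows the same gateway IP failing before the include is added and passing afterwards, and a chained-include zone tripping the lookup limit into permerror, which is what a too-long SPF record does to every sender, not just the gateway.

```python
"""Evaluate a sender IP against an SPF record (added example, not the article's code).

Subset of RFC 7208: ip4, ip6, include, redirect=, all, 10-DNS-lookup limit.
All zone data below is constructed; domains, selectors and IP ranges are hypothetical.
"""
import ipaddress

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone before the gateway was added to SPF.
ZONE_BEFORE = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",  # constructed, not the real record
}
# Same zone after adding the (hypothetical) gateway include.
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER["example.com"] = ("v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com "
                             "include:_spf.seg.example -all")
ZONE_AFTER["_spf.seg.example"] = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all"
# Constructed pathological zone: 11 chained includes exceed the lookup limit.
ZONE_TOO_MANY = {f"hop{i}.example": f"v=spf1 include:hop{i + 1}.example -all" for i in range(11)}
ZONE_TOO_MANY["hop11.example"] = "v=spf1 ip4:192.0.2.0/24 -all"

SEG_IP = "192.0.2.25"  # hypothetical gateway egress address


def check_spf(zone, domain, ip, _lookups=None):
    """Return (result, dns_lookups_used) for `ip` sending as `domain`.

    result is pass/fail/softfail/neutral/none/permerror. `_lookups` is shared
    across include/redirect recursion so the limit is global, as RFC 7208 requires.
    """
    if _lookups is None:
        _lookups = [0]
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", _lookups[0]
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" carry a CIDR on the name
        if name == "all":
            return QUALIFIERS[qual], _lookups[0]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", _lookups[0]
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual], _lookups[0]
            continue
        if name in ("include", "a", "mx", "exists", "ptr"):
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", _lookups[0]
            if name == "include":
                sub, _ = check_spf(zone, arg, ip, _lookups)
                if sub == "pass":
                    return QUALIFIERS[qual], _lookups[0]
                if sub in ("none", "permerror"):
                    return "permerror", _lookups[0]
            # a/mx/exists/ptr: counted against the limit but never match here, because
            # the constructed zone carries no A/MX/PTR data (simplification).
            continue
        return "permerror", _lookups[0]  # unknown mechanism
    if redirect is not None:
        _lookups[0] += 1
        if _lookups[0] > MAX_LOOKUPS:
            return "permerror", _lookups[0]
        return check_spf(zone, redirect, ip, _lookups)
    return "neutral", _lookups[0]  # nothing matched and no "all" term


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, SEG_IP, check_spf(zone, "example.com", SEG_IP))
    print("lookup limit", check_spf(ZONE_TOO_MANY, "hop0.example", SEG_IP))
```

Run against your real record by replacing the zone dictionaries with the TXT records you fetch; the lookup counter is the number to watch when a vendor include pulls in several nested includes of its own.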
Common gotchas
- SEG IPs missing from SPF. Outbound mail fails SPF at every receiver until the gateway's egress ranges are in your record.
- SEG DKIM signing not aligned. Some SEGs sign with the vendor's own domain by default; that signature verifies, but d= does not align with your From domain, so it contributes nothing to DMARC. Configure custom signing with a selector published under your domain.
- Header or body rewriting breaks the upstream DKIM signature. Subject tags change the signed header hash; disclaimers and footers change the body hash (bh=). Either the SEG signs after making those changes, or the changes are disabled.
- Inbound DMARC enforcement bypass. Allow-list rules for trusted senders often skip DMARC entirely, so a message spoofing an allow-listed domain is delivered regardless of that domain's policy. Scope any bypass narrowly.
Step-by-step approach
- Obtain the SEG's outbound IP ranges from the vendor's documentation and record them.
- Add them to your SPF record, normally via the vendor's include: mechanism, and stay within the 10-DNS-lookup limit.
- Configure SEG-side DKIM signing with your domain: generate a key pair, publish the selector under your domain, and enable signing on the gateway.
- Verify alignment in DMARC aggregate reports: rows for the gateway's IPs should show SPF pass, aligned DKIM pass, or both.
- Audit inbound DMARC enforcement behavior, including any bypass rules.
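The verification step in this procedure is usually done by eye in a DMARC dashboard. The script below is an added example (not the article's code, and not any vendor's): it parses an aggregate report in the RFC 7489 Appendix C layout, recomputes DMARC from the raw SPF and DKIM results with the published alignment modes, and explains each gateway row that fails. RUA_XML is a constructed report (documentation-range IPs, invented domains and selectors), SEG_NETWORKS stands in for the ranges your vendor publishes, and the organisational-domain helper uses the last two labels instead of the Public Suffix List, which is a simplification.

```python
"""Triage a DMARC aggregate (RUA) report for gateway-related failures.

Added example, not the article's code. RUA_XML is constructed; SEG_NETWORKS is a
hypothetical stand-in for the vendor's published ranges.
"""
import ipaddress
import xml.etree.ElementTree as ET

SEG_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:10::/48")]

RUA_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>120</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>seg.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.26</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>seg2024</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>mkt</selector><result>pass</result></dkim>
      <spf><domain>bounce.mkt.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>8</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>mail2024</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organisational domain, simplified to the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def is_seg_ip(ip, networks=SEG_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def analyze_report(xml_text, networks=SEG_NETWORKS):
    """One finding per <record>, with DMARC recomputed from the raw auth results."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim = (pub.findtext("adkim") or "r").strip()
    aspf = (pub.findtext("aspf") or "r").strip()
    findings = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip").strip()
        count = int(rec.findtext("row/count"))
        header_from = rec.findtext("identifiers/header_from").strip()
        spf_domain = (rec.findtext("auth_results/spf/domain") or "").strip()
        spf_result = (rec.findtext("auth_results/spf/result") or "none").strip()
        dkim_sigs = [((d.findtext("domain") or "").strip(), (d.findtext("result") or "none").strip())
                     for d in rec.findall("auth_results/dkim")]
        spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
        dkim_ok = any(r == "pass" and aligned(header_from, d, adkim) for d, r in dkim_sigs)
        dmarc_pass = spf_ok or dkim_ok
        seg = is_seg_ip(ip, networks)
        issues = []
        if not dmarc_pass and seg:
            if spf_result != "pass":
                issues.append(f"SPF {spf_result}: gateway IP {ip} is not authorised by the SPF record for {header_from}")
            else:
                issues.append(f"SPF passes for {spf_domain}, which is not aligned with {header_from}")
            passing = [d for d, r in dkim_sigs if r == "pass"]
            if passing:
                issues.append(f"DKIM passes only for d={','.join(passing)}, not aligned with {header_from}: "
                              "configure gateway signing under your own domain")
            else:
                issues.append("no passing DKIM signature: gateway not signing, or it altered the message after upstream signing")
        elif not dmarc_pass:
            issues.append(f"{ip} is not a gateway IP: unauthorised sender or an unmanaged egress path")
        findings.append({"source_ip": ip, "count": count, "is_seg": seg, "dmarc_pass": dmarc_pass,
                         "disposition": rec.findtext("row/policy_evaluated/disposition"), "issues": issues})
    return findings


def gateway_failures(findings):
    """Message count that left through the gateway and failed DMARC."""
    return sum(f["count"] for f in findings if f["is_seg"] and not f["dmarc_pass"])


if __name__ == "__main__":
    for f in analyze_report(RUA_XML):
        print(f["source_ip"], f["count"], "SEG" if f["is_seg"] else "other", "pass" if f["dmarc_pass"] else "FAIL", f["issues"])
```

The first record is the classic misconfiguration: the vendor signs with its own domain, so DKIM verifies but does not align, and the IP is absent from SPF. The third record shows why recomputing matters: a marketing platform passes SPF for its own bounce domain (unaligned) but carries an aligned DKIM signature, so DMARC passes and no action is needed.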
Best practices
- Treat the SEG as a sender. Put it in SPF and configure DKIM signing under your domain.
- Watch for DKIM-breaking modifications. Send a sample message through the gateway and confirm the signature still verifies at the receiving end.
- Pair this article with the vendor-specific guides (Proofpoint, Mimecast, Defender).
- Configure inbound DMARC enforcement in line with company policy.
- Document the gateway configuration.
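For the "Header rewriting breaks DKIM signature" gotcha above and the "test with a sample message" practice, the script below is an added example (not the article's code, and not any vendor's). It recomputes the DKIM body hash (bh=) of a message with RFC 6376 body canonicalisation and compares it to the value in the DKIM-Signature header, the first thing to check when a gateway-edited message fails DKIM at the receiver. The message, domain, selector and the b= value are constructed; b= is a placeholder rather than a real signature, so only bh= is checked (verifying b= needs the selector's public key). The sample shows a disclaimer appended by the gateway breaking bh=, whitespace-only changes being absorbed by relaxed canonicalisation, and a subject tag leaving bh= intact even though the full signature would still fail.

```python
"""Check the DKIM body hash (bh=) of a message before and after a gateway edits it.

Added example, not the article's code. Message, domain, selector and b= are constructed.
"""
import base64
import hashlib
import re


def canon_body_simple(body):
    """simple: drop trailing empty lines, make sure the body ends with CRLF (RFC 6376 3.4.3)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def canon_body_relaxed(body):
    """relaxed: strip trailing WSP per line, collapse WSP runs, drop trailing empty lines (RFC 6376 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body, canon="relaxed", algo="sha256"):
    """Base64 digest of the canonicalised body, the value that goes into bh=."""
    data = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def split_message(raw):
    """Split raw RFC 5322 bytes into unfolded header lines and the untouched body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] += b" " + line.strip()
        else:
            headers.append(line)
    return headers, body


def get_header(headers, name):
    for h in headers:
        n, _, v = h.partition(b":")
        if n.strip().lower() == name.lower().encode():
            return v
    return None


def parse_tags(value):
    """DKIM tag=value list; whitespace inside values (from folding) is removed."""
    tags = {}
    for part in value.decode().split(";"):
        k, sep, v = part.partition("=")
        if sep:
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def check_body_hash(raw):
    """Return (matches, computed_bh, claimed_bh) for the message's DKIM-Signature header."""
    headers, body = split_message(raw)
    sig = parse_tags(get_header(headers, "DKIM-Signature"))
    canon = sig.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    algo = sig.get("a", "rsa-sha256").split("-")[-1]
    computed = body_hash(body, body_canon, algo)
    return computed == sig["bh"], computed, sig["bh"]


# Constructed upstream-signed message: bh= is computed over the original body; b= is a placeholder.
ORIGINAL_BODY = b"Hi team,\r\n\r\nThe Q3 numbers are attached.\r\n-- \r\nAlice\r\n"
SIGNED = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
          b"\th=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY).encode() + b";\r\n"
          b"\tb=AAAA\r\n"
          b"From: Alice <alice@example.com>\r\n"
          b"To: team@example.com\r\n"
          b"Subject: Q3 numbers\r\n"
          b"Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
          b"\r\n" + ORIGINAL_BODY)
# What a gateway that appends a disclaimer produces (constructed): bh= no longer matches.
WITH_DISCLAIMER = SIGNED + b"\r\nThis message is confidential. Example Corp.\r\n"
# Whitespace-only damage (extra spaces, extra trailing blank lines) is absorbed by relaxed canonicalisation.
WHITESPACE_ONLY = SIGNED.replace(b"numbers are", b"numbers   are") + b"\r\n\r\n"
# A subject tag leaves bh= intact; only verifying b= (the header hash) catches it.
SUBJECT_TAGGED = SIGNED.replace(b"Subject: Q3", b"Subject: [EXTERNAL] Q3")

if __name__ == "__main__":
    for label, msg in (("original", SIGNED), ("disclaimer", WITH_DISCLAIMER),
                       ("whitespace", WHITESPACE_ONLY), ("subject tag", SUBJECT_TAGGED)):
        ok, computed, claimed = check_body_hash(msg)
        print(f"{label:12s} bh match={ok} computed={computed} claimed={claimed}")
```

Feed it the raw message as received (including the gateway's changes) rather than a copy from the sender's Sent folder; a bh= mismatch points at a body edit after signing, while a bh= match with a failing signature points at a header edit such as a subject tag.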
Recommended next step
If you have an SEG, verify it's included in SPF and that its DKIM signing aligns with your domain. Misconfigured SEGs are a common DMARC issue.
FAQ
Does an SEG affect my DMARC posture for outbound?
Yes — SEG IPs and DKIM signing must be in your outbound authentication setup.
Does an SEG enforce inbound DMARC?
Most can. Configure the gateway to honor the sender's published policy by default, and review any rules that override it.
What about gateway IP changes?
SEG vendors publish IP ranges; subscribe to update notifications.
Can SEG bypass break DMARC?
Yes — if a bypass rule skips DMARC for a trusted sender, the gateway delivers mail that the sending domain's policy says to reject, including mail that spoofs your own domain inbound if your domain is on the trusted list.
What about hybrid mail routing?
Hybrid setups (on-prem servers, cloud mailboxes and an SEG) have more than one path to the internet; every path that can deliver externally must be covered by SPF or aligned DKIM. Document the flow for each path.
Final thoughts
SEGs are part of the authentication architecture, not separate from it. Treat the SEG as a sender for outbound and as a receiver-side DMARC enforcer for inbound.
Configure carefully, document explicitly, monitor consistently.