Forum Discussion
Tenant Forwarding - Trusted ARC Sealer
As part of a tenant to tenant migration we often need to forward mail from one tenant to another. This can cause some issues with email authentication verdicts on the destination tenant. Is it possible or best practice to configure another tenant as a Trusted ARC sealer to help with forwarded email deliverability?
1 Reply
While it is technically possible to configure another tenant (or service) as a Trusted ARC sealer in Microsoft 365. It is not the recommended approach.
During a tenant to tenant migration, the email gets forwarded from source to destination tenant it means during this transit all its headers, mailflow are modified. This commonly results in SPF, DMARC or DKIM failure. Thus its best to avoid such temporary forwarding paths or have another intermediate tenant with as a trusted ARC sealer.
The preferred approach is temporarily relax email authentication DMARC but ensure email flow is closely monitored ensuring email forwarding is enabled only for the migrated batch of users most importantly for a very short window. Upon cut-over ensure you disable mail forwarding and activate email authenticate as normal.
In-short: Rely on SRS -> temporary DMARC relaxation -> short forwarding window
NOTE: Mail forwarding should be temporary and for short window cannot be a design in itself.
If you find the answer useful, please do not forget to like and mark it as a solution
