How do you forward mail to external mail systems?


#1

I have a few email addresses that I receive email for that I want to forward to external systems.

Aliases work fine for forwarding to internal mail addresses and to some external systems (that don’t check or care about DKIM).

For those destinations that do care and where the sender has tied down the valid sender, the mail will bounce.

What is needed is to forward the email (possibly as an attachment) from the relevant miab account.

Could this be done, or is there code available that will do it, or maybe service providers that offer it?

Thanks in advance for any thoughts on this.


#2

Create a rule in the account to forward to "example@domain.com" in Roundcube.


#3

Thanks for your response.
I did try that out, after finally figuring out how to do it. The result seemed to me to be exactly as if I’d used miab alias. i.e. the forwarded mail appeared to come from the original sender.

Obviously that is the ideal result if the destination mail system respects the embedded dkim signed mail.

Since my post I found a very interesting article exploring these issues…

Regards


#4

Hi Stefbishop, did you ever find a solution to this? I have exactly the same issue: as more email systems adopt a "strict" SPF, DKIM and DMARC, emails that get forwarded by alias or via Roundcube get blocked.

It looks like ARC is the way forward, but it's very new and not well documented.


#5

I solved my forwarding issues by using SRS


#6

How did you implement it in MIAB?


#7

I use the postsrsd package. It is easy to configure, but it does have a drawback. All of the return paths are rewritten even for mails that are delivered locally. Email clients seem to know how to handle this so it has not been a problem for me or any users.


#8

Thanks. I’ll investigate once virgin media decide to fix my internet!


#9

There’s a bigger problem with SRS. While it may work for some mails, if someone is using DMARC then you’ll see a DMARC fail on SPF even though SPF itself passes.
This is because DMARC also compares the identity used in the From: address with the identity used in the SPF check.

Although there was a draft proposal for SRS submitted to the RFC, it was never formalised as a standard, thus its use is NOT recommended. As more and more receivers adopt DMARC checking, we’ll see more and more problems caused by SRS as well.

Edit. I should add that provided the sender is using DKIM as well and the DKIM passes, an SPF fail alone will not cause a DMARC fail.

For DMARC to fail both SPF and DKIM checks must fail. Provided one passes, the mail passes.


#10

The problem is that some servers bounce the mail on the basis of a failed SPF. SRS solves that problem.

Also, I am not certain of your assertion that SRS causes DMARC to fail. I suppose it would depend on the server’s implementation of it.

What is your proposal for sending mail to servers that bounce on the basis of failed SPF?


#11

While SRS solves the problem of servers that bounce on failed SPF alone, the fact SPF was known to be flawed when forwarding is involved remains a big problem.

I’m active on the Virgin Media community, I take a keen interest in the email boards, and I’ve worked with Virgin Media customers and in the background with the company itself in an informal capacity (I’m not employed by Virgin Media mind you). I have witnessed first hand the pain caused by blocking based on SPF and the effects on DMARC of SRS.

Virgin Media took control of their email in house again back in 2015 after Google Media closed their Apps for ISP service, and they’ve had a rocky road when it comes to dealing with SPF.

Initially they rejected SPF hard fails, then after users who were forwarding inbound mails complained, ended up taking requests to stop SPF checking on those specific email accounts as a workaround to the problem. While SRS did work, not every email forwarder was implementing SRS or showed a willingness to do so.

For their own part Virgin Media switched their inbound checking to DMARC, and even that’s had a rocky ride for some users.

If a sending domain only used SPF then when forwarding has been involved, acceptance/rejection of hard fail has been based on the sending domain's DMARC policy - e.g. none = mail is accepted, quarantine = mail ends up in spam, reject = mail gets bounced.

For their own part Virgin Media have applied SPF to their own domains and also deployed DKIM signing and a DMARC p=quarantine policy. This has enabled me to see firsthand the effects of SRS on DMARC.

If you have a look at this thread from 2017

I arranged for the user to email me so I could view the headers. Here’s what I saw

Return-Path: <SRS0=CbP/0T=BO=ntlworld.com=sender@srs.bis711.eu.blackberry.com>
From: "Stuart/Sam Hughes" <sender@ntlworld.com>

This ultimately produces the following DMARC result

dmarc=fail header.from=ntlworld.com

Meaning that the server then follows the policy in the ntlworld.com DMARC record.

This strictly speaking wasn’t forwarding by the way. Blackberry phones originally sent all outbound mails via Blackberry’s SMTP server, with updates past Blackberry 6 changing this so that outbound mail instead went via the SMTP server of the user's choice.

However it does demonstrate what I was saying about SRS and DMARC.

Do I have an answer to the problem? I certainly don’t. But SRS is a workaround ONLY for servers that bounce on SPF alone. But it can end up causing problems forwarding to servers where DMARC is in operation and the sending domain ONLY uses SPF authentication.

So while SRS was certainly once a useful workaround, it’s not a final solution to the issue.
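The DMARC alignment check discussed in posts #9 and #11, as an added example that is not part of the thread or of any poster's code: it parses the SRS0 Return-Path quoted above and evaluates DMARC under relaxed alignment. The function names, the two-label organizational-domain shortcut, and the SPF/DKIM results fed in are assumptions constructed for illustration.

```python
import re

# SRS0 envelope form: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", re.I)

def parse_srs0(addr):
    """Return (original_sender, forwarder_domain), or None if addr is not SRS0."""
    m = SRS0_RE.match(addr.strip("<>"))
    if not m:
        return None
    _hash, _ts, orig_domain, orig_local, forwarder = m.groups()
    return f"{orig_local}@{orig_domain}", forwarder.lower()

def org_domain(domain):
    # Assumption/simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_eval(header_from, mail_from, spf_result, dkim_sigs=()):
    """dkim_sigs is an iterable of (d= domain, result) pairs. Relaxed alignment."""
    from_domain = header_from.rsplit("@", 1)[1]
    spf_domain = mail_from.strip("<>").rsplit("@", 1)[1]
    # An identifier only counts if it passes AND its domain aligns with From:
    spf_ok = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = any(r == "pass" and org_domain(d) == org_domain(from_domain)
                  for d, r in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Addresses from the headers quoted in the post; SPF/DKIM outcomes are constructed.
RETURN_PATH = "<SRS0=CbP/0T=BO=ntlworld.com=sender@srs.bis711.eu.blackberry.com>"
HEADER_FROM = "sender@ntlworld.com"

def demo():
    return {
        "srs": parse_srs0(RETURN_PATH),
        # SPF passes for the rewriting host's domain, but that domain is not ntlworld.com
        "srs_spf_only": dmarc_eval(HEADER_FROM, RETURN_PATH, "pass"),
        # Same envelope, but the original DKIM signature survived the relay
        "srs_with_dkim": dmarc_eval(HEADER_FROM, RETURN_PATH, "pass",
                                    [("ntlworld.com", "pass")]),
        # Direct delivery: envelope sender and From: share a domain
        "direct": dmarc_eval(HEADER_FROM, "sender@ntlworld.com", "pass"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
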


#12

Thanks for the detailed info. But I keep going back to the fact that I still have not seen a bounced email from DMARC failure because of SRS. Before I implemented SRS many mails were being bounced for SPF failure.

While what you say has merit, in my experience SPF failure is the bigger bogeyman.


#13

@jrsupplee John — have you found Outlook to accept forwarded emails when using postsrsd?


#14

An interesting discussion on this issue … I am linking it here so it can be found in the future as I will be proposing that MiaB add the recommended fixes as I would like MiaB to handle forwarded emails to an outside server.


#15

Outlook blocks my IP, as does AT&T, so I deliver via a third party.


#16

To be clear, forwarded email to Gmail was working before I implemented SRS. I implemented SRS for a couple of email servers that would bounce all forwarded mail because of SPF failure.


#17

Are you delivering all mail via a third party? or just mail to users of those two companies?


#18

Just to those right now. My third party SMTP service has quotas, so I don’t want to send everything through them


#19

I looked at this article and I don’t think the user had his SPF configured correctly so not sure this is helpful. Maybe someone else with more expertise can comment.