Thanks for your response.
I did try that out, after finally figuring out how to do it. The result seemed to me to be exactly as if I’d used miab alias. i.e. the forwarded mail appeared to come from the original sender.
Obviously that is the ideal result if the destination mail system respects the embedded dkim signed mail.
Since my post I found a very interesting article exploring these issues…
Hi Stefbishop, did you ever find a solution to this? I have exactly the same issue: as more email systems adopt "strict" SPF, DKIM and DMARC, emails that get forwarded by alias or via roundcube get blocked.
It looks like ARC is the way forward, but it's very new and not well documented.
I use the postsrsd package. It is easy to configure, but it does have a drawback. All of the return paths are rewritten even for mails that are delivered locally. Email clients seem to know how to handle this so it has not been a problem for me or any users.
There’s a bigger problem with SRS: while it may work for some mails, if someone is using DMARC then you’ll see a DMARC fail on SPF even though SPF itself passes.
This is because DMARC also compares the identity used in the From: address with the identity used in the SPF check.
Although there was a draft proposal for SRS submitted to the RFC, it was never formalised as a standard, thus its use is NOT recommended. As more and more receivers adopt DMARC checking, we’ll see more and more problems caused by SRS as well.
Edit. I should add that provided the sender is using DKIM as well and the DKIM passes, an SPF fail alone will not cause a DMARC fail.
For DMARC to fail both SPF and DKIM checks must fail. Provided one passes, the mail passes.
While SRS solves the problem of servers that bounce on failed SPF alone, the fact SPF was known to be flawed when forwarding is involved remains a big problem.
I’m active on the Virgin Media community, I take a keen interest in the email boards, and I’ve worked with Virgin Media customers and in the background with the company itself in an informal capacity (I’m not employed by Virgin Media, mind you). I have witnessed first-hand the pain caused by blocking based on SPF and the effects on DMARC of SRS.
Virgin Media took control of their email in house again back in 2015 after Google Media closed their Apps for ISP service, and they’ve had a rocky road when it comes to dealing with SPF.
Initially they rejected SPF hard fails, then after users who were forwarding inbound mails complained, ended up taking requests to stop SPF checking on those specific email accounts as a workaround to the problem. While SRS did work, not every email forwarder was implementing SRS or showed a willingness to do so.
For their own part Virgin Media switched their inbound checking to DMARC, and even that’s had a rocky ride for some users.
If a sending domain only used SPF then, when forwarding has been involved, acceptance/rejection of a hard fail has been based on the sending domain’s DMARC policy - e.g. none = mail is accepted, quarantine = mail ends up in spam, reject = mail gets bounced.
For their own part Virgin Media have applied SPF to their own domains and also deployed DKIM signing and a DMARC p=quarantine policy. This has enabled me to see firsthand the effects of SRS on DMARC.
If you have a look at this thread from 2017
I arranged for the user to email me so I could view the headers. Here’s what I saw:
This ultimately produces the following DMARC result:
Meaning that the server then follows the policy in the ntlworld.com DMARC record.
This strictly speaking wasn’t forwarding, by the way. Blackberry phones originally sent all outbound mails via Blackberry’s SMTP server, with updates past Blackberry 6 changing this so that outbound mail instead went via the SMTP server of the user’s choice.
However it does demonstrate what I was saying about SRS and DMARC.
Do I have an answer to the problem? I certainly don’t. SRS is a workaround ONLY for servers that bounce on SPF alone. But it can end up causing problems forwarding to servers where DMARC is in operation and the sending domain ONLY uses SPF authentication.
So while SRS was certainly once a useful workaround, it’s not a final solution to the issue.
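The interaction the post above describes (SRS makes SPF pass on the forwarder's domain, but that domain is not aligned with the From: header, so DMARC still fails unless an aligned DKIM signature survives) can be walked through in code. The following is an added example, not code from this thread or from Mail-in-a-Box or postsrsd. It assumes a simplified SRS0 address layout (`SRS0=HHHH=TT=origdomain=origlocal@forwarder`), a constructed table standing in for SPF DNS records, relaxed DMARC alignment approximated as "same last two labels", and that a DKIM signature, where present, survives forwarding unmodified.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for SPF records: which connecting IPs each domain authorises.
SPF_AUTHORISED: Dict[str, set] = {
    "example.org": {"192.0.2.10"},        # the original sender's outbound server
    "forwarder.example": {"198.51.100.5"},  # the forwarding mailbox host
}

SRS_SECRET = b"constructed-demo-secret"  # hypothetical forwarder secret


def srs0_rewrite(envelope_from: str, forwarder_domain: str, day: int,
                 secret: bytes = SRS_SECRET) -> str:
    """Rewrite the envelope sender (MAIL FROM) into SRS0 form.

    Simplified SRS0 layout (assumption): a 4-char HMAC tag and a 2-char
    base32 day stamp protect the forwarder against being used as an open
    bounce relay; the original domain and local part are embedded so that
    bounces can be routed back.
    """
    local, _, domain = envelope_from.rpartition("@")
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    tt = alphabet[(day >> 5) & 31] + alphabet[day & 31]
    mac = hmac.new(secret, f"{tt}{domain.lower()}{local}".encode(), hashlib.sha1).digest()
    hhhh = base64.b64encode(mac).decode()[:4]
    return f"SRS0={hhhh}={tt}={domain}={local}@{forwarder_domain}"


def spf_check(envelope_from: str, connecting_ip: str) -> Tuple[str, str]:
    """SPF is evaluated on the MAIL FROM domain against the connecting IP."""
    domain = envelope_from.rpartition("@")[2].lower()
    result = "pass" if connecting_ip in SPF_AUTHORISED.get(domain, set()) else "fail"
    return result, domain


def org_domain(domain: str) -> str:
    # Approximation of the organisational domain used by relaxed alignment.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(header_from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: Optional[str]) -> Dict[str, object]:
    """DMARC passes if EITHER an aligned SPF or an aligned DKIM check passes."""
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(header_from_domain)
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and org_domain(dkim_domain) == org_domain(header_from_domain))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def forwarded_delivery(header_from: str, original_envelope_from: str, forwarder_domain: str,
                       forwarder_ip: str, use_srs: bool,
                       dkim_domain: Optional[str] = None) -> Dict[str, object]:
    """What the final destination server sees on the forwarded hop.

    dkim_domain is the d= of a signature assumed to have survived forwarding
    intact; None means the original sender did not DKIM-sign.
    """
    envelope = (srs0_rewrite(original_envelope_from, forwarder_domain, day=19000)
                if use_srs else original_envelope_from)
    spf_result, spf_domain = spf_check(envelope, forwarder_ip)
    dkim_result = "pass" if dkim_domain else "none"
    verdict = dmarc_evaluate(header_from.rpartition("@")[2], spf_result, spf_domain,
                             dkim_result, dkim_domain)
    return {"envelope_from": envelope, "spf": spf_result, **verdict}


if __name__ == "__main__":
    args = ("alice@example.org", "alice@example.org", "forwarder.example", "198.51.100.5")
    print("no SRS, SPF only :", forwarded_delivery(*args, use_srs=False))
    print("SRS, SPF only    :", forwarded_delivery(*args, use_srs=True))
    print("SRS + aligned DKIM:", forwarded_delivery(*args, use_srs=True, dkim_domain="example.org"))
```

The three runs reproduce the thread's cases: without SRS the forwarder's IP is not in example.org's SPF record, so SPF fails and, with no DKIM, DMARC fails; with SRS, SPF passes on forwarder.example but is not aligned with the From: domain, so DMARC still fails for an SPF-only sender; only when an aligned DKIM signature is present does DMARC pass.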
Thanks for the detailed info. But I keep going back to the fact that I still have not seen a bounced email from DMARC failure because of SRS. Before I implemented SRS many mails were being bounced for SPF failure.
While what you say has merit, in my experience SPF failure is the bigger bogeyman.