Forwarded Emails
Idea shared by John Marx - 1/17/2022 at 3:32 PM
Our SMTP gateways (SMTP2GO, SendGrid, and MailGun) all complain when we forward emails received from a client's email to their @gmail, @yahoo, etc.

I propose a simple checkbox so that when an email is forwarded, it is an actual "forward" where it comes from the user's mailbox on the SmarterMail server, rather than a forward faking the From address.

Example: So when user@domain.com receives an email from user@received-domain.com and it is forwarded to, say, fake@yahoo.com, it comes from user@domain.com.

5 Replies

Can you define "complain"? SRS encoding, which SM can implement, is the usual technique to prevent SPF FAIL when a message is forwarded.

Rewriting of the message's From should not be necessary if you are forwarding the message without modification. Adding text to the message will break the originator's DKIM signature, which can be a problem if the sender requests DMARC enforcement and the evaluator applies DMARC enforcement. Most users do not want From to be rewritten, since "From" should represent the author and the usual reply-to address. So the best strategy is to not apply tagging if a message might be forwarded.

Forwarding is a lose-lose proposition for you. If you let any spam through, as determined by the recipient, the recipient's mail system will blame you, not the originator. If that means you get blacklisted, that's a problem. If you lock down your system so that no spam gets through, you will probably have false positives (as judged by the account owner), and the account owner will blame you for blocking email that he wants. Since everyone has a different and imperfect approach to email filtering, your chance of getting the right balance is somewhere between zero and zero.

Allowing employees to forward mail to their personal account creates just as many risks to the business: corporate data becomes personal data, replies become personal correspondence rather than corporate correspondence, and regulated data may be handled in ways that violate regulations. Employee accounts can be disabled or managed by a replacement employee. Off-network communication can never be disabled.

The bare minimum for safe forwarding is that the system owner (you) MUST know that the targeted account actually wants the forwarding to happen, as evidenced by an email from that account to you. Otherwise, you might be a participant in an accidental or intentional assault on that mailbox. Not that any known mail system will give you that power.

An even better requirement is to also require an email from the recipient's mail system administrator indicating that they are willing to accept your forwarding stream. With this knowledge, hopefully they will use that knowledge to judge the true source of unwanted messages (not you), although this is also wishful thinking.

Postfix is highly configurable. If you use it as an outgoing gateway and filter, you could probably build something like what you want or something like I propose. But it runs on Linux, so one will need to know or learn Linux while learning a very complex mail product.

Sure, below is what is listed. After the : is a list of emails that are auto-forwarding. We have it set up so that any spam that comes through doesn't get forwarded. Spam (thankfully) isn't a problem for us. Being the forwards are set by our customers, this is something they requested.

Our preferred approach, which we talk everyone into doing, is a POP pull, but most systems (e.g., Google, Yahoo, AOL (yes, it's still used), Frontier, Xfinity/Comcast, etc.) no longer allow that or require payment for that option.

-- Begin message
We also noticed that your account appears to be auto-forwarding emails. Auto-forwarding is the automatic forwarding of emails received from a third party to another recipient.

We have detected auto-forwarding to the following recipients: 
-- End message

That does not look like it is blocking message delivery, so it may not matter. Do you have SRS on or off? I wonder if they send these when SRS encoding is not used.

We also have this issue. Hosting SmarterMail in an Azure VM means that it has outgoing SMTP connections blocked, and requires a relay to work. Setting up SendGrid, Amazon SES, Azure Communications Service, etc... as a relay requires verifying the 'From' domain.

This works under normal circumstances, but if a user forwards their email, then the 'From' domain comes from the original sender and is being rejected as an unverified domain. The 'From' could be anyone, we aren't able to verify all possible 'From' domains, and the SRS header isn't checked by the 3rd party services when it comes to whether or not the 'From' address is allowed to send email as a verified domain/address.

At this point we're still exploring options, but it looks like we can't allow any forwarding for any mailboxes in SmarterMail if we host in Azure and use a 3rd party "Outgoing Gateway".

I suspect that you have an incoming spam filter which alters the message, breaking any DKIM signatures.

Gmail, Yahoo, and many others sign their messages. If you make changes that break the signature, the forward may be rejected because of failed signature.

Nothing described is a problem that SmarterMail can fix.
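The points raised in the replies about SRS, SPF, and broken DKIM signatures can be worked through on the thread's own example addresses. The following is an added example, not part of any reply and not SmarterMail's code. It assumes a constructed SRS key, day counter, and message body, models SPF as a simple domain lookup, uses strict DMARC alignment, and simplifies the SRS0 rewrite.

```python
import base64, hashlib, hmac

SRS_SECRET = b"constructed-demo-key"  # assumption: the forwarder's private SRS key
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def srs0_rewrite(envelope_from, forwarder_domain, day):
    """Simplified SRS0 rewrite: SRS0=hash=timestamp=orig-domain=orig-local@forwarder."""
    local, domain = envelope_from.rsplit("@", 1)
    ts = B32[(day >> 5) & 31] + B32[day & 31]  # day counter mod 1024, two base32 chars
    mac = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]  # short tag stops forged bounces
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"

def dkim_body_hash(body):
    """DKIM bh= value: SHA-256 of the body under 'simple' canonicalization (RFC 6376)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":  # trailing empty lines are ignored
        lines.pop()
    canon = "\r\n".join(lines) + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def receiver_verdict(header_from, envelope_from, relay_spf_domains, dkim_d, dkim_bh, body):
    """Return (spf, dkim, dmarc) as the final recipient's server would see them."""
    from_dom = header_from.rsplit("@", 1)[1].lower()
    env_dom = envelope_from.rsplit("@", 1)[1].lower()
    spf = env_dom in relay_spf_domains  # is the forwarder's IP in that domain's SPF?
    dkim = dkim_body_hash(body) == dkim_bh
    # Strict alignment for brevity; relaxed mode compares organizational domains.
    aligned = (spf and env_dom == from_dom) or (dkim and dkim_d == from_dom)
    return ("pass" if spf else "fail", "pass" if dkim else "fail",
            "pass" if aligned else "fail")

def forward(use_srs, add_footer):
    """Forward the thread's example message; all values below are constructed."""
    header_from = envelope = "user@received-domain.com"
    body = "Quarterly numbers attached.\r\n"
    signed_bh = dkim_body_hash(body)  # hash the originator signed
    if use_srs:
        envelope = srs0_rewrite(envelope, "domain.com", day=600)
    if add_footer:
        body += "-- scanned by gateway --\r\n"
    return receiver_verdict(header_from, envelope, {"domain.com"},
                            "received-domain.com", signed_bh, body)

if __name__ == "__main__":
    for srs in (False, True):
        for footer in (False, True):
            print(f"SRS={srs!s:5} footer={footer!s:5} ->", forward(srs, footer))
```

In every case the header From stays user@received-domain.com, which is the field a relay's verified-sender check looks at; SRS only changes the envelope sender.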
