Mail Forwarding Desperately Needs Sender Rewriting Scheme (SRS)

In order to use forwarding-only emails with a service such as Gmail, Sender Policy Framework (SPF) is becoming necessary to avoid landing in spam folders. However, without implementing Sender Rewriting Scheme (SRS), SPF is essentially broken — one can send emails out from Gmail and the SPF passes, but replies to that email fail without SRS in place.

Are there any plans at Dreamhost to offer SRS for forwarding-only emails? This is causing me a big headache in trying to improve my use of Gmail with my domain hosted at Dreamhost. For a variety of reasons, I’m not interested in changing to a DH-hosted mailbox and using POP to grab it from Gmail (it means I’ve got two copies, more points of failure, disk space issues, etc.).

I’ve seen several questions about SRS on these forums via search, but nobody ever answers from DH. I also see some DH competitors offer this (e.g. hostwinds).

I was under the impression that SRS was only needed for forwarders that modify the message (like mailing lists that change from-adds and footers, etc). I thought a simple forwarder should work if DMARC is set up and the DKIM signature is valid, because DMARC allows email to fail SPF as long as DKIM passes.

I have no issue using forward-only email aliases hosted here at DH pointed to gmail. Never had any end up in users’ spam. Never needed to add SRS or anything else.

What DMARC entry would work to accomplish that? I tried what I thought would be permissive, then tried deleting it altogether, and still can’t pass.

@keyplyr are you using Dreamhost’s SMTP server in Gmail, or are you grandfathered in for using Google’s SMTP? I’m using Dreamhost’s and that seems to be what’s creating the issue for me.

And to be clear, the easiest repeatable symptom is if I send an email from Gmail (to another person on Gmail) using my DH-hosted domain address via the ‘send mail as’ function, then wait for a reply from the recipient, their reply always, 100% goes into Gmail spam. It also comes with an SPF softfail complaining that Google can’t verify DH’s mail servers:

spf=softfail (google.com: domain of transitioning otherperson@gmail.com does not designate 64.90.62.163 as permitted sender) smtp.mailfrom=otherperson@gmail.com;

My email alias is basically just a display for humans to see. It is not config’d. Gmail just displays it. If you look at the email headers (which most users will not do) it shows actual gmail address.

So to be clear, I have nothing config’d with SMTP or SPF or SRS. I just use the DH utility to add forwarding domain alias email addresses and forward them all to gmail. Then in my Gmail settings, I have added each of them as additional Sender addresses, but as I mentioned, it is really just a sender display since gmail doesn’t use DH servers to send.

So according to the error message you posted, that seems to be the problem. You’ve config’d the aliases to be DH sent, but Gmail isn’t doing that.

Solution: just set up the aliases like I’m doing.

When you say you have “added each of them as additional Sender addresses” can you clarify what you mean? I am adding mine under Settings–>Accounts and Import–>Send Mail as–>Add another email address. From there there’s no choice but to configure SMTP. Are you adding yours somewhere else?

As I said, don’t set up SMTP. That’s what is causing your errors. Let Gmail send/receive mail without attempting to connect to DH mail servers. The end user will still see your domain alias.

I would recommend wiping everything & starting over. Just set up your email domain aliases here at DH and point them at your Gmail address… that’s it. Don’t config anything.

Then at Gmail, add those to settings so you can send mail using those addresses displayed as the Sender. Simple as that.

With forwarding, I’m pretty sure that the forwarding domain DMARC record isn’t involved. Only the DMARC of the sending domain is tested. So when Gmail mail is forwarded, it is evaluated based on GMail’s DMARC.

I was able to reproduce the problem you describe. Here’s the setup (correct me if I misinterpreted):

                  DH Mailhosting
                  Forward-Only:
A@gmail.com --> staff@example.com --> B@gmail.com

Using a DH mail-hosted domain (example.com), I set up a forward-only address (staff@example.com) which forwards to a Gmail address (B@gmail.com). I then sent email from another Gmail account (A@gmail.com).

Test mail from A was received by B, but was put in the spam folder. The mail failed SPF but passed DMARC because A’s mail was DKIM signed by Gmail, and DH’s forwarder didn’t modify the message.

So why did it end up in spam, despite passing DMARC? My understanding is that DMARC is just one of many signals that Gmail uses to distinguish ham from spam. Other likely signals are:

  • Domain novelty: the domain I used for forwarding hadn’t sent much mail, so Gmail was suspicious.
  • Forwarding server: DH seems to forward via mx*.dreamhost.com, which is different from the server used to send regular mail from the domain (*.relay.mailchannels.net), so Gmail was suspicious.
  • Forwarding spam filtering? If DH isn’t filtering spam for forward-only addresses, then Gmail won’t trust the forwarding servers ( mx*.dreamhost.com).

To work around the problem, I set up a never-spam filter in B’s Gmail settings:

Matches: to:(staff@example.com)
Do this: Never send it to Spam

That fixed the immediate problem. Now, a few days later, I’ve removed the filter and re-tested and forwarded mail is no longer marked as spam. Clearly, Gmail ruminated on the new mail flow pattern, and finally decided it was ok.
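
The SPF and DMARC outcomes discussed in this thread, as an added Python example that is not part of any post and is not DreamHost's or Gmail's code: it evaluates the forwarded flow with and without an SRS-style envelope rewrite. The SPF policies, the 192.0.2.0/24 range and the `HHHH=TT` hash/timestamp placeholder are constructed assumptions; the forwarder IP is the one in the softfail header quoted earlier.

```python
import ipaddress

# Constructed SPF policies (not real DNS data): permitted networks + default result.
SPF = {
    "gmail.com": (["192.0.2.0/24"], "softfail"),   # stand-in range, "~all"
    "example.com": (["64.90.62.163/32"], "fail"),  # forwarder IP from the thread, "-all"
}

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def spf_check(mail_from, client_ip):
    """SPF is evaluated on the envelope sender's domain and the connecting IP."""
    dom = domain_of(mail_from)
    if dom not in SPF:
        return "none", dom
    nets, default = SPF[dom]
    ip = ipaddress.ip_address(client_ip)
    hit = any(ip in ipaddress.ip_network(n) for n in nets)
    return ("pass" if hit else default), dom

def srs_rewrite(mail_from, forwarder_domain, tag="HHHH=TT"):
    """SRS0-style rewrite; tag is a placeholder for the real hash and timestamp."""
    local, dom = mail_from.rsplit("@", 1)
    return f"SRS0={tag}={dom}={local}@{forwarder_domain}"

def dmarc(header_from, spf, dkim):
    """Pass if SPF or DKIM passes for the From: domain (exact match used here)."""
    want = domain_of(header_from)
    return "pass" if ("pass", want) in (spf, dkim) else "fail"

def evaluate(mail_from, header_from, client_ip, dkim):
    spf = spf_check(mail_from, client_ip)
    return {"mail_from": mail_from, "spf": spf[0], "dmarc": dmarc(header_from, spf, dkim)}

def scenarios(ip="64.90.62.163"):
    a, srs = "A@gmail.com", srs_rewrite("A@gmail.com", "example.com")
    ok, broken = ("pass", "gmail.com"), ("fail", "gmail.com")
    return {
        "forward, no SRS": evaluate(a, a, ip, ok),
        "forward, SRS": evaluate(srs, a, ip, ok),
        "forward, SRS, DKIM broken": evaluate(srs, a, ip, broken),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} {result}")
```

With the rewrite, SPF passes for the forwarder's domain but is not aligned with the From: domain, so DMARC still depends on the original DKIM signature surviving the forward.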

I have this problem as well. I’ve gone thru many rounds of testing with spf and tweaking DNS records attempting to send mail thru my domain only to have it marked as spam by the recipient, not just mail forwarding. Then, I started to receive messages telling me that mailchannels won’t let me send a personal email which it tagged as spam, outgoing. gawd, I just gave up and switched to a different smtp service outside of dreamhost.

Incoming email has issues as well. The headers now say that every email received comes from carbon60 on 199.10.31.237 and .238. This makes it impossible for me to filter spam or find the true source of an incoming email. I’m assuming that carbon60 is a cloud front end for email? This is new.

Thank-you.

About SRS, the successor to SRS is Authenticated Received Chain (ARC), which has the forwarding domain re-sign email before forwarding. This gives the final receiver a chain of signed authentication results to use in evaluating ham/spam.

Rather than implement SRS, I think DH should jump directly to implementing ARC which should work better with Gmail.

I’ve only really used DH mail after they switched to mailchannels.net, and as far as I can see, one can’t modify any mail-DNS settings (SPF/DKIM/DomainKey), except for DMARC. How can you change SPF if you’re dns/mail hosting on DH?

When I look at mail received by a DH hosted email address, I see the 3 or 4 Received: headers I would expect. The last one (top one) is for an inbound-egress-*.mailchannels.net server. I don’t see “carbon60” - maybe you could post the header?

Look at the entry in arin.net

Ah, thanks. I hadn’t dug deep enough to see that MailChannels is hosted at Carbon60.

You have to disable the (now default) DH mailchannels settings:

Panel → Mail → Anti-spam
Click Edit Filter next to mail domain
Click Edit Settings button
Click Change Filter Settings and Proceed to Disable Filtering

Regular DNS settings should now be editable via Domains → Manage Domains → DNS
