SRS for forwarded aliases
The help pages for aliases recommend not enabling SRS (sender rewriting scheme) when configuring an alias to forward to an external mail system (gmail in my case).
Can anyone explain why this is the recommendation? |
The help page says:
Quote:
However, the DMARC standard makes use of both DKIM and SPF, and it additionally requires alignment between the envelope From and From header. SRS will cause this alignment to fail. See more at: https://fastmail.blog/2016/12/24/spf-dkim-dmarc/ At this time (with the current popular security standards) it's not possible to guarantee that forwarding works in all cases. This has nothing to do with Fastmail, but is due to the attempts to reduce spam by preventing spoofing of the From address. Bill |
Setting up SRS may prevent an email being rejected for failing SPF, it shouldn't make any difference to whether it passes DMARC.
"We don't recommend enabling SRS unless you need to" without any explanation seems very enigmatic to me. The reason for not having it would have to be a pretty good one IMO because a third-party downstream service could change its policy at any time. |
Quote:
Personally, though, like you I tend to think using SRS may be the lesser risk. |
Old thread revival. If I am not mistaken, Fastmail's other service, Pobox.com, does utilize SRS as part of their email forwarding products. Not sure why a service like Pobox.com seems to be able to do forwarding successfully and make a profit on it while many people seem to think all forwarding is a bad idea. Why do Fastmail and Pobox.com, parts of the same company, have different opinions on SRS? In the past when I used Pobox.com I had absolutely no issues with the forwarding part of their service and when I sent email to others, via Gmail but using Pobox SMTP, my mail was getting through reliably.
|
Fastmail does support SRS as an alias redirection setting, but AFAIK not from sieve/rules.
pobox is the best know portable address provider around. Possibly it gets more widespread special handling. |
Reading up a bit on SRS and forwarding, SPF, DKIM, DMARC, etc., it is a wonder any of our email ends up where it's supposed to!
|
Quote:
SRS can in some cases solve SPF forwarding, but only if the receiving server doesn't use strict SPF and DMARC alignment (which means that the SPF and DKIM signing domains, From header domain, and From envelope domain all match). Bill |
Quote:
|
Quote:
Code:
Authentication-Results: Code:
Authentication-Results: |
Quote:
Authentication-Results: spf=pass (sender IP is 142.0.167.118) smtp.mailfrom=notice.comcastbusiness.com; XXXXXX.org; dkim=pass (signature was verified) header.d=notice.comcastbusiness.com;XXXXXX.org; dmarc=pass action=none header.from=notice.comcastbusiness.com;compauth=pass reason=100 |
Quote:
Bill |
Quote:
|
Quote:
The receiving server may reject based on SPF either without using DMARC or before using DMARC. The latter is not as bad as it sounds because most ham without an author aligned SPF pass will still have an SPF pass. Even if there is no SPF rejection an SPF fail may be taken account of in other spam filtering. |
All times are GMT +9. The time now is 12:06 PM. |
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy