This article confuses me, and I’m a professional sysadmin who deals with email (including these issues). As far as I know, neither GMail (in practice) nor DMARC (in theory) requires that the envelope sender domain match the From: address domain. DMARC normally requires either SPF to pass (the email is coming from the original source) or for the email to have a valid DKIM signature for the From: domain (‘alignment’), and GMail is increasingly requiring one of the two in order to accept email even for domains without a published DMARC policy. But if the email is DKIM signed for the From: domain, it is okay by DMARC AFAIK and pragmatically GMail still accepts lots of such email being forwarded from us to it.
(A domain that does not DKIM sign its mail can prevent its mail from being forwarded, but this will also take out a bunch of mailing list activity by its people, so I’ve only rarely seen it. However, small-scale mail systems in small organizations may not do much DKIM signing, so perhaps this is a bigger issue for people who deal with a lot of them.)
Yeah, I think this post is wrong. But it’s a common misunderstanding.
I believe the issue is just that there are a lot of sources explaining DMARC alignment wrong. What DMARC alignment actually says is that either DKIM or SPF need to match the From domain. But many poorly researched sources will tell you it means the envelope from needs to match the from header.
After I understood this, I wondered if I should write a blog post explaining how DMARC and forwarding work, because it took me a while to understand how it all works together. I probably should write that post.
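Added example (not part of the thread and not any commenter's code): the alignment rule discussed in the comments above, evaluated over constructed forwarding scenarios to show which ones survive a forward. The domains are placeholders, and `org_domain` is a simplifying assumption that takes the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (assumption; real
    DMARC implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    from_domain: str       # domain in the From: header
    envelope_domain: str   # MAIL FROM (envelope sender) domain
    spf_pass: bool         # SPF verdict for envelope_domain at the receiving hop
    dkim: list = field(default_factory=list)  # [(d= domain, signature valid?)]

def dmarc_pass(m: Message) -> bool:
    """Pass if SPF passes AND is aligned, or any valid DKIM signature is aligned."""
    spf_ok = m.spf_pass and aligned(m.envelope_domain, m.from_domain)
    dkim_ok = any(valid and aligned(d, m.from_domain) for d, valid in m.dkim)
    return spf_ok or dkim_ok

# Constructed scenarios; example.org, forwarder.example, list.example are placeholders.
SCENARIOS = {
    "direct delivery": Message("example.org", "example.org", True,
                               [("example.org", True)]),
    # Forwarder keeps the envelope sender: SPF fails (wrong IP), DKIM survives.
    "forwarded, envelope kept": Message("example.org", "example.org", False,
                                        [("example.org", True)]),
    # Forwarder rewrites the envelope: SPF passes but is not aligned.
    "forwarded, envelope rewritten": Message("example.org", "forwarder.example",
                                             True, [("example.org", True)]),
    "forwarded, origin never signed": Message("example.org", "forwarder.example",
                                              True, []),
    # List modified the body: original signature invalid, list's own is unaligned.
    "list broke signature": Message("example.org", "list.example", True,
                                    [("example.org", False), ("list.example", True)]),
}

def evaluate() -> dict:
    return {name: dmarc_pass(m) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:32} DMARC {'pass' if ok else 'fail'}")
```
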
I think this was more of an issue back in the day when a mail client couldn’t handle multiple accounts. I really don’t find much reason to do forwarding these days. I just have all the accounts in a single unified inbox and if I need to send I just choose the appropriate address and do that. Not to say that forwarding can’t be convenient, but I think it’s much less necessary than it used to be.
I stopped doing exactly this because I find all mail clients terrible and slow. I use fastmail and gmail (work) web clients on desktop, and their official apps on mobile.
Personally, I stopped using my old accounts for privacy reasons, so keeping a constant connection to, e.g., Google’s servers defeats the point, especially authenticated.
For some platforms there is a workaround; rather than forwarding mail, have the platform collect it from a mailbox using POP3 or IMAP. For example, Gmail have their “check messages from other accounts” functionality in their mailboxes, which picks up your mail from a mailbox as if it’s been received by the Gmail mailbox directly, and other platforms are adding similar options.
I would like to insist my fellow VPS users do this, rather than forward to gmail over SMTP, and further impact our VPS’s IP reputation. I’m fairly sure I’ve seen another Lobsters thread recently calling for POP3 tools to be dropped; unfortunately, last I checked, Google/GMail don’t do ingress from IMAP. I side-stepped the problem to some extent by buying in SMTP services from (coincidentally) Mythic Beasts.
The issue is that Google had no incentive to do this properly, where properly would’ve been telling Google that you’re forwarding email through / from a given email address. Instead, Google decided to treat the forwarder as the source of spam when spam is forwarded, with no way around this.
It makes perfect sense when we consider the fact that Google doesn’t want any email other than their own to work properly, so they have no reason whatsoever to do something that makes sense, or that had been practiced for decades before they existed.
yes, please!
Wrong thread. Having some issues with my web browser. Sigh.