Problems with mail forwarding from “@cs.com” addresses

A customer recently reported problems when forwarding mail sent from a “@cs.com” CompuServe address to a Yahoo or Gmail address. Yahoo completely rejects the forwarded message and Gmail puts it in a “spam” folder.

This is caused by a misconfiguration at cs.com, and happens whenever anyone, anywhere, forwards @cs.com mail. It’s not related to our service in particular. However, we’ve reported this to cs.com in the hope that they’ll fix it.

Until they do so, there’s no way to avoid this problem except by having the sender send mail directly to the final destination address, or converting the forwarding address to a mailbox. (This problem is another example of the general rule that “a mailbox is usually more reliable than a forwarding address, because forwarding involves two places where things can go wrong instead of just one”.)

Technical details

This problem happens because cs.com recently published a DMARC policy saying that all their mail must either be signed with DKIM or come from a sending IP address that passes an SPF check.

Forwarded mail never passes an SPF check, so successful delivery relies on a valid DKIM signature. The @cs.com mail is DKIM signed, so it should work — but it’s signed by “mx.aol.com”, not by “cs.com”. The relevant headers look like this:

From: "Someone" <example@cs.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;

This doesn’t work. Gmail shows something like:

Authentication-Results: mx.google.com;
    spf=neutral (google.com: 192.0.2.3 is neither permitted nor denied by domain of example@cs.com) smtp.mail=example@cs.com;
    dkim=pass header.i=@mx.aol.com;
    dmarc=fail (p=REJECT dis=NONE) header.from=cs.com

The “dkim=pass” but “dmarc=fail” combination is because the DMARC specification requires that the DKIM signing domain name be “aligned with” (the same as, or a subdomain of) the “From” domain name. Sending mail from cs.com that isn’t signed by cs.com doesn’t cut it, as shown in “Example 3” of section B.1.2 of the DMARC specification.

Because the SPF check doesn’t pass and the DKIM signature, although valid, isn’t aligned with the “From” domain, Yahoo and Gmail treat the message as failing DMARC, and it doesn’t get delivered properly.

If the message is sent directly from cs.com to Yahoo or Gmail, the DKIM signature still isn’t aligned, but the SPF check passes, and everything works. This difference makes it look like something is going wrong with our forwarding system, but it’s not: the same thing would happen to any forwarded @cs.com message.
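The alignment logic described above can be reproduced from the headers alone. The following Python is an added example, not code from this post or from any mail provider. It assumes relaxed alignment and approximates the organizational domain as the last two labels (real evaluators use the Public Suffix List); the DIRECT and RESIGNED inputs are constructed variants of the headers shown earlier.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(raw_headers):
    """Return (verdict, mechanisms that passed AND aligned with the From domain)."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Drop parenthesised comments, then walk the ";"-separated result clauses.
    results = re.sub(r"\([^)]*\)", "", msg["Authentication-Results"])
    passes = []
    for clause in results.split(";")[1:]:
        method = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        ident = re.search(r"(?:smtp\.mail(?:from)?|header\.[id])=(\S+)", clause)
        if not method or not ident:
            continue  # e.g. the receiver's own dmarc= clause
        domain = ident.group(1).rpartition("@")[2]
        if method.group(2) == "pass" and aligned(domain, from_domain):
            passes.append(method.group(1))
    return ("pass" if passes else "fail"), passes

FORWARDED = (  # the headers quoted in the post
    'From: "Someone" <example@cs.com>\n'
    "Authentication-Results: mx.google.com;\n"
    " spf=neutral (google.com: 192.0.2.3 is neither permitted nor denied by"
    " domain of example@cs.com) smtp.mail=example@cs.com;\n"
    " dkim=pass header.i=@mx.aol.com;\n"
    " dmarc=fail (p=REJECT dis=NONE) header.from=cs.com\n"
)
# Constructed: same message delivered directly, so SPF passes for cs.com.
DIRECT = FORWARDED.replace("spf=neutral", "spf=pass")
# Constructed, hypothetical: forwarded message signed with an aligned domain.
RESIGNED = FORWARDED.replace("@mx.aol.com", "@cs.com")

if __name__ == "__main__":
    for name, hdrs in (("forwarded", FORWARDED), ("direct", DIRECT),
                       ("forwarded, signed by cs.com", RESIGNED)):
        print(name, evaluate_dmarc(hdrs))
```

The forwarded case fails because the only passing mechanism (DKIM for mx.aol.com) is not aligned with cs.com, while the direct case passes on SPF alone.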