Problems with mail forwarding from “” addresses

A customer recently reported problems when forwarding mail sent from a “” CompuServe address to a Yahoo or Gmail address. Yahoo completely rejects the forwarded message and Gmail puts it in a “spam” folder.

This is caused by a misconfiguration at, and happens whenever anyone, anywhere, forwards mail. It’s not related to our service in particular. However, we’ve reported this to in the hope that they’ll fix it.

Until they do so, there’s no way to avoid this problem except by having the sender send mail directly to the final destination address, or converting the forwarding address to a mailbox. (This problem is another example of the general rule that “a mailbox is usually more reliable than a forwarding address, because forwarding involves two places where things can go wrong instead of just one”.)

Technical details

This problem happens because recently published a DMARC policy saying that all their mail must either be signed with DKIM or the sending IP address must pass an SPF check.

Forwarded mail never passes an SPF check, so successful delivery relies on a valid DKIM signature. The mail is DKIM signed, so it should work — but it’s signed by “”, not by “”. The relevant headers look like this:

From: "Someone" <>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;

This doesn’t work. Gmail shows something like:

spf=neutral ( is neither permitted nor denied by domain of;
dmarc=fail (p=REJECT dis=NONE)

The “dkim=pass” but “dmarc=fail” combination is because the DMARC specification requires that the DKIM signing domain name be “aligned with” (the same as, or a subdomain of) the “From” domain name. Sending mail from that isn’t signed by doesn’t cut it, as shown in “Example 3” of section B.1.2 of the DMARC specification.

Because neither the SPF nor DKIM checks pass, Yahoo and Gmail think that DMARC is failing, and the message doesn’t get delivered properly.

If the message is sent directly from to Yahoo or Gmail, the DKIM check still fails, but the SPF check passes, and everything works. This difference makes it look like something is going wrong with our forwarding system, but it’s not: the same thing would happen to any forwarded message.