Problems with mail forwarding from “@cs.com” addresses
A customer recently reported problems when forwarding mail sent from a “@cs.com” CompuServe address to a Yahoo or Gmail address. Yahoo completely rejects the forwarded message and Gmail puts it in a “spam” folder.
This is caused by a misconfiguration at cs.com, and happens whenever anyone, anywhere, forwards @cs.com mail. It’s not related to our service in particular. However, we’ve reported this to cs.com in the hope that they’ll fix it.
Until they do so, there’s no way to avoid this problem except by having the sender send mail directly to the final destination address, or converting the forwarding address to a mailbox. (This problem is another example of the general rule that “a mailbox is usually more reliable than a forwarding address, because forwarding involves two places where things can go wrong instead of just one”.)
Forwarded mail never passes an SPF check, so successful delivery relies on a valid DKIM signature. The @cs.com mail is DKIM signed, so it should work — but it’s signed by “mx.aol.com”, not by “cs.com”. The relevant headers look like this:
From: "Someone" <firstname.lastname@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
This doesn’t work. Gmail shows something like:
spf=neutral (google.com: 192.0.2.3 is neither permitted nor denied by domain of email@example.com) firstname.lastname@example.org;
dmarc=fail (p=REJECT dis=NONE) header.from=cs.com
The “dkim=pass” but “dmarc=fail” combination is because the DMARC specification requires that the DKIM signing domain name be “aligned with” (the same as, or a subdomain of) the “From” domain name. Sending mail from cs.com that isn’t signed by cs.com doesn’t cut it, as shown in “Example 3” of section B.1.2 of the DMARC specification.
Because neither the SPF nor DKIM checks pass, Yahoo and Gmail think that DMARC is failing, and the message doesn’t get delivered properly.
If the message is sent directly from cs.com to Yahoo or Gmail, the DKIM check still fails, but the SPF check passes, and everything works. This difference makes it look like something is going wrong with our forwarding system, but it’s not: the same thing would happen to any forwarded @cs.com message.