A bunch of universities have just sent out notices that email forwarding is going to increasingly break in the very near future. The big email services, gmail, yahoo, outlook and apple, are going to start tightening the thumbscrews (strict SPF, DMARK and DKIM, but also other stuff) on April 1 (bad timing, that).
I’d vaguely seen that gmail was planning to block much more bulk mail to individuals, but hadn’t really thought about the consequences to normal email forwarding. (I blissfully no longer run a mail server and mailing lists.)
Sample notice:
"Can I continue to forward my email to my university address [which then forwards to my personal address]?
“The short answer is no. The new security measures will block non-university email forwarding from your university addresses, including emails from banks, doctors, and other third parties. To continue receiving email from non-university organizations, you must provide them with a personal email address instead of forwarding to your @university.edu account. However, you will still be able to receive emails from the university.”
This is a common set up, so alumni and retirees can keep receiving mail to their university address, even though they no longer have accounts and can’t send from that address.
It’s a good time to audit your email situation, especially if you currently forward mail to large provider controlled domains, or if you have any chains of forwards set up that you’ve forgotten about.
The worst part is that it isn’t going to help. Spammers have already started using subdomain hijacking to get around most of the security restrictions:
Interesting. But this doesn’t sound like a real problem. It’s like saying thieves are breaking into cars that are left unlocked. Lock the damn cars. DNS zone files are under the control of their holders, which controls the defined subdomains and all MX records and DKIM and SPF keys. If people break into your account and we find out you had no password, it’s not newsworthy.
As for email server forwarding, I don’t really like it. If X has a server forward to Y and you reply, they’re typically going to get a reply from Y, which is not whom they emailed. Besides confusing the sender and wasting internet bandwidth, I think it also confuses junk mail handlers that can no longer tell if the sender is a trusted party.
Email aliasing is better, but only works for domains under the same control. As an alternative, every mail client supports multiple accounts. Fetch them separately. And then enjoy these clients like Apple Mail with a smart virtual unified inbox model that offers the simplicity of one stop shop but preserves the value of discrete identities.
Is there still a good use case for server forwarding? We do find it handy at work for supporting legacy mailboxes. But in most cases it just enables our laziness and we should be shutting them down. Like the olden days when you moved to a new home and couldn’t bring your phone number, you can apply a bounce message on the old account to get people to transition to a new one.
We’ve not been able to set forwarding addresses in our College email for the past while. We can on an individual email loaded into outlook but that’s it.
We can’t use anything other than outlook or Edge to access email and that’s on a college supplied laptop. You can interestingly use it on iOS after signing away some rights.
Quite a few staff refuse to do that. Another number just treat the supplied laptop as a desktop and leave it on their desk. Doesn’t work for everyone though, especially adjuncts.
Can’t copy and paste outside the College set of apps either.
I miss forwarding, my email is now split across machines and applications. Antiproductive.
FWIW I just sent myself something at my verizon.net address. It came through as usual, even though Verizon stopped providing email service years ago and started sending (forwarding?) everything sent to it to (in my case) icloud.com. Somehow (and I’ve never been clear on how) it’s worked reliably in both directions so far; if it’s now in peril I’m going to have a lot of work to do correcting over a decade’s worth of personal, commercial, and government contact information.
I have a hazy idea that aol.com did something similar a while back. Is it the sort of thing we’re talking about?
That’s where Apple Mail, at least on iOS, fails miserably. If I’m reading mail in my unified inbox, I sometimes want to know which of my email addresses it was sent to. I tap my name in the To: field, get a link, and tap the link. It shows my contact card. Duh! I know who I am. Then I have to scroll down and look for the tiny gray “Recent” next to the appropriate email address. I wouldn’t even know what that “Recent” label meant except that I did some tests to find out. Worthless.
I don’t use the unified inbox, because my workflow for how I handle emails is highly dependent on which box I’m reading. So it’s a lot more streamlined for me to work through one box at a time, and I think that’s a common use case.
But when I do look at the unified Inbox, the display I currently have shows the nickname of the mailbox in gray in the preview area.
On my Mac, I’ve added “Envelope-To” and “Delivered-To” to the list of displayed headers for a message (Mail/Settings…/Viewing/Show Message Headers). I have some aliases set up for my domain, so it’s sometimes helpful to know how a message ended up in my inbox or direct delivery to a folder.
Check full headers on your email, since your server might use different fields.
“FWIW I just sent myself something at my verizon.net address, It came through as usual, even though Verizon stopped providing email service years ago and started sending (forwarding?) everything sent to it to (in my case) icloud.com”
Personal mail should (probably, at least for now) still get forwarded normally, unless you have corespondents that send out ~5000+ messages per day to a given service–not to the same recipient, just the same service. But commercial/organizational mail easily exceeds that limit and and now has to follow much stricter rules. The two standard protocols that break forwarding are SPF and DMARK. Many sending and receiving servers have so far avoided being strict because forwarding is important.
When forwarding, the original sender sends to ServiceOne. In processing the message, ServiceOne repackages the email to forward it to ServiceTwo. But the repackaging breaks the SPF and DMARK information because the ‘sender’ is now ServiceOne, not your bank, but the spf/dmark says that’s a lie. ServiceTwo may decide to bounce or drop the message due to that. Until now, even the big mail services mostly delivered forwarded mail unless there were other suspicious indications. What’s new is that the biggies are ramping up to require the strictest possible SPF and DMARK.
Anyone forwarding mail between servers, especially if some of that is from defunct services that you can’t log into anymore, really should do an audit to figure out who’s still sending mail to that account, and start changing those addresses beginning with important commercial mail, to a non-forwarded account. Things may not break immediately, but the plan is to ramp thing up quickly (a couple of months, not a year), so procrastination is not a good idea.
Universities and some other organizations apparently got all of five days notice of a stricter than originally advertised rule change. It’s a problem, because at most universities, alumni and employees get to keep their email address (but not a full account) when leaving, and a fairly high percentage take advantage of it. Fortunately for me, I’ve always preferred to keep things separate. But I mostly couldn’t convince users that they should too.
I wouldn’t assume that personal mail is going to be given a pass by everyone. Last year, Gmail started refusing messages sent from my personal domain to Gmail addresses because I hadn’t implemented SPF and DMARK yet (because I didn’t know I needed to). Fortunately, a quick help request to easyDNS sorted it out and got me set up, but it’s clear that Google, at least, isn’t intending to give anyone any leeway once this is all fully implemented.
Gmail has more personal email accounts than probably anybody else, and if not, they’re close to the top. And any domain that doesn’t have SPF and DMARK set up correctly is going to get blocked from sending to any Gmail account. It doesn’t matter whether any other providers follow Google’s lead here. This will break legacy forwarding, simply because of Google’s dominance in personal email.
(Side note: I can’t thank Adam enough for first recommending easyDNS to TidBITS readers, way back when. Yes, they cost more than the basic domain registrars/hosts, but their customer support is absolutely 200% worth every penny. I’ve got three domains there right now, and will be adding more soon if a venture I’m developing right now goes anywhere.)
