The demise of email forwarding is getting closer

A bunch of universities have just sent out notices that email forwarding is going to increasingly break in the very near future. The big email services, gmail, yahoo, outlook and apple, are going to start tightening the thumbscrews (strict SPF, DMARC and DKIM, but also other stuff) on April 1 (bad timing, that).

I’d vaguely seen that gmail was planning to block much more bulk mail to individuals, but hadn’t really thought about the consequences to normal email forwarding. (I blissfully no longer run a mail server and mailing lists.)

Sample notice:

“Can I continue to forward my email to my university address [which then forwards to my personal address]?

“The short answer is no. The new security measures will block non-university email forwarding from your university addresses, including emails from banks, doctors, and other third parties. To continue receiving email from non-university organizations, you must provide them with a personal email address instead of forwarding to your @university.edu account. However, you will still be able to receive emails from the university.”

This is a common set up, so alumni and retirees can keep receiving mail to their university address, even though they no longer have accounts and can’t send from that address.

It’s a good time to audit your email situation, especially if you currently forward mail to large provider controlled domains, or if you have any chains of forwards set up that you’ve forgotten about.

The worst part is that it isn’t going to help. Spammers have already started using subdomain hijacking to get around most of the security restrictions:

1 Like

Interesting. But this doesn’t sound like a real problem. It’s like saying thieves are breaking into cars that are left unlocked. Lock the damn cars. DNS zone files are under the control of their holders, which controls the defined subdomains and all MX records and DKIM and SPF keys. If people break into your account and we find out you had no password, it’s not newsworthy.

1 Like

As for email server forwarding, I don’t really like it. If X has a server forward to Y and you reply, they’re typically going to get a reply from Y, which is not whom they emailed. Besides confusing the sender and wasting internet bandwidth, I think it also confuses junk mail handlers that can no longer tell if the sender is a trusted party.

Email aliasing is better, but only works for domains under the same control.

As an alternative, every mail client supports multiple accounts. Fetch them separately. And then enjoy these clients like Apple Mail with a smart virtual unified inbox model that offers the simplicity of one stop shop but preserves the value of discrete identities.

Is there still a good use case for server forwarding? We do find it handy at work for supporting legacy mailboxes. But in most cases it just enables our laziness and we should be shutting them down. Like the olden days when you moved to a new home and couldn’t bring your phone number, you can apply a bounce message on the old account to get people to transition to a new one.

We’ve not been able to set forwarding addresses in our College email for the past while. We can on an individual email loaded into outlook but that’s it.

We can’t use anything other than outlook or Edge to access email and that’s on a college supplied laptop. You can interestingly use it on iOS after signing away some rights.

Quite a few staff refuse to do that. Another number just treat the supplied laptop as a desktop and leave it on their desk. Doesn’t work for everyone though, especially adjuncts.

Can’t copy and paste outside the College set of apps either.

I miss forwarding, my email is now split across machines and applications. Antiproductive.

2 Likes

It’s hard for me to tell what technology is at play here. So let me focus:

  1. Does the mailbox support IMAP access? Or POP3?

  2. Are there IP restrictions blocking access from all but certain devices?

1 Like

You’re thinking like an individual in control of this laptop. :grinning:

Nothing to fix or sort, a managed device with services limited centrally.

FWIW I just sent myself something at my verizon.net address. It came through as usual, even though Verizon stopped providing email service years ago and started sending (forwarding?) everything sent to it to (in my case) icloud.com. Somehow (and I’ve never been clear on how) it’s worked reliably in both directions so far; if it’s now in peril I’m going to have a lot of work to do correcting over a decade’s worth of personal, commercial, and government contact information.

I have a hazy idea that aol.com did something similar a while back. Is it the sort of thing we’re talking about?

That’s where Apple Mail, at least on iOS, fails miserably. If I’m reading mail in my unified inbox, I sometimes want to know which of my email addresses it was sent to. I tap my name in the To: field, get a link, and tap the link. It shows my contact card. Duh! I know who I am. Then I have to scroll down and look for the tiny gray “Recent” next to the appropriate email address. I wouldn’t even know what that “Recent” label meant except that I did some tests to find out. Worthless.

1 Like

I don’t use the unified inbox, because my workflow for how I handle emails is highly dependent on which box I’m reading. So it’s a lot more streamlined for me to work through one box at a time, and I think that’s a common use case.

But when I do look at the unified Inbox, the display I currently have shows the nickname of the mailbox in gray in the preview area.

Maybe you don’t have that enabled?

I have which account it was sent to on Mac mail, but would love to know how to enable that on iOS and iPadOS.

2 Likes

On my Mac, I’ve added “Envelope-To” and “Delivered-To” to the list of displayed headers for a message (Mail/Settings…/Viewing/Show Message Headers). I have some aliases set up for my domain, so it’s sometimes helpful to know how a message ended up in my inbox or direct delivery to a folder.

Check full headers on your email, since your server might use different fields.

2 Likes

“FWIW I just sent myself something at my verizon.net address. It came through as usual, even though Verizon stopped providing email service years ago and started sending (forwarding?) everything sent to it to (in my case) icloud.com”

Personal mail should (probably, at least for now) still get forwarded normally, unless you have correspondents that send out ~5000+ messages per day to a given service–not to the same recipient, just the same service. But commercial/organizational mail easily exceeds that limit and now has to follow much stricter rules. The two standard protocols that break forwarding are SPF and DMARC. Many sending and receiving servers have so far avoided being strict because forwarding is important.

When forwarding, the original sender sends to ServiceOne. In processing the message, ServiceOne repackages the email to forward it to ServiceTwo. But the repackaging breaks the SPF and DMARC information because the ‘sender’ is now ServiceOne, not your bank, but the SPF/DMARC says that’s a lie. ServiceTwo may decide to bounce or drop the message due to that. Until now, even the big mail services mostly delivered forwarded mail unless there were other suspicious indications. What’s new is that the biggies are ramping up to require the strictest possible SPF and DMARC.

Anyone forwarding mail between servers, especially if some of that is from defunct services that you can’t log into anymore, really should do an audit to figure out who’s still sending mail to that account, and start changing those addresses, beginning with important commercial mail, to a non-forwarded account. Things may not break immediately, but the plan is to ramp things up quickly (a couple of months, not a year), so procrastination is not a good idea.

Universities and some other organizations apparently got all of five days notice of a stricter than originally advertised rule change. It’s a problem, because at most universities, alumni and employees get to keep their email address (but not a full account) when leaving, and a fairly high percentage take advantage of it. Fortunately for me, I’ve always preferred to keep things separate. But I mostly couldn’t convince users that they should too.

I wouldn’t assume that personal mail is going to be given a pass by everyone. Last year, Gmail started refusing messages sent from my personal domain to Gmail addresses because I hadn’t implemented SPF and DMARC yet (because I didn’t know I needed to). Fortunately, a quick help request to easyDNS sorted it out and got me set up, but it’s clear that Google, at least, isn’t intending to give anyone any leeway once this is all fully implemented.

Gmail has more personal email accounts than probably anybody else, and if not, they’re close to the top. And any domain that doesn’t have SPF and DMARC set up correctly is going to get blocked from sending to any Gmail account. It doesn’t matter whether any other providers follow Google’s lead here. This will break legacy forwarding, simply because of Google’s dominance in personal email.

(Side note: I can’t thank Adam enough for first recommending easyDNS to TidBITS readers, way back when. Yes, they cost more than the basic domain registrars/hosts, but their customer support is absolutely 200% worth every penny. I’ve got three domains there right now, and will be adding more soon if a venture I’m developing right now goes anywhere.)

1 Like

It looks as if email forwarding isn’t to be trusted any more. If you’re depending upon it, then before you expect to get any message of importance, test it. Do not be surprised if it suddenly stops working for you. Organizations are continuing tightening email security.

A new article describes how to tighten email security for any custom domains you may have hosted at another email provider’s site (e.g., Google for Work, Apple iCloud+, etc.): https://talk.tidbits.com/t/need-to-check-dmarc-settings-for-custom-domains

As to why: due to recent increases in fraudulently spoofed email, the big email services (gmail, yahoo, outlook, and apple) as well as a lot of other organizations are tightening incoming email security. As a result, other organizations which provide email to large numbers of people (universities, large businesses) are having to update their outgoing email security.

Using strict SPF, DKIM, and DMARC (esp. DKIM) makes message forwarding very difficult. I suspect most sites which currently offer mail forwarding will simply stop doing so. [Possibly without announcing that they’re doing so, which is why you need to test any that you want to continue to depend upon.]

I’m confused by this discussion. I tried forwarding copies of an email newsletter to a gmail address that I read through Apple Mail, an alumni address managed and forwarded to me by Microsoft, and an old email address forwarded by the site (which no longer provides email service). All came through. What should we worry about?

The issue doesn’t really affect the kind of forwarding that you’re describing, where you as an individual are selecting a message to directly forward to another email address. When you do that, your email address is applied as the sender. That works pretty much the same as just sending a message directly, and unless you have a custom domain, you probably don’t have to worry much about that having trouble.

It’s the original automatic, server-level forwarding that got those messages to you in the first place that’s at risk. When you forward a message in that manner, it retains the original sender. This sender’s domain will not match the domain that the message is being forwarded via. SPF, DKIM, and DMARC are a group of protocols for verifying that the message is still legitimate despite the domains not matching.

In order for this kind of forwarding to continue happening, SPF, DKIM, and DMARC need to be properly implemented by every domain the message passes through. The forwarding domains can be updated to implement this, but the domain that’s being forwarded from (such as your old alumni address’s domain) also needs to have it implemented, and many of these older domains aren’t being actively managed anymore. They’re still registered (if they weren’t, the email sent to them would bounce right off the bat), but if they’re not actually using them for anything except maintaining forwarding, there’s a good chance that they won’t bother to implement the necessary protocols, and you may not be able to reach anyone managing those domains to get them updated.

Your Microsoft address probably won’t have any issues. While Microsoft does not yet appear to be requiring DMARC for messages it receives, it still should have it implemented for what it sends. So if they’re managing the domain for that old alumni address, they’re able to make sure DMARC is set up properly.

A lot will actually depend on the domain you receive your emails through. If it’s Google, they’re rejecting all messages that aren’t DMARC-authenticated (if this isn’t in place for all receipts yet, it will be soon). Other major email providers are at various stages of implementing DMARC requirements for incoming mail.

You usually will not know that a message sent to you was bounced, because the bounce goes back to the originator. You would likely notice it only if you know that you should have received a message, but didn’t. So messages you expect to be forwarded to you will simply disappear if those old domains don’t get their settings updated.

If you send a noncompliant message to a server that is rejecting noncompliant messages, you’ll get the bounce. This is pretty much a risk only if you use a custom domain, in which case you’ll need to follow the directions in the other thread to make sure your domain has the protocols set up correctly. It’s not difficult, but your domain host will not invisibly do it for you. Each domain owner/manager is individually responsible for setting up SPF, DKIM, and DMARC on their domain.
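The mechanism described in the two explanations above (the forwarding server’s IP no longer matching the envelope sender’s SPF record, and DKIM only surviving if the forwarder leaves the signed content untouched), as an added example that is not code from this thread: a toy Python evaluation of SPF, DKIM and DMARC alignment for a direct message, a plain server-level forward, a forward that modifies the body, and a forward that rewrites the envelope sender. All domains, IPs, records and policies are constructed; real SPF/DMARC data lives in DNS TXT records and real DKIM uses public-key signatures, not the bare body hash used here.

```python
# Added example: toy DMARC evaluation with constructed in-memory records instead of DNS and real DKIM keys.
from dataclasses import dataclass
import hashlib

# Constructed stand-ins for DNS data: SPF-authorized sending IPs and the DMARC policy per domain.
SPF_AUTHORIZED = {"bank.example": {"198.51.100.10"}, "university.example": {"203.0.113.20"}}
DMARC_POLICY = {"bank.example": "reject"}

@dataclass
class Message:
    connecting_ip: str      # IP that delivered the message to the final receiver
    mail_from: str          # SMTP envelope sender (what SPF checks)
    header_from: str        # RFC 5322 From: header (what DMARC aligns against)
    dkim_domain: str        # d= tag of the DKIM signature
    dkim_body_hash: str     # body hash recorded in the signature when the sender signed it
    body: str

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()

def sign(body: str) -> str:
    # Simplified DKIM signing: record a hash of the body as it left the sender.
    return hashlib.sha256(body.encode()).hexdigest()

def spf_pass(msg: Message) -> bool:
    # SPF asks: is the connecting IP allowed to send for the MAIL FROM domain?
    return msg.connecting_ip in SPF_AUTHORIZED.get(domain_of(msg.mail_from), set())

def dkim_pass(msg: Message) -> bool:
    # Simplified DKIM verification: the signature survives only if the signed body is unchanged.
    return hashlib.sha256(msg.body.encode()).hexdigest() == msg.dkim_body_hash

def dmarc_result(msg: Message) -> str:
    """Return 'pass', or the From-domain's DMARC policy ('reject'/'none') when nothing aligns."""
    from_dom = domain_of(msg.header_from)
    spf_aligned = spf_pass(msg) and domain_of(msg.mail_from) == from_dom
    dkim_aligned = dkim_pass(msg) and msg.dkim_domain == from_dom
    if spf_aligned or dkim_aligned:
        return "pass"
    return DMARC_POLICY.get(from_dom, "none")

BODY = "Your statement is ready."   # constructed sample content
direct = Message("198.51.100.10", "alerts@bank.example", "alerts@bank.example", "bank.example", sign(BODY), BODY)
# Server-level forward by university.example: its IP connects, envelope sender left as the bank's.
forwarded = Message("203.0.113.20", "alerts@bank.example", "alerts@bank.example", "bank.example", sign(BODY), BODY)
# Same forward, but the forwarder appended a footer, so the DKIM body hash no longer matches.
forwarded_modified = Message("203.0.113.20", "alerts@bank.example", "alerts@bank.example", "bank.example", sign(BODY), BODY + "\n-- forwarded by university.example")
# Forward with the envelope sender rewritten to the forwarder's own address (what SRS does): SPF passes but is not aligned.
srs = Message("203.0.113.20", "fwd-bounces@university.example", "alerts@bank.example", "bank.example", sign(BODY), BODY)
```

The plain forward still passes only because the intact DKIM signature is aligned with the From domain; once the forwarder touches the body (or the sender never signed with DKIM), SPF failure leaves nothing to align and the bank’s p=reject policy applies.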

Re: “I tried forwarding copies …”

If you select a message you’ve received, and manually forward it elsewhere, that should continue to work consistently.

Where you’ve set up relaying or automatic forwarding to a different email address is where things can be unreliable.

Example: I’ve used several different email addresses (real addresses, not aliases) to receive mail from different mailing lists. For convenience, I’ve converted some of those email addresses to “forwarding only” addresses, in order to collect everything at a single address.

Now, I either don’t get some of those messages, or they end up in a spam folder. This didn’t used to happen …

The disposition of a message varies depending on the different (and possibly changing) security policies of:

  1. The site where the messages to the mailing list are sent from
  2. The site which does the forwarding
  3. The end site where I want to receive those messages

Also, to clarify: aliases still work just fine.

I.e., if you use Hide My Email for your @iCloud email address, you should be able to receive (and send) to all your created arbiTraryR4nd0m@icloud.com addresses as well (at least until you delete that alias).

Thanks for the explanation. I don’t fully understand the details, but when I looked for email sent to one address I have forwarded to me, I saw that the emails retained the email of the original sender, so I passed your comments along to alert them.

I also have another question. What happens if an organization uses a single gmail address to receive emails from outside and forward them to officers? I am the treasurer of a small group that almost lost its web site because bills going to the gmail address were not being forwarded to the officers supposed to deal with them. Has Google set up email on its own system to avoid the problem, or do they block that kind of forwarding? And what happens if some of the members do not use gmail addresses?
Thanks, Jeff