Score:1

Is it still possible to use a catch-all email forwarder to gmail, and how?


Since ever, I've been using a catch-all email forwarder at a domain I hold, *@mydomain.net, and sending the email to my personal gmail account, [email protected]. I've just been ousted from my domain host by a pricing change, and moved to a new one (fasthosts, as it happens). The catch-all has been configured at the new host, and it seems that it is working, since emails from some sites (including amazon.co.uk) are getting through. However, emails from elsewhere are not, and I suspect gmail is blocking them silently.

The (successfully-received) email from amazon includes these lines:

```
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=27ndrlrdagf22763jnizbipdvvil3lqa header.b=S2xxySPL;
       dkim=pass [email protected] header.s=shh3fegwg5fppqsuzphvschd53n6ihuv header.b=XRjtDO1P;
       spf=fail (google.com: domain of 20230613081337141a97ca6a024ef9b0845e68c800p0eu-c398vbjjn95lvi@bounces.amazon.co.uk does not designate 213.171.216.218 as permitted sender) smtp.mailfrom=20230613081337141a97ca6a024ef9b0845e68c800p0eu-C398VBJJN95LVI@bounces.amazon.co.uk;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk
```

which I guess might read as: it failed on SPF, but was passed anyway because... and then I don't know.

The SPF record for the domain is as follows:

```
Non-authoritative answer:
mydomain.net    text = "v=spf1 a ip4:213.171.216.0/24 ip4:77.68.64.0/27 mx ~all"

Authoritative answers can be found from:
```

From the amazon email headers, it looks like gmail went to ask amazon if the fasthosts server was a permitted sender. So I can't change that, I guess.

Is there a way to configure my gmail, or my records at fasthosts, to make catch-all forwarding start working again?

Failing that, might an alternative mail provider be available that was not as strict as gmail and would let these mails through?

HBruijn:
SPF records and bounce handling usually "break" when using "simple" e-mail forwarding schemes. To deal with that, the [SRS; the Sender Rewriting Scheme](https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) has been developed. That needs to be supported in the e-mail server doing the forwarding. - You can associate your custom domain with your Gmail account with a paid Google Workspace and receive email directly without the need of a forwarding service.
AskUbuntuUser13085924:
Thanks for the answers. For info, I have resolved the immediate (rather an emergency) issue by taking a paid mailbox from fasthosts for 1 year. That gives me time to get into your answers and understand the problem, whilst not missing important mail. I guess because it's hosted by them, it works, but I admit I'm not clear exactly why.
Score:1

DMARC

These days ESPs such as Gmail or Outlook rely more and more on DMARC authentication results than purely on SPF authentication, since SPF is checked on the bounce address (a.k.a. envelope from or Return-Path or smtp.mailfrom) instead of on the sender address that is visible to the recipient in their email client (the header.from).

This is visible in the ARC-Authentication-Results header you provided as it shows the domain used in the header.from=amazon.co.uk and the smtp.mailfrom=20230613081337141a97ca6a024ef9b0845e68c800p0eu-C398VBJJN95LVI@bounces.amazon.co.uk.

DMARC demands that either a) SPF passes on a domain that aligns with the header.from domain, or b) DKIM passes on a domain that aligns with the header.from domain.

I would advise you to read up on DKIM and DMARC because they are very important in modern day email authentication. Especially in the fact that DKIM may survive forwarding, while SPF fails.

Depending on who the sender is, emails might fail DMARC check for their domain because DKIM is not applied (or a signed header has been altered during forwarding) and SPF is failing because your domain is not in their SPF record.

Possible fixes

Modern email services / systems will offer you various ways to approach this issue with forwarding emails that are failing authentication. This question, basically, is about the same issue as you're describing.

Since SRS might not be desirable and Enhanced Filtering not available in free email services like a Gmail account, your best hope is that FastHosts will start adding ARC headers to the emails that they are forwarding to different ESPs. But still, it will be up to the ESPs to recognize Fasthosts as a trusted ARC source.
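
The alignment rule described in the answer above, as an added example that is not part of the original answer: it parses Authentication-Results values and recomputes the DMARC verdict using relaxed alignment. The header values, domains, function names and the small suffix set standing in for the Public Suffix List are all constructed assumptions.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List, enough for these samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def org_domain(domain):
    """Organizational domain, simplified (real code consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_auth_results(value):
    """Split an Authentication-Results value into (method, result, properties)."""
    parsed = []
    for clause in value.split(";"):
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"(\w+\.\w+)=(\S+)", clause))
            parsed.append((m.group(1), m.group(2).lower(), props))
    return parsed

def dmarc_verdict(value):
    """Pass if any passing SPF or DKIM identity aligns (relaxed) with header.from."""
    results = parse_auth_results(value)
    from_dom = next(p["header.from"] for m, _, p in results if m == "dmarc")
    aligned = []
    for method, result, props in results:
        ident = props.get("header.i") or props.get("smtp.mailfrom")
        if method in ("dkim", "spf") and result == "pass" and ident:
            dom = ident.rsplit("@", 1)[-1]
            if org_domain(dom) == org_domain(from_dom):
                aligned.append((method, dom))
    return ("pass" if aligned else "fail"), aligned

# Constructed sample: forwarded mail from a DKIM-signing sender (SPF breaks, DKIM survives).
FORWARDED_SIGNED = """i=1; mx.receiver.example;
 dkim=pass header.i=@shop-example.co.uk header.s=sel1 header.b=AAAAAAAA;
 dkim=pass header.i=@mailer-example.com header.s=sel2 header.b=BBBBBBBB;
 spf=fail (domain of abc@bounces.shop-example.co.uk does not designate 203.0.113.10 as permitted sender) smtp.mailfrom=abc@bounces.shop-example.co.uk;
 dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=shop-example.co.uk"""

# Constructed sample: forwarded mail from a sender that does not sign with DKIM.
FORWARDED_UNSIGNED = """i=1; mx.receiver.example;
 dkim=none;
 spf=fail (domain of news@plain-example.org does not designate 203.0.113.10 as permitted sender) smtp.mailfrom=news@plain-example.org;
 dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=plain-example.org"""

if __name__ == "__main__":
    for name, hdr in (("signed", FORWARDED_SIGNED), ("unsigned", FORWARDED_UNSIGNED)):
        print(name, dmarc_verdict(hdr))
```

The second DKIM signature in the signed sample passes but belongs to a different organizational domain, so it contributes nothing to DMARC; only the aligned signature carries the message through forwarding.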
