How to block people's automatic mail forwarding (to GMail, at least)

February 22, 2023

Suppose, hypothetically, that you're the kind of person who is certain that your email is so sensitive that it should never be automatically forwarded. If you send email to person@example.org and the person likes to forward their email to GMail, well, tough. Your email is too important; they can read it through example.org or not at all. Given the anarchy of Internet email, it sounds like this would be hard to achieve, but don't worry; modern email standards have your back here, at least for places (like GMail) that generally respect them.

Here's what you do. First, configure a strict DMARC policy for your domain, one that tells receivers that you want them to reject any email that doesn't pass DMARC. Then, set up a restrictive SPF policy, one that definitely only passes things sent from your server. Finally, the important step: don't sign your outgoing email with DKIM.

Since you have a strict DMARC policy, receivers like GMail will reject email with a 'From:' header with your domain that doesn't pass DMARC checks (this is DMARC alignment). Since you do have a (restrictive) SPF record, email send directly from your email servers will pass SPF checks and so pass DMARC alignment. But since you don't DKIM sign messages, if GMail receives email from anywhere else with your domain in the From: header, the email will fail DMARC; it can't pass a DKIM check because there's no signature, and it can't pass a SPF check because it doesn't come from you.

Some automatic forwarding will change the envelope sender (the SMTP MAIL FROM) so that it will pass other people's SPF checks (this can be done with SRS or other mechanisms). But very little automatic mail forwarding changes the From: header address, partly because doing so makes it much harder for the person receiving it to do things with the email. And if the forwarding system adds its own DKIM signature, nothing really changes because the signature won't be for your domain and won't count for DMARC alignment.

I regret to inform you that there are mail systems out in the world who are actually doing this, although perhaps they aren't doing it deliberately. Maybe their DKIM signing has broken, or doesn't cover all of the email they sent, or just never got implemented. These people even send mail to people at universities, I assume deliberately. Not all of that email gets through.

(People can of course still manually forward your messages, because manual forwarding generally creates a From: header with their email address, and now what matters is their DMARC policies, DKIM signatures, and SPF records, which their email probably passes if they want it delivered.)

PS: Possibly Google's SMTP rejection messages that I've seen for this have been incomplete, in that maybe Google wouldn't have been as insistent on DMARC alignment in other situations. I saw this with Message-ID headers.

(SMTP email long ago stopped being a fully predictable or understandable system, as systems took increasing measures to defend themselves against spam.)

Written on 22 February 2023.
« Grafana Loki doesn't compact log chunks and what this means for you
The web single sign on versus availability problem »

Page tools: View Source.
Search:
Login: Password:

Last modified: Wed Feb 22 22:35:22 2023
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.