Yesterday I wrote about the mechanics of us DKIM signing some of our email, and mentioned that we're definitely not signing email that merely passes through us, for example when an outside person emails a person here and that person forwards their email elsewhere. Such mail forwarding is reasonably popular here; a lot of people forward their email to other places. Some of them have moved (by graduation or whatever), some of them prefer having their email elsewhere, and so on. We officially support this mail forwarding in various ways.

Unfortunately I've increasingly come to think that the days of this mail forwarding and indeed all mail forwarding are numbered. This isn't directly because of DKIM, but DKIM is certainly part of the story, as is DMARC (for years, other people's DMARC policies have meant that we couldn't successfully forward some email). The large scale practical issue is that forwarded email seems more and more likely to be classified unfavorably by all sorts of systems, both inside and outside organizations such as ours. Sometimes you can manually get the other side to work around these issues, but not always. Large scale mail systems rather want to get email directly from the originator without you (ie, us) in the way.

On one level it's not hard to see why. A place that forwards email rather looks like a place that creates forged email from scratch; both send a volume of email that's not from them (from a variety of source domains) off to you. There is technology that can help you tell the difference, but it isn't necessarily widely used (not everyone DKIM signs their email or has a DMARC policy that tells you to reject unsigned email). There have been attempts to make forwarded email look more like it was email actually from you (starting with SRS), but they're not very popular or useful ultimately because they damage the utility of forwarded email, make it look more suspicious, or both at once.

(After all, the human beings receiving the forwarded email usually want it to look more or less like it was sent directly to them. Generally they don't want to have to take extra steps to reply, or read it, or see who it's really from, or so on.)

I don't have any particular solution to square this circle. We'll continue to support straightforward mail forwarding, but I think the days when it worked reliably are increasingly fading away, and at some point I expect it to mostly stop being useful for people. If we're lucky, large mail providers like Google will provide some sort of magic hoops we can jump through to get designated as a 'good' mail forwarding place, so our forwarding to them will mostly still work.