The downsides of remailing
What is bad about remailing?
Fundamentally we're being asked to do extra work that benefits other people, people who've chosen to break their own mailers for no actual benefit. This is backwards, and in my opinion accommodating such people only encourages the next lot to demand that everyone else clean up their messes.
Apart from that:
- remailing requires additional software and configuration, especially if you want to stop people from still (accidentally) using non-remailing forwarding.
- simple Unix implementations require people you are remailing for to have something approximating a real account. Forwarding just requires an /etc/aliases entry, which is a lot more reassuringly
- the simplest implementation discards bounces entirely, ensuring that if something goes wrong with the forwarding (and things go wrong with forwarding all the time), no one will ever find out about it.
- slightly more complicated schemes turn you into an open relay if the spammers start forging 'bounces' and sending them through you.
- to make a secure scheme, you either need to keep a database of remailed mail or you run into SMTP address length limits when there is a remailing chain.
(PS: remember to forward the SMTP null origin address unaltered.)
- the origin address is useful information, and for many purposes remailing destroys it. The remote MTA cannot really do filtering or whitelisting on it any more, and people who want to use it in their own filters will have to fish it out of the message headers (with a different fishing technique for every different place things get forwarded to them).
- on a non-technical level, putting your own name on something by remailing it (instead of merely forwarding it) makes you more strongly associated with it. This is a problem when you start remailing spam. It also makes it look more like you really did originate the message, and the other Received: headers are just fakes injected on your machine.
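The points above about forged bounces, address length limits in a remailing chain, and the null origin address can be seen together in the following added example, which is not code from this page. The secret key, the `forwarder.example` domain, the `rm=` address layout and the 8-hex-digit tag are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret known only to the remailer
FORWARDER = "forwarder.example"   # assumption: the remailing host's own domain
MAX_LOCAL = 64                    # RFC 5321 limit on the local-part, in octets


def _tag(payload: str) -> str:
    """Short keyed tag binding a rewritten address to this remailer."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:8]


def rewrite(sender: str) -> str:
    """Rewrite an envelope sender so bounces return through the remailer."""
    if sender == "":              # the null origin address is forwarded unaltered
        return ""
    local, _, domain = sender.rpartition("@")
    payload = f"{domain}={local}"
    new_local = f"rm={_tag(payload)}={payload}"
    if len(new_local.encode()) > MAX_LOCAL:
        raise ValueError("rewritten local-part exceeds 64 octets")
    return f"{new_local}@{FORWARDER}"


def bounce_target(rcpt: str):
    """Return the original sender for a bounce, or None if the tag is forged."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if domain != FORWARDER or len(parts) != 3 or parts[0] != "rm":
        return None
    _, tag, payload = parts
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None               # unverifiable "bounce": do not relay it
    orig_domain, _, orig_local = payload.partition("=")
    return f"{orig_local}@{orig_domain}"


def chain_depth(sender: str) -> int:
    """Count how many remailing hops fit before the length limit is hit."""
    hops = 0
    while sender:
        try:
            sender = rewrite(sender)
        except ValueError:
            break
        hops += 1
    return hops
```

With these constructed values, `alice@example.org` survives two hops of rewriting and the third overflows the local-part limit, which is the point at which a stateless scheme has to give way to a database of remailed mail.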
Sidebar: why SPF is pointless
SPF is pointless because it doesn't solve any actual problems.
- it doesn't stop spam; there are a lot of domains without SPF records that spammers can forge freely, and spammers can and do use their own throwaway domains with valid SPF records.
- it doesn't stop you from getting hammered with bounce backscatter; there are, and there are always going to be, lots of machines on the Internet that don't implement SPF. (And almost everything that still generates backscatter is well behind the best practices curve to start with.)
- it doesn't stop phishing; the phishers barely bother to forge origin addresses to start with (partly because they're invisible to about 99% of the people reading email).
My experience also suggests that having SPF records doesn't cause spammers to avoid forging your domain.