Emails Failing DMARC Validation on Forwarding via Cloudron
-
Hi Cloudron team,
I'm encountering an issue where forwarded emails fail DMARC checks when the sender domain has a strict DMARC policy (p=reject). Gmail rejects these forwarded emails with the following error:
550 5.7.26 Unauthenticated email from example.com is not accepted due to domain's DMARC policy. Please contact the administrator of example.com domain if this was a legitimate mail.
Setup:
- Emails are forwarded via Cloudron to Gmail.
- Sender domain (example.com) has a strict DMARC policy.
- SPF and DKIM are valid when the email is received by my Cloudron server, but forwarding breaks DMARC validation.
Issue:
The forwarded email’s envelope sender (Return-Path) remains as the original sender’s domain, causing SPF/DMARC validation to fail on Gmail’s side.
Question:
- How can I ensure SRS (Sender Rewriting Scheme) is properly enabled on Cloudron to resolve this issue?
- Is there any additional configuration required to handle forwarding for domains with strict DMARC policies?
Appreciate any guidance!
-
@vadim OK, so from the first screenshot, you can see that mailFrom header is SRS wrapped.
I think the issue is gmail is seeking SPF alignment in the message header From header (which is still set to the original from). Unfortunately, there is no easy fix here since gmail won't realistically change or if it changes, they won't tell us.
Maybe ARC will help per https://support.google.com/mail/answer/175365?hl=en but it's an experimental standard afaik.
-
OK, https://support.google.com/a/answer/81126?hl=en has even more information. "ARC checks the previous authentication status of forwarded messages. If a forwarded message passes SPF or DKIM authentication, but ARC shows it previously failed authentication, Gmail treats the message as unauthenticated."
Have to investigate https://github.com/postalsys/haraka-plugin-mailauth .
But long story short, @vadim unfortunately the situation is gmail forwarding is probably not going to work until we implement this. I have no ETA to implement this feature.
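Added example, not part of the thread and not Cloudron or Haraka code: a minimal model of the DMARC alignment check (RFC 7489) applied to the forwarding cases discussed above, showing what a receiver sees with and without SRS. The domain `forwarder.example`, the SRS address and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Hop:
    header_from: str   # domain of the visible From: header (RFC5322.From)
    mail_from: str     # envelope sender / Return-Path address as seen by the receiver
    spf_pass: bool     # SPF result for the mail_from domain from the connecting IP
    dkim: list         # (d= domain, signature verified?) pairs

def dmarc(hop: Hop) -> dict:
    # DMARC passes if SPF or DKIM passes AND that domain aligns with header From.
    spf_domain = hop.mail_from.rsplit("@", 1)[-1]
    spf_ok = hop.spf_pass and aligned(spf_domain, hop.header_from)
    dkim_ok = any(ok and aligned(d, hop.header_from) for d, ok in hop.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}

def scenarios() -> dict:
    # Constructed sample messages; example.com publishes p=reject as in the thread.
    srs = "SRS0=abcd=1A=example.com=alice@forwarder.example"  # constructed SRS address
    return {
        # Direct delivery from the sender's own server.
        "direct": dmarc(Hop("example.com", "alice@example.com", True,
                            [("example.com", True)])),
        # Forwarded, envelope sender unchanged: forwarder IP is not in example.com's SPF.
        "fwd_no_srs": dmarc(Hop("example.com", "alice@example.com", False,
                                [("example.com", False)])),
        # Forwarded with SRS: SPF passes, but for forwarder.example, not example.com.
        "fwd_srs_dkim_broken": dmarc(Hop("example.com", srs, True,
                                         [("example.com", False)])),
        # Forwarded with SRS and the original DKIM signature still verifying.
        "fwd_srs_dkim_intact": dmarc(Hop("example.com", srs, True,
                                         [("example.com", True)])),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

In this model SRS makes SPF pass at the receiver, but only for the forwarder's domain, so the DMARC result for a forwarded message depends on whether the original sender's DKIM signature still verifies.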