Cloudron rejects iCloud forwarding only when “Delete after forwarding” is enabled (SMTP 550 on MAIL FROM)

estudios507

Hello Cloudron Support,

I’m running Cloudron Mail on my server (mail.estudios507.com / IP 199.241.136.89). I’m trying to set up automatic forwarding from iCloud Mail to a mailbox hosted on Cloudron.

Setup:
• iCloud account: jackhasday@mac.com
• In iCloud.com (Mail Settings): forwarding to inbox@jackhasday.com (mailbox hosted on my Cloudron)
• Option enabled: “Delete messages after forwarding”

Issue:
When “Delete messages after forwarding” is enabled, Cloudron rejects the forwarded message with an SMTP 550 error during the MAIL FROM command, following this pattern:

550 Mail from domain '<domain>' is not allowed from your host (in reply to MAIL FROM command)

In the bounce messages I can see:
• Reporting-MTA: outbound.ms.icloud.com (iCloud is the system delivering the forwarded message)
• Return-Path / envelope-from: e.g. jack@estudios507.com or jack.jr@jardineshasday.com
• Final recipient: inbox@jackhasday.com

Key behavior:
1. If I disable “Delete messages after forwarding” in iCloud, forwarding works and there is no bounce. However, I don’t want to use it this way because the messages that have already been forwarded remain stored in the iCloud mailbox, and there is no way to delete them automatically.
2. If the original email arriving at jackhasday@mac.com comes from external domains (for example Hotmail, gmail, etc), forwarding works fine even with delete enabled.
3. The bounce happens specifically when the original email arriving at jackhasday@mac.com comes from a domain that is also hosted on my Cloudron (for example estudios507.com, jardineshasday.com, and other customer domains hosted on this server). I understand the issue is limited to domains hosted on my own Cloudron, but I cannot make an exception or workaround based on that because most of those locally-hosted domains belong to customers who email me regularly. If those customers email jackhasday@mac.com for support or services, the forwarded message bounces and I never receive it in inbox@jackhasday.com.
4. The bounce only happens when iCloud is forwarding in “forward + delete” mode (the bounce shows X-Apple-Action: FORWARD_DISCARD/...).

What I need:
• Identify which Cloudron restriction/policy is triggering “Mail from domain ‘X’ is not allowed from your host” in this scenario.
• Confirm whether there is a supported and safe way in Cloudron to allow this specific flow (forwarding from iCloud with delete enabled) without broadly weakening anti-spoofing protections.

I can provide full bounce headers and/or server logs if needed.

Best regards,
Jack Hasday

estudios507

Below is a bounce generated when the original email was sent from jack@estudios507.com to jackhasday@mac.com, and then iCloud attempted to forward it (with “Delete after forwarding” enabled) to inbox@jackhasday.com. The forward was rejected by my Cloudron server:

This is a system-generated message to inform you that your email could not
be delivered to one or more recipients. Details of the email and the error are as follows:

<inbox@jackhasday.com>: host mail.estudios507.com[199.241.136.89] said: 550
   Mail from domain 'estudios507.com' is not allowed from your host (in reply
   to MAIL FROM command)
Reporting-MTA: dns; outbound.ms.icloud.com
X-Postfix-Queue-ID: 475EA180017D
X-Postfix-Sender: rfc822; jack@estudios507.com
Arrival-Date: Wed, 21 Jan 2026 19:07:34 +0000 (UTC)

Final-Recipient: rfc822; *****@**************
Original-Recipient: rfc822;jackhasday@mac.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mail.estudios507.com
Diagnostic-Code: smtp; 550 Mail from domain 'estudios507.com' is not allowed
   from your host
Return-Path: <jack@estudios507.com>
Received: from outbound.ms.icloud.com (unknown [127.0.0.2])
	by p00-icloudmta-asmtp-us-west-3a-60-percent-4 (Postfix) with ESMTPS id 475EA180017D
	for <inbox@jackhasday.com>; Wed, 21 Jan 2026 19:07:34 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=icloud.com; s=arc-0513; b=S2yd6TLvBnhNOxNVHkkFXncFtr9aYrUkKvhEWh/ImSz5efDxug/Fzl/F71A6rPLpp+66oHQwMr3u2XKTDzJeduL7YAAFpe8uH6Qu3ret+RwD0ZbOro0DOkgS4oWh5OqHi17xuGnJ54kEppQvWrea2H5qgAMf/AH+vuu7VhC5k+YaHB6QdGFiBmG8M0OHqUR+9Ksufb9rK38Ll6x+Kjbxa7+ko34GOEZ4snUedwa/U6LyRClYDxUDIZI/5ySnBFaammMSXSkZQaXyl1+3Kek+IOr1oqVK0RvGvdjlloKC8tSOtST16/wxOm5fWqooRoX4vK18hv6i0ImYtQ4I21p32g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=arc-0513; h=from:to:subject:message-id:date:mime-version:content-type:dkim-signature; bh=uBdSC2KDIl7+AkVnH20TzbYC/UkYANx/BH9ehYm/0vE=; b=inlB4F04p2wQyhVJ8d1BGTIOrYc+mio1WQBnt/2RV3CZHZDvuGw/rrXk8n61ND8At/9RsuI7aJO0QByQ8LUnmv/Jy0VEsSnNzw1IRWfNhwhPxJ0tN/6xJM9HWyNIA+I93jz9FL8SxHHeZ12VPmEDDR2/h8qwEaCRuVNJRp8Z19cK3YgsUN7f0jOG3HgPrE39wJmdNJ83XfGc+qAJMwqwwvtVMWqTHD84ZN5wia/ZJ+CDjbMzRwKd86NS4esa6LaZ7RmzvpjUYMBY85aLw/NVfCo8w1l7b7djloSEXXsmYicl5PgZey4J/9yRnXKMLEjD2Eoc4HEhQbhXVt5n6EBfkQ==
ARC-Authentication-Results: i=1; arc.icloud.com; arc=none; dmarc=pass header.from=estudios507.com; dkim=pass header.d=estudios507.com header.i=@estudios507.com header.b=Sv/1I+80; spf=pass (spf.icloud.com: domain of jack@estudios507.com designates 199.241.136.89 as permitted sender) smtp.mailfrom=jack@estudios507.com
Received: from unknown (unknown [10.52.196.11])
	by p00-icloudmta-asmtp-us-west-3a-60-percent-4 (Postfix) with SMTP id CD5CB18001A8
	for <inbox@jackhasday.com>; Wed, 21 Jan 2026 19:07:33 +0000 (UTC)
Received: from p00-icloudmta-smtpin-us-east-2d-100-percent-1 by p102-mailgateway-smtp-677754878b-94pct (mailgateway 2544B77)
	with SMTP id 46b248cb-85a3-4e75-8860-af40d23a0f87
	for <jackhasday@mac.com>; Wed, 21 Jan 2026 19:07:33 GMT
X-ICLOUD-MAIL-BWL: 1
X-Apple-Action: FORWARD_DISCARD/inbox@jackhasday.com
Original-Recipient: rfc822;jackhasday@mac.com
x-apple-request-uuid: 46b248cb-85a3-4e75-8860-af40d23a0f87
Received: from mail.estudios507.com (mail.estudios507.com [199.241.136.89])
	by p00-icloudmta-smtpin-us-east-2d-100-percent-1 (Postfix) with ESMTPS id 34F59C00E91
	for <jackhasday@mac.com>; Wed, 21 Jan 2026 19:07:28 +0000 (UTC)
X-ICL-Info: GAtbRVYDBVFFSlVHSgQEUFUKE0oWX1gHVQoPB0UBD1tbS1JGVgEFVFtBX1cdVAsIFBoNNx1DQhcREAkETQABTBYWC1ceVAsHBg0TExFfRVdFTkgUF10WEBZEDBYbW14DBh0HDjhdVwFbGgkaWFhTDhpECxYRXBgHBg0TExFfRVdFTkgUF10WEgELWxoZWVpMEAoSAhxZWRFASVFZG19bQhEdWxILREMGHBYVQkgHGAEaFEYaEVQLXkJNU05MAXUgWEAkNTkdAlJEOEtPTHJyT0RMX0Y8BHdaN0xUQThVRRYAHQ8YCwUGVVsaCRpG
X-ICL-Score: 2.33303302422
Authentication-Results: bimi.icloud.com; bimi=none
X-ARC-Info: policy=fail; arc=none; r1=-20; r2=0
Authentication-Results: arc.icloud.com; arc=none
Authentication-Results: dmarc.icloud.com; dmarc=pass header.from=estudios507.com
X-DMARC-Policy: v=DMARC1; p=reject; pct=100
X-DMARC-Info: pass=pass; dmarc-policy=reject; s=r1; d=r1; pdomain=estudios507.com
Authentication-Results: dkim-verifier.icloud.com; dkim=pass header.d=estudios507.com header.i=@estudios507.com header.b=Sv/1I+80
Received-SPF: pass (spf.icloud.com: domain of jack@estudios507.com designates 199.241.136.89 as permitted sender) receiver=spf.icloud.com; client-ip=199.241.136.89; helo=mail.estudios507.com; envelope-from=jack@estudios507.com
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of jack@estudios507.com designates 199.241.136.89 as permitted sender) smtp.mailfrom=jack@estudios507.com
Received: (Haraka outbound); Wed, 21 Jan 2026 19:07:26 +0000
Authentication-Results: mail.estudios507.com;
	auth=pass (plain)
From: E507 | Jack Hasday <jack@estudios507.com>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_8AB95481-D215-4A19-A0CB-0090E0E79688"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.12\))
Subject: Test
Message-Id: <745941CB-9BBA-401A-84BD-1591D4A8B526@estudios507.com>
Date: Wed, 21 Jan 2026 14:07:14 -0500
To: Jack Hasday <jackhasday@mac.com>
X-Mailer: Apple Mail (2.3864.400.12)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=estudios507.com; s=cloudron-026c7d;
	h=from:subject:date:message-id:to:mime-version;
	bh=y43DVsgG2sU95VoXJ0FNgPZl58lguq516l82fE0M9Ac=;
	b=Sv/1I+80bXdOtk7RYow8yU3V3UAfdSrSymfGzYLCdA9SO59/TTCEjGjLD1K7CuzMBLq39LGI1H
	D9Izniv7jegFHJP+B/FUSgjVj6kfdgu+7kbkLSvHIlNS5ottOgS2nxRCFRrKlnpwj4tioQcZupLH
	+pELZV5MT2SlDlW1ToSwE=
X-Proofpoint-ORIG-GUID: lifheCblypm6Yf9Jas2NgnRYtz2szM_1
X-Proofpoint-GUID: lifheCblypm6Yf9Jas2NgnRYtz2szM_1
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMTIxMDE2MCBTYWx0ZWRfX4C54gR/nkgrb
Jq9rzGCHrksr37sqEjTssH2rFfOa2+dKf9n9s8E4IcjjrmXCu3ybYQpKjnYVLUFgj9pvjBl0U1i
KkTMyBkWAc4yOIoJvj0gc2X5nJdWY1YUPeR2rNWi2DB537QpcnkVkUZd50BltYhcGcC7jSdWHHH
75J7WCuM7BppM7fsK6h/lfizkvSsrdcitmj5sH0irsE3PKjMwbSWDJnoEjzurYjqTnR/DWStDYR
sCkS/XuyjX899H0jr5C8up0+ba73z+TrEOvTqlZvU4cbesi2xSNYIprbV0LuA6+s6G8DTMyez1S
nopO4LSNy4M8Ovwldtl
X-JNJ: AAAAAAAB46C6VsSdXXW4eCfQRdUII0H6JNXy4UJs7g7QbS+HNUQUSVcfrVOypj8Eysvp+8/GuZGR15aNjjKTJv8oZHFe7nCmj3QEPki0/JIyU1xGOzVLU2uTgCIv6tYWBKBpIYm0IbTvWtw/7LtN+zhwVC6C+mg2k4AT0Ecn5baHzX1ySKcCsSS+9OSG4wVEqD4H41Qw9Et3l3eDosJ+1ew46BHBlHDDL0eRjVxATGvCK6ka3lwmrW7YNjV9Pqdcqttd/rTryX9fxUdHdNQSShmcVCImXJt4Igc8WZXglR70t3aELF2lAaNIwjZBc94v5NfG3GKDIle5MyXcXq055/mEOKIIX2XmzxnVwMGKzbPuvPxWPU/pw5MhlQFgRLXjlJLYE+JPDXPQRCa8zKh4pl49tyE75vi3iC/0iH7H6VfDESB8IeJ52SXpJ74N00OsykeqXAVE1wsQetWB6gMZELlstZ+imNH9Ch+DcmSagvYPdg+y0pjzAO6aP2T2SikZGwFCXH8pqw9mg9gqcwfuJ0vAHp2NQ0hGKkM0Dn2VeM+WSCVdVqvhq7ovDC0XzHecaAW0fj5vDkqv/k7E1PzmAwmvs6BLvsbJ6jDQ70dUuG5WkxAK6n19cLHnV4ikD7NARxrH3MuspJ/WJGepjyIIyQ0Jr2xuiWLItSfwtmUbE3coXZ0OnglxWFg9nBz7D4WHPtaSRSEAdmwYrcRp5XnnerWKSinEkSwZ2PqUz5S3pgxdLi2aq5k4KS2L07QrAVLD+o7fl7ZNSNU4SSra8Jv+P45ZnI193uC6xiHB9G9vImnbexmo5A==
X-Authority-Info-Out: v=2.4 cv=Y5f1cxeN c=1 sm=1 tr=0 ts=697123f6
cx=c_apl:c_apl_out:c_pps a=Ng/DTdlv9dYXrlarcUhKoA==:117
a=ry2iD/qIpUaetSALygwXCg==:17 a=vUbySO9Y5rIA:10 a=ulvbZRrZjisA:10
a=VkNPw1HP01LnGYTKEx00:22 a=8lJhZ5ieAAAA:8 a=wUyKfIghAAAA:20
a=OlGai0vOSlytd9CZm7AA:9 a=lqcHg5cX4UMA:10 a=PRpDppDLrCsA:10
a=QEXdDO2ut3YA:10 a=FDb1XksWRdYA:10 a=gP4qA3YHpW5r2j2eUlAA:9
a=OKjO5_YqkLUv6xfn:21 a=_W_S_7VecoQA:10 a=CjuIK1q_8ugA:10 a=HXjIzolwW10A:10
a=T6a71-JsGAwA:10 a=Vkyao1OQ-qhFCJ-NQpkk:22
X-Proofpoint-Virus-Version:
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
clxscore=1030 bulkscore=0 mlxlogscore=512 phishscore=0 malwarescore=0
suspectscore=0 mlxscore=0 adultscore=0 classifier=spam authscore=0 adjust=0
reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2601210160
X-JNJ: AAAAAAABSwim74m9WLZkvZeCq1lELRP9xRO5YX0KeJAM+WKDH9hiockTvDts9j7uA3djn9WjVFt3D3QmBN30tzvq6Tc8epA1w9nZFPTKZSA5nUuRqwKJkAo3dXxTdoaY05OEET0iZbHS99bHFsWcwKW+H8UQdK5GE0avp9ldoROQWYJ5T2gsHIy+rDf7J3v5IvypwrgHHC4VGr/vqt9XCqHw6n9lz0Q+3e77kBi2Y+i48Tqoz1OmiknJDPSmOBbUUnIcwpcNU4ALlYU72ZZLX4vAEKqzk+yg0TPi0GLXE9Ujg+sV/qhwtG2zLDUttCZ4BU0WE0M9lFTh8RQ4i8bdonG6ZnEkR0C6CapkTBB/oIVHo0tW/sboTrJmPTddaIS3qNKycF7yrEjYNnKTw+ABWkQRRc6JVYGbA/ercYiY9OGAar8JUiLdyceDHNmA01lqHprg2ntgkZnAGCz56bZ0NKMBYhfn9MuKtwg6a7BI+tQQcvyuPM8e53WqZrX7Csy2sRz6WfjBgcoNt90Nh6hv4DqYUwAfe+tl1e6JOo2pF5y3A46YbIQDsh720qvEtwuVN+7s0vfzLcssc3SeReP1c/xORasPTXeOotw=

estudios507

Below is a second bounce generated when the original email was sent from jack.jr@jardineshasday.com to jackhasday@mac.com, and then iCloud attempted to forward it (with “Delete after forwarding” enabled) to inbox@jackhasday.com. The forward was also rejected by my Cloudron server:

This is a system-generated message to inform you that your email could not
be delivered to one or more recipients. Details of the email and the error are as follows:

<inbox@jackhasday.com>: host mail.estudios507.com[199.241.136.89] said: 550
   Mail from domain 'jardineshasday.com' is not allowed from your host (in
   reply to MAIL FROM command)
Reporting-MTA: dns; outbound.ms.icloud.com
X-Postfix-Queue-ID: 325F21800435
X-Postfix-Sender: rfc822; jack.jr@jardineshasday.com
Arrival-Date: Wed, 21 Jan 2026 19:15:47 +0000 (UTC)

Final-Recipient: rfc822; *****@**************
Original-Recipient: rfc822;jackhasday@mac.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mail.estudios507.com
Diagnostic-Code: smtp; 550 Mail from domain 'jardineshasday.com' is not allowed
   from your host
Return-Path: <jack.jr@jardineshasday.com>
Received: from outbound.ms.icloud.com (unknown [127.0.0.2])
	by p00-icloudmta-asmtp-us-west-3a-20-percent-1 (Postfix) with ESMTPS id 325F21800435
	for <inbox@jackhasday.com>; Wed, 21 Jan 2026 19:15:47 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=icloud.com; s=arc-0513; b=NwePU52YPB5g8CvhYlOZRV4RuLpPepXFXChfOBAHfjuskdDlU7U+gtyKSgqfFoQxW0ie00VK0/LMtdogYq7qu2Xikrz5yRwPbTSRLdT41WnsO0RVwNMfYvqJRCdvy66EeRPiWHwLg0Eu9trOA0SHcmFrJQ18Fbbozx/4iNznCHfypwVydXjj7LnsbZpB0y8iZ6xF5eWrs2JMnkiEijmRJksQ/4oBhYFMgM48tIzxWBmlmP/MECl/cUuiq+jQGETcZuAZE9LPx6iqHzxY8u199Uz8uIX9Z4LeC62IsXFpl+A0lAzcbvFNg/7WCjynmO3dR86Lu0c2o3VdyxM24b5G5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=arc-0513; h=from:to:subject:message-id:date:mime-version:content-type:dkim-signature; bh=B8Rq7JfCpjn8orX4LKFaNcIdBzBmhpd4dlBrVjqXnPM=; b=h9YkNs4Phgpq/dvngLz8yMSPy5QLbqlcfr4pe7FTr11NBlWMbAH58s5/8uWsziQ3suyxOk6SjDI0/IcflrJVjJUQwSl1cABJ7ZIeDlUQIZGHH2nzhQF3Wns/D99TbuNhBDovINzTqgrgEbzv3GEwWFWu/CqIQl1r8PjqH3Y1lcebL7Pgnbw48XlvliW8nWUf2qHmIzEEncNAQVeVJ/Z2FLP3z3rxczRLaisE9lgVJwE7MhWUYpMA5fIsu2L9XJx0Y1hqOwp2lBW3lerjLjXiKPXmTnh/Hak2/9dSR8jDfm8RZKBO1hsmwn7iWSib/awzvbXWbbPeZgCOQBMyOqMIBg==
ARC-Authentication-Results: i=1; arc.icloud.com; arc=none; dmarc=pass header.from=jardineshasday.com; dkim=pass header.d=jardineshasday.com header.i=@jardineshasday.com header.b=q+vfqcQe; spf=pass (spf.icloud.com: domain of jack.jr@jardineshasday.com designates 199.241.136.89 as permitted sender) smtp.mailfrom=jack.jr@jardineshasday.com
Received: from unknown (unknown [10.52.196.11])
	by p00-icloudmta-asmtp-us-west-3a-20-percent-1 (Postfix) with SMTP id AB65F1800411
	for <inbox@jackhasday.com>; Wed, 21 Jan 2026 19:15:46 +0000 (UTC)
Received: from p00-icloudmta-smtpin-us-west-1a-60-percent-39 by p102-mailgateway-smtp-677754878b-9bv27 (mailgateway 2544B77)
	with SMTP id 0a4cb2a5-6cf4-4a9c-9d3f-93212efa68da
	for <jackhasday@mac.com>; Wed, 21 Jan 2026 19:15:46 GMT
X-Apple-Action: FORWARD_DISCARD/inbox@jackhasday.com
Original-Recipient: rfc822;jackhasday@mac.com
x-apple-request-uuid: 0a4cb2a5-6cf4-4a9c-9d3f-93212efa68da
Received: from mail.estudios507.com (mail.estudios507.com [199.241.136.89])
	by p00-icloudmta-smtpin-us-west-1a-60-percent-39 (Postfix) with ESMTPS id 19E7CC001CD
	for <jackhasday@mac.com>; Wed, 21 Jan 2026 19:15:38 +0000 (UTC)
X-ICL-Info: GAtbRVYDBVFFSlVFSgQEUFUKE0oWX1gHVQoPB0UBD1tbS1JGVgEFVFtBX1cdVAsIFBoNWRJCdggUCwIeFlVFChQKAhYBHlUNGFkAE0VaVxAREAgSC1hXEREYH1kbX1tCBxpbHRlTXQoUCgIWAXBbAxZXBRgVEF4HGRZbGhlZWkwQChICHFlZEUBJUVkbX1tCBQ0UShVRXw5bHBUDDVRfDQZMVkBWU1kPVR0CShJRRAYcFwMEEFFFBhQASBQXXRYPHB1bSzwDdVNDTyVEVXMBIEBUUjNABBtaRkhXWkoFAlRFPyRFTgJyJjUTBwUcWVgHBhEHBBxRT0wWFgtJ
X-ICL-Score: 2.33303322422
Authentication-Results: bimi.icloud.com; bimi=none
X-ARC-Info: policy=fail; arc=none; r1=-20; r2=0
Authentication-Results: arc.icloud.com; arc=none
Authentication-Results: dmarc.icloud.com; dmarc=pass header.from=jardineshasday.com
X-DMARC-Policy: v=DMARC1; p=reject; pct=100
X-DMARC-Info: pass=pass; dmarc-policy=reject; s=r1; d=r1; pdomain=jardineshasday.com
Authentication-Results: dkim-verifier.icloud.com; dkim=pass header.d=jardineshasday.com header.i=@jardineshasday.com header.b=q+vfqcQe
Received-SPF: pass (spf.icloud.com: domain of jack.jr@jardineshasday.com designates 199.241.136.89 as permitted sender) receiver=spf.icloud.com; client-ip=199.241.136.89; helo=mail.estudios507.com; envelope-from=jack.jr@jardineshasday.com
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of jack.jr@jardineshasday.com designates 199.241.136.89 as permitted sender) smtp.mailfrom=jack.jr@jardineshasday.com
Received: (Haraka outbound); Wed, 21 Jan 2026 19:15:36 +0000
Authentication-Results: mail.estudios507.com;
	auth=pass (plain)
From: Jardines Hasday <jack.jr@jardineshasday.com>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_B1D6017D-890E-40E0-A1CF-155CD24607C1"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.12\))
Subject: Test desde Jardines Hasday
Message-Id: <D3C166C3-C7B5-4D84-8311-25460FB262DD@jardineshasday.com>
Date: Wed, 21 Jan 2026 14:15:24 -0500
To: Jack Hasday <jackhasday@mac.com>
X-Mailer: Apple Mail (2.3864.400.12)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=jardineshasday.com; s=cloudron-6667f4;
	h=from:subject:date:message-id:to:mime-version;
	bh=VqtpnOtGGQZjIGx33IRyZ889SaJP52QBrZ8qHxdfrqM=;
	b=q+vfqcQeonnBbDbB3JYYiX6ZHEDt36UK0bM+Nrh6ohSRynlyr6F7AHRdrD4XF173Sm1ys7/wGi
	oMIiO6vJaQUwC+H1wP/oMqohbM7Nkrs3je3G5E1IoGkVQV2QqwjYCMsh3rmR7Z7zgmz+RB2y/dhX
	vCwPVxMDamJtSXJiDI11k=
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMTIxMDE2MSBTYWx0ZWRfXwrFyr1P6L/bI
d/3yYo636bb7U/hxwbs9LQDvNpWvOcaoFmBAxvUW9eil0Riuy4bcDuQhLzZA+Lj6YSMIQ+YgekG
9VtZyHH3WP/BOtzTRpr8pTgsQ8OCP6t0Vj49ENLl6TZomxskE7EpjB5nVpxUOcRLNFdLgObSrFL
p6fqEILdB+39T/tkkfnDN3ECUg889ACDqsfOB3yOz020C2cL4AfLz9WRtDX+QrjQCyaYoaoe+vA
LX2Tq54mzkQgh+25F/NVhqKHivx8hsP+Ysz0o9wTMVaiVczmRXniPkeJZxqdBqpy+C6lVuzBtfr
lavbCA3mCidpfbbiN0y
X-Proofpoint-GUID: Mkyn_SIOD2w_wW6PNYAEEYT9qKP1vIEc
X-Proofpoint-ORIG-GUID: Mkyn_SIOD2w_wW6PNYAEEYT9qKP1vIEc
X-JNJ: AAAAAAABuMUeso2wQFGdal/p9JNXNmNaeU7mqrChZCil9q56eS9I1Jw41zVaBEk6hU/Bu0nyS/1GndYOGx40kCOXnH2SBjBE5S3QxNnJ3FXC+yS8rmhRNzoZlzXGgVmZu+ZfCGEQNG+AFW/DyNElW0zLRnenHLUp34iEe1TWnWQyVn9pGnlAOwEueMmDCyPe/f+XBzB97UQSSWsfrSXZ3s3j5hq6CZMMdbtANctzCatLEAARvaPwH6uQl5s4efZxk3ntVRAmPwlE/7axoKHflGxgy/Lcpw9ci97yQ/V42TObnWL1B0yvq1B47bvHVEomt/DNF/80BekJ+P8hFlZEgewP2g0xqO8uawSHmK2fCwAy10VQPndXJE2UxL00i8VpQtTeaFE2nzL9DfL6h7cfg8eq/f1lmrjfjg0zR5z3nyWGxuoOE7PnmcmO/n54osn4SpsIGHrMwyYpw+lsU0RhrntwXBnWVCdJDvuQh3+hMuKhhx8nXm2o88tpeixuepG3IkXmmjY9/JraYj8tyjAvcfD4aUtbGymP7Jdmsf//rePjLEXvTiTZHlvF71uJF8CeeVMwlTgJ84FgwynUiuNdMdeQuy0xKBvdEGMcKgLS1g/Mmx344LXqOQVKG6U4/nGheCXVxSrFRmx4pycqEcKZwLvCcvKOiuS7oocJ0aVlYCBGJFFvOtzcRqf4Vi7lMACznmLgnibRQyg0RQ6uXIkyeuWZQrsKN9Qrmzr1WcWJoOrLePpZ/ujjHnhfcUeXQNbl5+vcaWStfDqjf8jIaru4
X-Authority-Info-Out: v=2.4 cv=SoudKfO0 c=1 sm=1 tr=0 ts=697125e3
cx=c_apl:c_apl_out:c_pps a=Ng/DTdlv9dYXrlarcUhKoA==:117
a=ry2iD/qIpUaetSALygwXCg==:17 a=vUbySO9Y5rIA:10 a=9QMxhTt3bwwA:10
a=VkNPw1HP01LnGYTKEx00:22 a=qTKaMy-KAAAA:8 a=zZ0dxMlp3nlOnM4htLIA:9
a=QEXdDO2ut3YA:10 a=e5bFYvIR1mMA:10 a=HsQN7Jx1AAAA:8 a=-toS3ZsGfbf9Qjwom14A:9
a=kb5bqZQ7yfcur1iC:21 a=_W_S_7VecoQA:10 a=lqcHg5cX4UMA:10 a=CjuIK1q_8ugA:10
a=KQqxNPgzF0kA:10 a=VEiTNn8F7TgA:10 a=ma5am7SHPxQHyC16eOKb:22
a=1EEwl0tWB0_S9o04m0hT:22
X-Proofpoint-Virus-Version:
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0
malwarescore=0 phishscore=0 spamscore=0 suspectscore=0 adultscore=0
mlxscore=0 clxscore=1030 mlxlogscore=414 classifier=spam authscore=0 adjust=0
reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2601210161
X-JNJ: AAAAAAABO2TyGsw4UNfY5fbEch7UuhORuvBwTTajbLHAY2G4ZEe+o4v4pJApyHI/xvl05L4K0HRzkr03QBB8/Y71JO8MGKg1HDISslfl/pjWdqaUnCQBs3Y8UBbIq8Hp7mYqqKkjgnRMA/JpviiVCyFl7VoaX1ZTUK/l+xDapJWSd6ybL1aD3sz33y7WnBDB6fbGxtXgBelfaH5XYUruPsyPDMntcaTFBRaydoc4iFszFSEIrGWkDjNEQA8mDhn/jfQtDqvdidzbrsdaWM6/JImaI+BOiCz6V1XPBIYhvrp4xeshIzvHp61DZEopiMiyYYpdcpvckhggN+KhZXftWIFw1UzWeSAd5Hbju94iwI60+/1WNtD5koGZMaxePIw87m1C8EdYBe/Lzop3ODdEhtlhvtVo6Ste7OvSmyqsaWYwMoe4h0ZDTHs9qhTmKvXsfXW063rEWH8UJc/o6QHbM7Fn4cy7ghtR5QcYLEkKM2gO6gi6ZsIbLQ+QP1ryLmLmGGvjWKG26B06piWc5ekwgAGNp0WsIPaJfszhwGCEU5ViC9d6Dcbj9/eJEvO14ky5vQ9mvWgjND6rWDDE/2JefL2+GzdsuM38GAkocPIlkRM=

james

Hello @estudios507

Thank you for the detailed report. I will try to assist you to my best capabilities.

@estudios507 said in Cloudron rejects iCloud forwarding only when “Delete after forwarding” is enabled (SMTP 550 on MAIL FROM):

Identify which Cloudron restriction/policy is triggering “Mail from domain ‘X’ is not allowed from your host” in this scenario.

Regarding why this is happening.
When iCloud forwards messages in delete mode, iCloud uses the original sender’s MAIL FROM (envelope-from) unchanged instead of rewriting it. If that original sender domain is hosted on the same Cloudron server, Cloudron sees an external connection (from iCloud’s outbound IP) claiming to send mail from its own domain.
Cloudron treats that as spoofing and rejects it.

---

@estudios507 said in Cloudron rejects iCloud forwarding only when “Delete after forwarding” is enabled (SMTP 550 on MAIL FROM):

Confirm whether there is a supported and safe way in Cloudron to allow this specific flow (forwarding from iCloud with delete enabled) without broadly weakening anti-spoofing protections.

There is also another topic regarding this issue with iCloud, see: https://forum.cloudron.io/topic/1998/mail-error-after-sending-message-mail-from-domain-example-com-is-not-allowed-from-your-host

A fix is to add the iCloud servers to the domain A's SPF record.
Your current SPF record is:

dig TXT estudios507.com +short
"v=spf1 a:mail.estudios507.com include:_spf.safewebservices.com ~all"

You can edit that to include apple:

"v=spf1 a:mail.estudios507.com include:_spf.safewebservices.com include:_spf.apple.com ~all"

after that edit it can take some time to propagate, but this should resolve your issue.