Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Reading a cloudron mailbox using GMail



  • So digging around further on Option 3, the problem with forwarding to GMail is that with simple email forwarding, they spot that the SPF header (if it is present for the original sender) doesn't permit delivery from your own domain (from which the email was re-delivered). This then jacks up the email's spam score. Or possibly has it rejected outright.

    There is a technique called Sender Rewriting Scheme (SRS), which rewrites the email headers to keep the SPF (and DMARK/DKIM?) headers consistent with the source: your own domain. These seems to be the recommended way to avoid being rejected. For example:

    https://superuser.com/questions/1192322/mail-forwarding-do-i-need-to-concern-myself-with-the-spf-fail-header-from-googl

    https://www.jwz.org/blog/2015/03/google-seems-to-have-broken-email-forwarding/

    Happily the Cloudron docs say this is implemented for mailing groups and sieve filters:

    https://docs.cloudron.io/email/#mailing-group
    https://docs.cloudron.io/email/#forward-all-emails

    However, the problem then: if the forwarded email stream contains spam, the source is now interpreted as your own domain and you may find GMail adds your domain to a DNS blacklist for that (and then your spam score everywhere gets jacked up).

    Therefore, to avoid this the server implementing SRS (Cloudron) needs to do decent spam-filtering before forwarding.

    I see that Cloudron can do spam filtering - but either it requires training by marking the spam as junk (not possible in this case), or manual configuration. The documentation doesn't mention DNSBLs, although perhaps that can be configured manually via SpamAssassin rules (although I'm yet to discover how).

    So here is a more specific question: can anyone give me a pointer for how would I implement spam filtering adequately on a forwarded email address to avoid becoming blacklisted by GMail?



  • You can do a few forms of whitelisting in Gmail.



  • That's useful, thank you @robi. I didn't yet find an option to do that in GMail which seemed guaranteed to work.



  • Actually, on a second look: using those methods, it seems like I'd either have to whitelist sender addresses on a case-by-case basis (which seems infeasible to do reliably for a public contact address), or whitelist everything, which would then disable Google's spam filtering.

    Whereas I think what I need to do is to whitelist our MX server from being DNS-blacklisted, whilst still allowing Google to do spam filtering on individual emails from that server, based on their sender etc. I wonder if that's possible.



  • I have been forwarding emails to Gmail without any issue, so I'm not sure what's the challenge here...simply added a filter in roundcube to forward all incoming emails (cloudron hosted email/domain previously a google suite domain/email) to a gmail, I can see in the logs that most emails get forwarded just fine and often cloudron spot spam and don't forward them, am I missing something ?



  • @rmdes

    Basically, if SRS is being done (which I think it is for Cloudron itself, not sure about Roundcube), you're over the first hurdle: GMail won't reject the forwarded mail as having invalid SPF/DMARC headers.

    But there's another problem which might occur, just not predictably: GMail could decide to add your Cloudron server to one of its blacklists (see reasons above). Or worse, a public DNSBL. Then you've then got the unpleasant job of reassuring your users it's gonna be fixed soon, whilst you try and convince GMail etc. to un-blacklist your mail server. And also find an alternative to forwarding.

    I know this can happen because something similar actually happened to me some time ago in a different circumstance. Mail forwarding from a domain's addresses to GMail was working for a while, then suddenly it was being rejected.

    If this second problem hasn't happened to you, or it could just be that you don't get a lot of spam. But how can you be sure it won't happen at some point later?

    (I assume you've read the links in post 5067 above, to conversations about this elsewhere.)


  • Staff

    @wu-lee said in Reading a cloudron mailbox using GMail:

    Basically, if SRS is being done (which I think it is for Cloudron itself, not sure about Roundcube), you're over the first hurdle: GMail won't reject the forwarded mail as having invalid SPF/DMARC headers.

    Yes, Cloudron does SRS, by default. You are also right that this is done at the mail server level (and not specific to an app like roundcube/rainloop).

    For the forwarding, are you thinking about the case where Cloudron gets lots of spam and forwarding spam to gmail will cause issues? I think that's a valid concern (I remember they have some article saying you have to filter spam before forwarding). I guess this is a feature we have to implement in Cloudron.



  • @girish said in Reading a cloudron mailbox using GMail:

    are you thinking about the case where Cloudron gets lots of spam and forwarding spam to gmail will cause issues?

    Yes, exactly that.


  • Staff

    @wu-lee Yes, we have to implement outbound spam filtering for this. We only do inbound spam filtering right now. Feel free to open a feature request in the forum section.



  • This seems relevant here

    https://twitter.com/sneakdotberlin/status/1317734739537653760?s=20

    Gmail now rewrite links even in email pulled in via IMAP



  • I use a browser extension that removes all those as well as utm link data.