Kitz Forum

Internet => Web Browsing & Email => Topic started by: Weaver on May 01, 2020, 11:27:41 PM

Title: Email redirection
Post by: Weaver on May 01, 2020, 11:27:41 PM
I have a lot of domain names. In the case of many of them I would like email to be redirected to one central email mailbox because checking multiple mailboxes would be madness and it has cost implications too.

My question: to redirect email, do I merely set the appropriate MX record so that it gets sent to the central aggregation target redirection mailbox? Can I get away with just doing that?

I’m wondering if the redirection target destination mail server will object because the email’s to: address will not be a match for the recipient aggregation mailbox’s known address.
Title: Re: Email redirection
Post by: sevenlayermuddle on May 02, 2020, 12:36:15 AM
I suspect that is a question about the destination server, rather than MX records?

I suppose it is possible to write a server that would perform a domain name check before accepting incoming mail, but that would seem to make it a rather useless server as this is a scenario that happens all the time.   So I am betting that most servers won’t care about addressing. If mail is delivered, they would process it regardless of ‘to’ address.

For my own domains, as far as I recall, all I need do is update MX for mail to be handled by different servers.

But I may have forgotten something (how would I know if I had?), or I may just be wrong and/or others may know better. :)

Title: Re: Email redirection
Post by: d2d4j on May 02, 2020, 07:00:29 AM
Hi

If you change your MX record to a mail server which is not aware of your domain it should be refused and not received

I think you may be getting confused with catchall for domain email which can be turned on or off (and you can have catchall in O365 but takes a little work to configure)

So your mx record needs to point to your correct email server which is setup to handle your domain email

As for the question over diverting all your domains’ email to just one email - you could set up each email account to forward email or create domain email aliases - a lot depends if you then want to use same alias as a sender email address - please remember most mail servers are not open relay

Many thanks

John
Title: Re: Email redirection
Post by: Ronski on May 02, 2020, 08:50:06 AM
I have various domains with IONOS (formerly 1&1), on all domains I can set up as many free email forwards as I want, just create the address and tell it the address to forward to, works perfectly, been doing that for years. Presumably other domain registrars have the same feature.
Title: Re: Email redirection
Post by: jelv on May 02, 2020, 09:52:39 AM
As John said, if you change the MX records to point to a server that is not explicitly hosting mail for that domain emails will be refused. You need to set up redirects on the mail servers to forward mail to the email address on the domain where you want all the mail to end up.

To preserve the correct email address when you send emails out you will still probably have to keep multiple accounts in your mail client and make sure you use the correct one each time.
Title: Re: Email redirection
Post by: sevenlayermuddle on May 02, 2020, 02:35:21 PM
Having refreshed my brain,  it is certainly possible to pretty much do as Weaver has suggested, I do it myself.   

Most of my domains specify the same MX, directing mail to Google Apps (Now known as G Suite).  Within Google Apps admin console I then add additional domains as aliases, for which Google then handle mail, after authenticating me as the owner.

This is much better than mailbox forwarding as it provides clean send/receive, with correct inward/outward addressing for each domain via IMAP.   It also avoids the overhead of paying for a.n.other mail provider for each domain, to perform the forwarding, and of administering multiple different mail hosts.

I was lucky, signing up to Google Apps when it was free, a deal which they continue to honour.  Since about 2012 it is no longer free, far from it, and so unlikely to be an attractive option.   But if Google can do it, so can others...  are there really no similar services elsewhere?
Title: Re: Email redirection
Post by: d2d4j on May 02, 2020, 04:38:02 PM
Hi

Sorry weaver did not state he would add the domain into an email server - just change the mx record

@7lm - you are talking email aliases which it is up to each provider if they choose to allow or not. Not that only google can do it and not available anywhere else

All our enterprise mail platforms are set as standard for email aliases and shared are the same.

However, there are exceptions where it might be reduced for that action if it is abused.

Not every provider earns the same amount of monies as google and as you state, now charge which the cost would cover email aliases or be taken into account

I would be highly surprised if AA do not allow email aliases

Many thanks

John
Title: Re: Email redirection
Post by: sevenlayermuddle on May 02, 2020, 05:17:43 PM
Ah sorry you are correct, Weaver cannot merely change the MX, he must do more than that and configure a server too.   But providing the platform does support aliases, is that not still a better solution, better addressing the cost implications of using multiple different platforms with forwarding?

In order to finally aggregate all mail into a single mailbox he would still need to set up forwarding rules for each alias, within the final delivery platform.   For example, I have my Google Apps domain aliases configured to forward incoming mail among themselves.   But that should still be simpler as each domain forwarding rule will use the same UI, in my case Google’s.   I’d rather use a single UI many times over, than a bunch of different UIs once each.

Title: Re: Email redirection
Post by: d2d4j on May 02, 2020, 05:37:00 PM
Hi

It depends upon multiple factors and what final goal you are trying to achieve. So there is no straight yes or no due to individual requirements

If weaver just wants the additional domains as domain aliases, then you just add them as aliases (some confusion could creep in here though, as some providers show aliases as forwarders which mean the same to them and not users)

There is also the issue over mail filtering for spam (this does not usually include antivirus scanning etc... or SRBL) which spam filter may or may not act as expected

Also, you have to consider if outgoing email is required using the alias - if so, you’re not creating an alias in its own right but more a full mailbox to allow outgoing. IMAP is easier than POP in this respect to achieve.

Lastly, having different providers may help if a provider goes down or is having blacklisted issues as an example

There is much more but that’s digression

Many thanks

John
Title: Re: Email redirection
Post by: sevenlayermuddle on May 02, 2020, 06:18:42 PM
I believe forwarding also breaks SPF spam detection, potentially causing legitimate mail to be marked as spam after forwarding.   Not sure if forwarding also breaks DKIM?

I personally fell out of love with forwarding a long time ago. :(
Title: Re: Email redirection
Post by: Weaver on May 02, 2020, 06:27:25 PM
Thanks. I thought it would go wrong somehow if I merely set the MX records
Title: Re: Email redirection
Post by: d2d4j on May 02, 2020, 06:29:08 PM
Hi

These tend not to be an issue if mx is pointed at same mail platform

It is also not an issue if using different mail platforms but requires additional work to cover spf, dk/dkims and dmarc as well as caa if used

This though is digressing from original post.

Many thanks

John
Title: Re: Email redirection
Post by: sevenlayermuddle on May 02, 2020, 07:22:14 PM
Assuming Weaver does not mind the digression, I am interested to know how SPF can be mitigated?

My understanding of the problem which, as always may be flawed is....

‘A’ sends an email addressed to ‘B’.   ‘A’ has configured his own DNS SPF to say that any server receiving his mail should hard fail, if the originating IP address differed from ‘A’s own outgoing server (or a list of IPs, dictated by ‘A’).

Now assume ‘B’ silently forwards the mail to ‘C’, leaving the sender as ‘A’.   The receiving server at ‘C’ will see that ‘A’ was the sender and query A’s SPF, finding that ‘B’ is not authorised to send such mail, and thus may rightly reject it as spam.

Genuinely curious?   :)
Title: Re: Email redirection
Post by: d2d4j on May 02, 2020, 09:18:24 PM
Hi

Many thanks

The A spf record is amended to cover B sending server - which if both on same email server is already covered by a or mx as both use same IP address

Now if on different providers, again A spf is amended to add sending B server - usually by adding include <spfofsenderBserver>

Many thanks

John
Title: Re: Email redirection
Post by: d2d4j on May 02, 2020, 09:48:12 PM
Hi

In your context of example, it could be interpreted differently to different events

So let’s say ao.com sends an email to B (so being A) and B forwarded to C, you could not adjust A spf

In this instance, the headers are injected at mail platforms with sender B so C check on spf is for B and not A

My last post covers other instances which may happen

Many thanks

John
Title: Re: Email redirection
Post by: sevenlayermuddle on May 02, 2020, 11:36:45 PM
Thanks John.

I’m still not entirely clear.  I’d not expect a forwarding server to modify sender in the header, as the final recipient expects to see the original sender’s address?   That is why I thought final destination would refer back to original sender’s SPF rule.

But no worries, happy to leave it at that, and that it’s my failure to understand.  Thanks for taking time to explain things. :)

Title: Re: Email redirection
Post by: d2d4j on May 03, 2020, 08:13:58 AM
Hi

Many thanks

I think it’s important to note any email being sent or forwarded must include the sender details within the headers (covered by RFC rules). This cannot be overridden by email users so a traceable header is given

However, the email remains intact in every way and the recipient who finally received the email would be able to click reply and the correct reply address is used.

The recipient may not know or be interested in which mail servers were used to send.

If you would like to see this, O365 gives a good header for email being forwarded to different email servers for filtering and then final transmission to recipient. So just look at any email received from a domain using O365 you may receive

It is also important to note that these headers can be removed or altered at sending server but at the receiving server end, you cannot alter or change them from the sender server (so you cannot hide your sender details) and these headers are also included in the header of the recipient email

So in my example used above in previous post, it is the sender mail url used and checked along with PTR which both should match and pass.

As I said, there is a lot more but hopefully this should help to answer your question

It is also worth pointing out that email is not a new concept and your question and many more have been asked/resolved many years ago

Many thanks

John
Title: Re: Email redirection
Post by: d2d4j on May 03, 2020, 09:34:36 AM
Hi

To show you what I mean please see below (note this is not a forwarded email but shows the number of mail servers used by Exchange before final delivery - so in this example 4)

Many thanks

John

Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80105.outbound.protection.outlook.com [40.107.8.105]) by nnnnn.receiving-server with SMTP;
   Mon, 13 Apr 2020 16:31:30 +0100

Received: from DB8PR03MB6041.eurprd03.prod.outlook.com (2603:10a6:10:ef::13)
 by DB8PR03MB6155.eurprd03.prod.outlook.com (2603:10a6:10:141::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2900.15; Mon, 13 Apr
 2020 15:31:10 +0000

Received: from DB8PR03MB6041.eurprd03.prod.outlook.com
 ([fe80::593b:562:8e01:c80e]) by DB8PR03MB6041.eurprd03.prod.outlook.com
 ([fe80::593b:562:8e01:c80e%7]) with mapi id 15.20.2900.028; Mon, 13 Apr 2020
 15:31:10 +0000

originator details removed/not shown to protect identities (2)
Title: Re: Email redirection
Post by: sevenlayermuddle on May 03, 2020, 12:00:58 PM
A few observations, John...

From Wikipedia, SPF article...
https://en.wikipedia.org/wiki/Sender_Policy_Framework
Quote
FAIL and forwarding
SPF breaks plain message forwarding. When a domain publishes an SPF FAIL policy, legitimate messages sent to receivers forwarding their mail to third parties may be rejected and/or bounced if all of the following occur:

The forwarder does not rewrite the Return-Path, unlike mailing lists.
The next hop does not whitelist the forwarder.
This hop checks SPF.

This is a necessary and obvious feature of SPF – checks behind the "border" MTA (MX) of the receiver cannot work directly.
Publishers of SPF FAIL policies must accept the risk of their legitimate emails being rejected or bounced. They should test (e.g., with a SOFTFAIL policy) until they are satisfied with the results. See below for a list of alternatives to plain message forwarding.

I'm probably asking for trouble here, paraphrasing the issue myself when I've already linked to what is probably a much better article.  But I'll risk it....

...When a server domain passes mail between servers within its own domain, it would either not bother checking SPF, or it would whitelist its own servers, that explains why the various outlook servers shuffled things around before delivery.  The problem arises when mail arrives at a node that does check SPF, and finds that the sending IP address is not authorised to generate mail on behalf of the sender's domain.

As an example, since I use Google Apps, and my own DNS SPF records authorise various Google's IP addresses to generate mail from my domain, with a 'soft fail' for unauthorised IPs.  This works perfectly of course, for mail sent using IMAP upload to Google for my domain.    But I also occasionally generate email directly to my own addresses, from my own home within Linux shell scripts, in which case the originating IP is my own ISP-assigned IP address.  These messages correctly fail SPF and are, by default, delivered to my spam folder.  I could add my own IP as an SPF authorised sender but I have not done so, it's an incentive to check my spam once in a while.

When I refer to 'forwarding' I am not talking about opening a mail client and forwarding a message.  That would work, because the recipient would see a message forwarded by 7lm, ie it was sent by 7lm, and would find that came from Google, and so it passes SPF.

The forwarding scenario that I don't like is...   Some registrars/hosts that I have used in the past offer a transparent forwarding service, whereby mail arriving at the domain is forwarded to some other address, the intention being that mail appears exactly as if it had been addressed to that new address in the first place.  This is, effectively, sender 'spoofing', which is what, by my understanding,  SPF is intended to stop.    If the final receiving server then performs an SPF check, it will think that mail was sent by the IP of the forwarding host.  We can't assume that the forwarding host's IP was authorised by the sender and so, if the sender has configured his DNS for SPF, SPF will fail.
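
The A to B to C case discussed in this thread, as an added example that is not part of any poster's message: a simplified SPF evaluator (only `ip4`, `include` and `all`, no real DNS) run over constructed records. The domains `a.example` and `b.example`, the IP addresses and the rewritten address format are all assumptions made for illustration.

```python
import ipaddress

# Constructed SPF TXT records for hypothetical domains (documentation IP ranges).
SPF_RECORDS = {
    "a.example": "v=spf1 ip4:192.0.2.0/24 -all",     # original sender A, hard fail
    "b.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # forwarding host B
}
A_MTA, B_MTA = "192.0.2.10", "198.51.100.25"  # constructed outbound IPs of A and B
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS, depth=0):
    """SPF result for the envelope sender (MAIL FROM / Return-Path) domain.

    The connecting IP is tested against the policy of the envelope sender's
    domain, not against the From: header the recipient sees.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the included policy evaluates to pass
            matched = check_spf(client_ip, "x@" + term[8:], records, depth + 1) == "pass"
        else:
            continue  # mechanisms outside this sketch are ignored
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def scenarios():
    """What the final server C would compute in each case from the thread."""
    amended = dict(SPF_RECORDS, **{"a.example": "v=spf1 ip4:192.0.2.0/24 include:b.example -all"})
    return {
        "A sends directly": check_spf(A_MTA, "alice@a.example"),
        "B forwards, Return-Path unchanged": check_spf(B_MTA, "alice@a.example"),
        "B forwards, Return-Path rewritten": check_spf(B_MTA, "fwd+alice=a.example@b.example"),
        "B forwards, A's record includes B": check_spf(B_MTA, "alice@a.example", amended),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```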
Title: Re: Email redirection
Post by: d2d4j on May 03, 2020, 01:16:14 PM
Hi

Sorry that’s a long post...

The example I posted was edited for easy viewing of the servers. All other information was not shown - apologies I thought that was evident to all. FYI exchange checks spf as do all our mail platforms

I think you’re overthinking spf, which upon first introduction was easily spoofed and has never really been widely adopted by all domains. Look how many do not have any spf records.

I could send an email pretending to be from a n other and genuinely have spf pass, even if your spf is set to hardfail and would be delivered. This without any special software or changes to any mail servers... it takes a few mouse clicks

So that’s the reason why other more reliable checks are undertaken  and spf check only forms a small proportion of checks

Reputation checks are now being relied upon more at mail server level and you need to send a certain amount of email daily in order to be scored. If you’re not scored you are classed poor or very poor and mail is rejected in full

Whitelisting is legal and forms part of smarthost, as is server to server on your own backbone

I’ll leave it at that

Many thanks

John
Title: Re: Email redirection
Post by: sevenlayermuddle on May 03, 2020, 02:32:56 PM
Many thanks

John

Thanks indeed. :)