Dan,
FWIW, I've told my hosting customers that Forwarding as a reliable function is
effectively dead and should be avoided, for all of the reasons you are dealing
with.
If an email really does need to be "forwarded", I've advised my customers to
copy the email to the clipboard and paste it into a new email to the intended
recipient (what would have been the forwardee).
Hope that helps,
Mark
--
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Winner of the Zimbra Americas VAR Partner of the Year -Two Years Running!
On Sunday, June 7th, 2026 at 2:11 PM, Dan Mahoney via mailop
<[email protected]> wrote:
>> On May 23, 2026, at 1:52 PM, John Levine via mailop <[email protected]>
>> wrote:
>>
>> It appears that Dan Mahoney via mailop <[email protected]> said:
>>
>>> Hey guys, this looks like a fun one.
>>>
>>> I have a user, Jack Zito. He owns[jackzito.com](http://jackzito.com/), for
>>> whom i host a vanity domain. Jack wants to forward his mail to hotmail,
>>> and hotmail has removed the ability to check external accounts (google's
>>> also removing this option).
>>>
>>> There's a fashion brand, Vitaly, that's sending jack email. It comes with a
>>> VERPified sender. I forward it on, not modifying
>>> either the body or the MAIL FROM so I don't break DKIM signatures.
>>> According to microsoft, it passes DKIM and DMARC (not
>>> SPF). They still bounce it.
>>
>> Yeah, they have a new rule that both SPF and DKIM have to pass. It might
>> work if you change the
>> envelope address to one you control so the SPF is OK, or it might not.
>
> (Sorry for the somewhat delayed response, had my head deep in other DMARC'y
> things).
>
> This seems like just the problem that SRS is supposed to solve.
>
> <<< 550 5.7.515 Access denied, sending domain
> [GEEKSOUTFIT.COM](http://geeksoutfit.com/) doesn't meet the required
> authentication level. The sender's domain in the 5322.From address doesn't
> meet the authentication requirements defined for the sender. To learn how to
> fix this see: https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Fail ,
> Dkim= Pass , DMARC= Pass
> [[SA1PR19MB5214.namprd19.prod.outlook.com](http://sa1pr19mb5214.namprd19.prod.outlook.com/)
> 2026-06-07T15:00:43.133Z 08DEC466AEF18D4B]
> [[CH0P221CA0031.NAMP221.PROD.OUTLOOK.COM](http://ch0p221ca0031.namp221.prod.outlook.com/)2026-06-07T15:00:43.173Z
> 08DEC456A262BDEA]
> [[CH2PEPF00000142.namprd02.prod.outlook.com](http://ch2pepf00000142.namprd02.prod.outlook.com/)
> 2026-06-07T15:00:43.176Z 08DEC3EB5E87E482]
> 554 5.0.0 Service unavailable
>
> So I guess I'm going to be rewriting both the envelope *and* the From:
> header. I'd be concerned about breaking VERP here, but...see earlier in this
> thread, VERP replies just double-bounce. I hope Jack doesn't want to
> actually, yanno...REPLY to any mail when there's no reply-to: header.
>
> My normal advice would be to tell Jack to just use the "check external
> account" function in the web client, but both MS and GM have removed/are
> removing this.
>
> Cool. Cool cool cool.
>
> -Dan
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
