What is Email Forwarding?
Email forwarding is a mail routing configuration that automatically redirects messages received at one email address to another destination address. When an email arrives at the forwarding address, the mail server immediately sends it to the target address without storing it in the original mailbox.
How Email Forwarding Works
1. Email sent to: sales@example.com
2. Mail server receives at MX: mail.example.com
3. Server checks forwarding rules
4. Email forwarded to: team@company.com
5. Team receives email (appears from original sender)
The forwarded email preserves the original sender information, so replies go back to the original sender, not the forwarding address.
Types of Email Forwarding
Simple Forwarding
One address forwards to one destination:
info@example.com → admin@example.com
Multi-Destination Forwarding
One address forwards to multiple recipients:
support@example.com → {
tech-team@example.com,
support-lead@example.com,
ticket-system@helpdesk.com
}
Conditional Forwarding
Forward based on criteria:
If subject contains "urgent" → priority@example.com
If from VIP domain → executive@example.com
Else → general@example.com
Domain-Level Forwarding
Forward all email from one domain to another:
*@old-domain.com → *@new-domain.com
Configuring Email Forwarding
cPanel
1. Email → Forwarders
2. Add Forwarder
3. Address to Forward: sales@example.com
4. Forward to: destination@example.com
5. Add Forwarder
Postfix (Linux)
# /etc/aliases
sales: destination@example.com
# Or for virtual domains
# /etc/postfix/virtual
sales@example.com destination@example.com
# Apply changes
newaliases # For /etc/aliases
# or
postmap /etc/postfix/virtual && systemctl reload postfix
Gmail Forwarding
1. Settings → Forwarding and POP/IMAP
2. Add a forwarding address
3. Verify forwarding address (click link in confirmation email)
4. Enable forwarding
5. Choose what to do with original (keep, archive, delete)
Microsoft 365
1. Admin Center → Users → Active users
2. Select user → Mail tab
3. Email forwarding → Manage email forwarding
4. Forward all email to: destination@example.com
5. Save changes
Google Workspace (Domain-Wide)
1. Admin Console → Apps → Google Workspace → Gmail
2. Routing → Add Route
3. For recipient: Single recipient or All recipients
4. Forward to: destination@example.com
5. Options: Change route, Modify headers
Email Forwarding vs. Aliases
| Feature | Forwarding | Alias |
|---|---|---|
| Delivery location | Another address | Same mailbox |
| Original address storage | No | Yes |
| Appears in mailbox | No | Yes (as alias) |
| Authentication | Can break SPF/DKIM | Maintains authentication |
| Best for | External routing | Multiple addresses → one inbox |
Alias:
sales@example.com } → Same mailbox
contact@example.com } (both deliver to mailbox, different addresses)
Forwarding:
sales@example.com → john@gmail.com
(only delivers to john@gmail.com, nothing in sales mailbox)
SPF and Email Forwarding
Email forwarding creates SPF challenges because the forwarding server sends email on behalf of the original sender:
The Problem
1. Sender: alice@sender.com sends to sales@forwarder.com
2. Forwarder: sales@forwarder.com forwards to bob@final.com
3. Final server checks SPF:
- Envelope From: alice@sender.com
- Sending IP: forwarder.com's IP
- SPF Check: Does sender.com authorize forwarder.com's IP?
- Result: Usually FAIL (forwarder not in sender.com's SPF)
Solutions
SRS (Sender Rewriting Scheme):
Forwarder rewrites envelope sender:
Original: MAIL FROM: <alice@sender.com>
Rewritten: MAIL FROM: <srs=hash=sender.com=alice@forwarder.com>
Now SPF checks forwarder.com's SPF (passes)
Postfix SRS Configuration:
# Install postsrsd
apt-get install postsrsd
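# /etc/postfix/main.cf
# Rewrite only the envelope sender; rewriting header senders would break DKIM
sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
# Reverse the rewrite for bounces coming back to SRS addresses
recipient_canonical_maps = tcp:127.0.0.1:10002
recipient_canonical_classes = envelope_recipient, header_recipient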
systemctl restart postsrsd postfix
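The rewrite-and-reverse step described above, as an added example (not part of the original page and not postsrsd's code). It follows the common SRS0 address layout `SRS0=hash=timestamp=domain=local@forwarder`; the secret, the 21-day validity window and the function names are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value; a real forwarder keeps its key private
FORWARDER = "forwarder.com"          # forwarding domain from the example above
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, domain, local):
    """Short keyed hash binding timestamp, original domain and local part."""
    msg = (stamp + domain + local).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def srs_forward(sender, day):
    """Rewrite the envelope sender so SPF is evaluated against the forwarder."""
    local, domain = sender.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(address, today, max_age=21):
    """Recover the original sender from a bounce address; None if forged or expired."""
    local_part, _, host = address.rpartition("@")
    parts = local_part[5:].split("=", 3)
    if host.lower() != FORWARDER or local_part[:5].upper() != "SRS0=" or len(parts) != 4:
        return None
    tag, stamp, domain, local = parts
    stamp = stamp.upper()
    if len(stamp) != 2 or any(c not in B32 for c in stamp):
        return None
    # Constant-time comparison: a forged address must not be accepted as a bounce path
    if not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        return None
    age = (today - (B32.index(stamp[0]) * 32 + B32.index(stamp[1]))) % 1024
    return f"{local}@{domain}" if age <= max_age else None
```

The keyed hash is what stops the forwarder from becoming an open relay for bounces: an address whose hash does not verify, or whose timestamp is too old, is not reversed.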
ARC (Authenticated Received Chain):
Preserves authentication results through forwarding:
ARC-Authentication-Results: i=1; forwarder.com;
 spf=pass smtp.mailfrom=sender.com;
 dkim=pass header.d=sender.com
DKIM and Forwarding
DKIM signatures can break during forwarding if the forwarder modifies the message:
Common Modifications That Break DKIM
- Adding disclaimers to message body
- Appending "[FORWARDED]" to subject line
- Converting plain text to HTML
- Changing line endings or encoding
Preserving DKIM
Minimize modifications:
# Postfix does not alter message bodies or subjects on its own; disclaimers and
# subject tags are added by content filters or milters, so exempt forwarded mail from them
DKIM signing by forwarder:
# Add forwarder's DKIM signature
# Original sender's signature may break, but forwarder's passes
Best Practices for Email Forwarding
Use Forwarding Sparingly
Prefer aliases or shared mailboxes when possible:
Instead of: info@example.com → john@gmail.com
Use: John checks info@example.com directly via IMAP/webmail
Implement SRS for External Forwarding
Essential when forwarding outside your domain:
Internal forwarding: sales@example.com → team@example.com (safe)
External forwarding: sales@example.com → team@gmail.com (use SRS)
Monitor Forwarding Loops
Prevent infinite forwarding:
A forwards to B
B forwards to A
= Loop
Solution: Postfix hopcount_limit (default 50)
Set Up Delivery Notifications
Be notified when forwarding fails:
# Postfix
notify_classes = bounce, resource, software
Document Forwarding Rules
Maintain inventory:
# forwarding-rules.md
| From | To | Purpose | Owner | Created |
|------|----|---------| ------|---------|
| sales@example.com | crm@example.com | CRM integration | IT | 2024-01 |
Regular Audits
Review and clean up:
# List all forwards (Postfix)
grep -v "^#" /etc/postfix/virtual | grep "@.*@"
# Check for outdated destinations
# Remove forwards for terminated employees
Common Forwarding Issues
Forwarding Silently Fails
Symptoms: Email sent to forwarding address disappears
Causes:
- Destination address doesn't exist
- Destination server rejects forwarded mail
- Forwarding loop detected and broken
# Check mail logs
tail -f /var/log/mail.log | grep -i "forward"
# Test forwarding
echo "Test" | mail -s "Test" forwarding-address@example.com
# Check if it arrives at destination
SPF Failures on Forwarded Mail
Symptoms: Forwarded emails marked as spam or rejected
Solution: Implement SRS (see above)
Forwarding Delays
Symptoms: Forwarded emails arrive minutes or hours late
Causes:
- Queue backlogs on forwarding server
- Greylisting at destination
- Rate limiting
# Check Postfix queue
mailq
# Process queue immediately
postqueue -f
Destination Marks Forwarded Mail as Spam
Symptoms: Legitimate forwarded emails go to spam
Causes:
- SPF/DKIM failures
- Forwarder IP has poor reputation
- Destination doesn't trust forwarder
Solutions:
- Implement ARC on forwarding server
- Whitelist forwarder IP at destination
- Use SRS for envelope rewriting
Forwarding for Specific Use Cases
Temporary Forwarding (Vacation)
# .forward file (user home directory)
\myuser, colleague@example.com
# Delivers to both user's mailbox and colleague
Forwarding with Local Copy
# Keep copy in original mailbox while forwarding
# Postfix virtual:
user@example.com user@example.com, forward@destination.com
Department Distribution
# /etc/aliases
sales: john@example.com, jane@example.com, crm-system@tools.com
External Service Integration
# Forward to ticket system
support@example.com → ticket-RANDOM@helpdesk.io
# Forward to Slack email
alerts@example.com → workspace.channel.ABC123@example.slack.com
Security Considerations
Forwarding to Personal Email
Risks:
- Corporate data on unsecured personal accounts
- Loss of compliance control
- No backup/archival
External Forwarding Disclosure
GDPR considerations: forwarding may constitute data sharing.
Forwarding as Attack Vector
Compromised account sets up forwarding to exfiltrate emails:
# Detection
# Alert on new forwarding rules:
monitor /etc/postfix/virtual for changes
monitor Exchange/M365 forwarding rule creations
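Detection logic for the change monitoring described above, as an added example that is not from the original page: it compares the current /etc/postfix/virtual against a reviewed baseline and reports newly added destinations outside the local domains. The two sample maps, LOCAL_DOMAINS and the function names are constructed assumptions.

```python
import re

LOCAL_DOMAINS = {"example.com"}  # assumption: domains hosted on this server

BASELINE = """\
# constructed sample: last reviewed copy of /etc/postfix/virtual
sales@example.com    crm@example.com
user@example.com     user@example.com, forward@destination.com
"""

CURRENT = """\
# constructed sample: /etc/postfix/virtual as found now
sales@example.com    crm@example.com
user@example.com     user@example.com, forward@destination.com
ceo@example.com      ceo@example.com,
    drop-box@mail.example.net
support@example.com  tech-team@example.com
"""

def parse_virtual(text):
    """Map each source address to its set of destinations."""
    rules, source = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = re.split(r"[,\s]+", raw.strip())
        if not raw[0].isspace():  # new entry; indented lines continue the previous one
            source, fields = fields[0].lower(), fields[1:]
        if source is not None:
            rules.setdefault(source, set()).update(f.lower() for f in fields if f)
    return rules

def new_external_forwards(baseline, current, local_domains=LOCAL_DOMAINS):
    """Return (source, destination) pairs added since the baseline that leave local domains."""
    old, new = parse_virtual(baseline), parse_virtual(current)
    findings = []
    for source, targets in new.items():
        for target in targets - old.get(source, set()):
            if "@" in target and target.rpartition("@")[2] not in local_domains:
                findings.append((source, target))
    return sorted(findings)
```

Forwards already present in the reviewed baseline are not reported again, so each finding corresponds to a change that needs an owner and a reason.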
Testing Email Forwarding
Test forwarding chain:
# Send test email
echo "Test forwarding" | mail -s "Forwarding Test" source@example.com
# Check logs on forwarding server
tail -f /var/log/mail.log
# Verify arrival at destination
# Check destination mailbox
Verify SPF/DKIM preservation:
Send email through forwarding chain
Check authentication headers at destination:
Authentication-Results: destination.com;
spf=pass (forwarder: domain of source.com designates <IP> as permitted sender)
dkim=pass header.d=source.com
Email forwarding is useful but requires careful configuration to maintain deliverability and security.