University of Southampton

iSolutions

Zepler.org/Zepler.net Dropped Email

Previously, the University offered ECS Graduates a zepler.net/zepler.org email address which could be forwarded on to a private non-university email address.

Whilst the service is still active for existing users, it has become an increasingly complex service to provide and there is currently a known issue when forwarding on to Gmail accounts.

Please see below for further information:

Due to a number of changes in the way that the email system works, email forwarding at large is becoming increasingly problematic for service providers.

 

There are currently two standards used to determine if emails have been modified in transit, namely SPF and DKIM.

Furthermore, it is a sending domain’s DMARC policy that determines the action to be taken by a participating mail server on the receiving end if either of the above checks fails. In addition to this, a receiving email server/service is at liberty to apply any additional email scanning it wishes, which goes beyond the DMARC policy of a sending domain.

  • SPF records are DNS records published by sending domains, containing a list of IP Addresses and/or host-names of email servers that they permit to send email on their behalf
  • DKIM Records contain the public-key component of a public/private key-pair used to digitally sign emails, and allow receiving email servers to perform a DNS Lookup, retrieve the correct public key, and validate the signature included in the email


By its very nature, traditional email forwarding does indeed alter emails in transit by rewriting the “envelope recipient(s)” header from the original address (e.g. joebloggs@zepler.org) to the address it is to be forwarded on to, all the while leaving the “envelope sender” field untouched.

 

This means that traditional email-forwarding will result in SPF checks failing on the final receiving email server, as the mail will be received from an IP Address that is not in the original sending domain’s SPF Record.

 

However, this is only half of the story; in most cases DKIM should be compatible with traditional email-forwarding as long as it is only the message body that is signed, or as long as the “envelope recipient” header isn’t part of the signed message. This is because most sending domains’ DMARC policies will permit messages to pass if either SPF or DKIM checking succeeds.
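The behaviour described above can be modelled in a short Python sketch. This is an added example, not part of the original article: the domains, addresses and key are constructed, an HMAC stands in for the DKIM RSA key pair, and alignment is simplified to an exact domain match. It also goes one step beyond the text by showing a forwarder that appends a footer, which breaks DKIM as well.

```python
import hashlib, hmac, ipaddress

# Constructed sample data: example.org's published SPF ranges and DKIM key.
SPF = {"example.org": ["192.0.2.0/24"]}
DKIM_KEY = {"example.org": b"constructed-demo-key"}  # HMAC stands in for the RSA key pair

def dkim_sign(domain, headers, body, signed=("from", "subject")):
    """Sign the body hash plus the listed headers, as a DKIM signer would."""
    data = hashlib.sha256(body.encode()).hexdigest() + "".join(
        f"{h}:{headers[h]}\n" for h in signed)
    sig = hmac.new(DKIM_KEY[domain], data.encode(), "sha256").hexdigest()
    return {"d": domain, "h": signed, "b": sig}

def spf_pass(envelope_sender, client_ip):
    """SPF: is the connecting IP authorised by the envelope sender's domain?"""
    domain = envelope_sender.rsplit("@", 1)[1]
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in SPF.get(domain, []))

def dkim_pass(msg):
    """DKIM: recompute the signature over what arrived and compare."""
    sig = msg["dkim"]
    expected = dkim_sign(sig["d"], msg["headers"], msg["body"], sig["h"])
    return hmac.compare_digest(sig["b"], expected["b"])

def dmarc_pass(msg, client_ip):
    """DMARC: pass if SPF or DKIM passes for the From: domain (exact match here)."""
    from_dom = msg["headers"]["from"].rsplit("@", 1)[1]
    spf_ok = (spf_pass(msg["mail_from"], client_ip)
              and msg["mail_from"].rsplit("@", 1)[1] == from_dom)
    dkim_ok = dkim_pass(msg) and msg["dkim"]["d"] == from_dom
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

def make_message():
    headers = {"from": "alice@example.org", "subject": "Hello"}
    body = "See you at the reunion.\r\n"
    return {"mail_from": "alice@example.org", "rcpt_to": "joebloggs@zepler.org",
            "headers": headers, "body": body,
            "dkim": dkim_sign("example.org", headers, body)}

def forward(msg, new_rcpt, footer=""):
    """Traditional forwarding: rewrite the envelope recipient, keep the sender."""
    return {**msg, "rcpt_to": new_rcpt, "body": msg["body"] + footer}

direct = dmarc_pass(make_message(), "192.0.2.10")  # delivered by the sender's own server
forwarded = dmarc_pass(forward(make_message(), "joe@mail.example"), "198.51.100.7")
modified = dmarc_pass(
    forward(make_message(), "joe@mail.example", "-- footer\r\n"), "198.51.100.7")
```
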

 

However, it appears that Gmail may be dropping forwarded email on a stricter basis than the original sending domain’s DMARC policy states, as the only bounce-back errors we receive on the Zepler platform are from emails forwarded to Gmail accounts.

 

In summary:

  1. There is a longer-term solution to the problem known as Authenticated Received Chain; however, it is currently listed as Experimental by the IETF. We aren’t currently ready to implement it, although we will be periodically reviewing its feasibility.
  2. You can work around the issue by changing the account you forward to, from Gmail to another email address.
    * Please note, this is no longer possible via zepler.org, and will require a phone call to the University’s IT Help Desk (https://www.southampton.ac.uk/isolutions/getting-help/serviceline.page).

