I have email forwarding configured to a Gmail account. Some legitimate emails get rejected by Mail Delivery Subsystem <[email protected]> due to
550 5.7.1 DMARC checks failed. dJDdEJfjX45d
550 5.7.1 DMARC checks failed. UzIuUULqb1UZ
550 5.7.1 DMARC checks failed. ls3ebJKjTplX
Not sure whether those are references that may help you check your logs.
Email forwarding has been a bad idea for at least a decade. With DMARC adoption on the rise, it is only going to get worse. DMARC can authenticate email in one of two ways: SPF & DKIM. Forwarded emails simply cannot pass SPF DMARC verification. That leaves only DKIM for DMARC authentication. For this to work, it requires the sender to have a working DKIM implementation and the signed elements must remain unaltered through the entire transit between the signing element and the final DKIM check.
In situations where email reliability is important, the best solution is to pay for a domain mailbox and not rely on forwarding.
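The DMARC rule described above, as an added example (not code from the thread or from Cloudflare): a small Python evaluator run over constructed Authentication-Results values, showing that a forwarded message can only pass DMARC through an aligned, intact DKIM signature. The organizational-domain rule is simplified to the last two labels (an assumption; real DMARC consults the Public Suffix List).

```python
import re
from email.utils import parseaddr

# Constructed Authentication-Results values (not from the thread). The From:
# domain is sender.example.org in every case; only the delivery path differs.
FROM_HEADER = "Alice <alice@sender.example.org>"
AR_DIRECT = ("spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=sender.example.org; "
             "dkim=pass header.i=@sender.example.org header.d=sender.example.org")
# Forwarder rewrites the envelope sender to its own domain: SPF passes, but it
# is evaluated for the forwarder, so it cannot align with the From: domain.
AR_FORWARDED = ("spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=forwarder.example.com; "
                "dkim=pass header.i=@sender.example.org header.d=sender.example.org")
# Same forwarder, but the body was modified in transit, so the signature broke.
AR_FORWARDED_ALTERED = AR_FORWARDED.replace("dkim=pass", "dkim=fail (body hash mismatch)")


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Return {method: (result, authenticated domain)} for the spf/dkim clauses."""
    pattern = r"(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    return {m.group(1): (m.group(2), m.group(3)) for m in re.finditer(pattern, header)}


def dmarc_evaluate(from_header, auth_results, adkim="r", aspf="r"):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From:."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    ar = parse_auth_results(auth_results)
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, aspf)
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    for label, ar in [("direct", AR_DIRECT), ("forwarded", AR_FORWARDED),
                      ("forwarded+altered", AR_FORWARDED_ALTERED)]:
        print(f"{label:18} {dmarc_evaluate(FROM_HEADER, ar)}")
```

The third case is the one that produces a "DMARC checks failed" rejection at the receiving side: SPF can never align through a forwarder, and once the DKIM signature no longer verifies there is nothing left for DMARC to pass on.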
@epic.network Does forwarding between 2 Gmail accounts have the same problem or does that work OK because it’s Google on both sides and they special case it?
My ultimate goal is to have a custom domain’s email end up in a personal Gmail account rather than have an IMAP/email server elsewhere. I have a legacy (free) GSuite account which I used to host my domains at in the past and email worked very well, but the recent fiasco about shutting down GSuite legacy accounts made me move to a personal Google account and Cloudflare email forwarding, which now seems to be problematic for a handful of emails every month. I wonder whether I should move my domains back to GSuite and just forward from there to my personal Gmail which I now use as my main Google account.
I can’t speak to forwarding between Gmail accounts as that is not anything I have ever had the need to implement. Since DMARC validation is intended to be performed at the edge of an organization’s email infrastructure, I suspect that your presumption is correct. You could perform some testing or inquire at the Gmail Community if you need confirmation.
I have found that pulling email from an external domain mailbox into a Gmail account using POP3S is a far more reliable solution than forwarding in the age of DMARC. It also has the added benefit of being able to provide DKIM signing and native SPF by using the mailbox’s authenticated SMTP service. I made that change many years back, long before I rolled out DMARC across all of my managed domains.
I don’t know what Cloudflare’s end goal is with the Email Routing Beta. Perhaps it is part of a larger well-defined strategy, but as an outsider, it seems like a half-baked solution that is inappropriate for most use cases that I see posted in the Community. It seems to also generate a fair amount of confusion, and even though the support costs may be negligible since the community are all volunteers, there is still some direct cost to internally support the infrastructure.
It obviously works well enough for some people, but I have yet to find a situation where it would provide any benefit over any of my current solutions.
I avoid email auth codes whenever possible. TOTP codes are instant. I realize that doesn’t help you solve your problem. I’m just acknowledging your use case and sharing that I recognize that mine may not be similar enough to yours for my solutions to assist in your situation, especially if a dedicated domain mailbox is not an option for you.
Hopefully another community member can share a perspective that is more applicable to your requirements.
Shouldn’t all these forwarding issues be solved by ARC?
Does Cloudflare support ARC? From looking at the headers of forwarded emails it doesn’t look like it does.
Then there’s also the question of whether Gmail would trust Cloudflare ARC headers.