Is SRS rewriting absolutely necessary for a forwarding mailserver

Tags: postfix, spam, spamassassin

I am operating a Postfix email server for my domain, say mydomain.com. It mostly acts as a forwarding email server: users receive an email address @mydomain.com, but usually elect to have their address forward to an external inbox (Gmail, Yahoo, etc). There are a few thousand addresses being forwarded, so the server handles a fairly significant volume of mail traffic.

In the past, the server did not use SRS rewriting. This of course meant that forwarded mail would fail SPF checks, as my IP address is not technically authorized to send email on behalf of the original sender's domain. However, from what I can see it doesn't seem to be causing any significant issues. Generally no complaints from users as Gmail, Yahoo, etc. seem to be smart enough to ignore the SPF failures and deliver the messages anyway.

With this in mind, is it really necessary to enable SRS rewriting? I am considering enabling it but my main concern is that my domain will get blacklisted for sending spam when spam inevitably gets forwarded. Wouldn't the rewrite make it appear as if I'm the originator of the spam? (At least, this is my understanding from reading Gmail's Best Practices for Forwarding Mailservers.)

Granted, I am already taking some of the recommended precautions like using SpamAssassin to add "SPAM" to the subject line of suspected spam before forwarding, not forwarding high confidence (score 15+) spam, and using the spamhaus blocklist, but these measures aren't perfect and spam can still slip through unmarked.

Is enabling SRS rewriting worth it, if it increases the risk of getting wrongly marked as a spammer? Or would it be safer to just leave it as is and ignore SPF failures?

Best Answer

It seems to me that what your question boils down to is "how many mail servers out there check SPF records on incoming email?". If it's most of them, SRS is an absolute requirement for a forwarding server; if it's none of them, you don't need SRS.

Unfortunately, I can't immediately put my hands on any academic work on this. But since I check SPF on incoming email, I can say with certainty that some mail servers do check it. Any of your clients who have your server forward to accounts on my server will lose email sent from senders who advertise an SPF that ends (as they all should) -all, unless you use SRS. So I can say with certainty that without SRS, some of your customers' email will not be delivered.

I apologise to Marc that I can't read German, so I can't say whether the PDF he quotes advances compelling arguments, but I can reiterate that without SRS, some fraction of your customers' email won't be delivered. I cannot say what that fraction is, but it isn't zero - and that given, I don't think you have any alternative but to run SRS.

I agree that your server will not be helping itself by forwarding SPAM, but in my experience most of the reputational damage is done to its IP address, not the envelope-From domain; this will be done regardless of SRS usage.

The deeper answer to your question is that, between SPF and its (ill-considered and internet-breaking) followup DMARC, it seems to me that mail forwarding services have had their day. I've already required all but one of my users to have final delivery on my server, and that one user will have to change or leave in 2016. Nowadays, many webmail systems will allow integration over multiple mailboxes by collecting off-server mail using IMAP or POP, and many mail clients allow multiple IMAP or POP accounts to present as a single integrated INBOX, so forwarding isn't the boon to centralised reading that it used to be.

In short, I'd say you need SRS in the short term, and a new business model in the longer term.