Home / Blogs

How Spam Has Damaged Mail Forwarding - And Ways to Get Around It

John Levine

Courtesy forwards have been a standard feature of e-mail systems about as long as there have been e-mail systems. A user moves or changes jobs or something, and rather than just closing the account, the mail system forwards all the mail to the user's new address. Or a user with multiple addresses forwards them all to one place to be able to read all the mail together. Since forwarding is very cheap, it's quite common for forwards to persist for many years.

Unfortunately, forwarding is yet another thing that spam has screwed up. If you just forward all the mail that arrives at a typical address, most of what you'll be forwarding is spam. From the point of view of the system you're forwarding to, you're the one sending the spam, and they're likely to block you.

Fortunately, there are some ways to mitigate the damage.

  • Configure separate outbound IPs, use one for forwarded mail, one for locally generated stuff. That way, if the forwarding goes wonky, only forwarded mail gets blocked. All of your outbound IPs should have reasonable and matching A and PTR records in the DNS. (This last bit applies whether you're forwarding or not.)
  • Use all the usual conservative DNSBLs such as Spamhaus and Spamcop to hard block mail. Their error rate is low enough that you don't have to worry about it.
  • Run the mail through Spamassassin or something similar. Some ISPs allow you to put an X-Spam-Flag: Yes header on the mail and send it along to be dropped in the user's spam folder. Most don't, in which case you should throw it away or put it in a local mail account they can check occasionally.
  • Point out to your forwarding users that it is cheap and easy to configure modern mail programs to check multiple accounts. Rather than forwarding the mail somewhere else, deliver it to a local mailbox and have them configure their mail program to pick it up along with mail from other accounts. Most webmail systems now have a way to import mail via POP (the same way desktop mail programs pick it up). Even if there's a lot of spam mixed in, it won't affect your system's outgoing reputation since you didn't send it to their incoming mail server.
  • If you control your IP ranges, sign up for feedback loops at the ISPs you forward to, so you can see what people are complaining about.

If you do these, you should get mail through to most places. The local pickup trick will get mail through to anywhere.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Email, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


Traditional courtesy forwards are likely also illegal Alessandro Vesely  –  Mar 06, 2012 12:02 PM PST

Some countries, e.g. Australia, Canada, Europe, have rules to protect the rights of email address owners.  A dot-forward file with an external email address written in it, should be accessible by the owner of that address.

As quibblish as this may sound, that principle has the potential to kill all the murkily legal spam.  By requiring that each stored email address be notified and accessible to its owner --except personal address books-- we can bring fairness to the email business.  In fact, mailing lists, newsletters, and any case where the delivery addresses are not set interactively, are a case of forwarding that could be fixed.  See fixforwarding.org.

Huh? John Levine  –  Mar 06, 2012 12:05 PM PST

All the courtesy forwards I know are set up at the request of the user of the address. This comment makes no sense.

I don't even understand this comment. Phil Howard  –  Mar 06, 2012 1:40 PM PST

I don't even understand this comment.  Either an email provider provides a forwarding service or they don't.  I can't see how government regulations can require a .forward file to even be implemented, much less give email users shell access to change it.  If they offer it, they can likely provide it in a profile panel.  If I offered such a service I would limit forwarding to only domains I'm hosting.

If you have email provided to you, you should be able to close it if you wish (or they do so for non-payment if it is a paid service).  Or just leave the account open as you tell everyone to use your new email, and read from both as in the 4th suggestion.

Sorry I wasn't clear Alessandro Vesely  –  Mar 07, 2012 9:46 AM PST

IANAL, but I don't think laws differentiate dot-forwards from mailing lists.  The same obligations to prove opt-in and give opt-out information hold.  Indeed, that's what full blown vanity email address providers do.

The fourth of John's suggestions above is more internationally valid than the others.

To post comments, please login or create an account.

Related Blogs

End-to-End Email Encryption - This Time For Sure?

Coordinating Attack Response at Internet Scale

Who Is Sending Email As Your Company?

When DNSBLs Go Bad

Email Vendors: Time to Build in DMARC

Related News


Industry Updates – Sponsored Posts

Non-English "IDN Email" Addresses Are Finally Working!

A Look Inside Dyn's 1.2 Billion Monthly Email Delivery Statistics

Dyn to Host Email Analytics Webinar With Ongage

Dyn Adds Claudia Santoro, Dave Connors and Andrew Sullivan to Technical Team

Dyn Receives $38M Investment from North Bridge

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

MarkMonitor Fraud Intelligence Report, Q4 2011

MarkMonitor Fraud Intelligence Report Released for Q2 2011

Dyn Releases New Powerhouse in Enterprise Class Email Delivery

The Botnet-Counterfeit Drugs Connection

Global Company Leads the Pack as One of the First Microsoft Partners to Offer Exchange 2010

Dyn Inc. Acquires Email Delivery Provider SendLabs

Afilias and .JO Registry Bring Native Language E-mail to Arabic Internet Users

New Monthly Fraud Intelligence Report Now Available

MarkMonitor to Highlight Importance of Cross-Functional Approach to Brand Protection

Preventing Your DNS Account from Being Hacked

Paid Search Ads Can Lead to Fake Goods

Sponsored Topics


DNS Security

Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines


Sponsored by


Sponsored by