February 6, 2024 – Beginning today, we will be ending the ability to do “remote forwards” on email accounts. A remote forward is setup to take an email address which is local to our servers and forward it to another service. For example, if we forwarded email@example.com (which is located on our servers) to firstname.lastname@example.org, that would be a “remote forward”. The problem with this is that when Yahoo! sees the email, they think it is being sent by our servers. So, if a spammer sends an email to email@example.com and we forward it to Yahoo!, then Yahoo! thinks we are spamming them.
This month, Google has put much more strict policies in place dealing with spam and as a result, emails coming through our systems are being rejected or flagged as spam by Google’s servers. This is due to the number of remote forwards we have in place, and so we’ve had to make the decision to stop these forwards and institute a policy of not allowing them in the future.
Since Google has implemented this, the rest of the industry who haven’t already done so will quickly line up to do so as well.
Some more information about remote forwards follows for the technically curious:
Why remote forwards are bad
With the anti-spam protections in place in all modern mail servers, forwarding emails to remote servers or addresses is not recommended. The whole industry is moving away from remote forwards. As Best Practices for email server operators, remote forwarding should be disabled due to the potentially system-wide negative effects they could cause, such as backscatter and IP reputation issues.
Backscatter can stem from the remote addresses being no longer valid, servers not being authorized to send emails for the sender’s domain, or emails being rejected by remote servers due to anti-spam policies in place at the remote site.
As more backscatter events accumulate, they will not only cause higher system load and resource usage, but will also have a negative effect on the IP reputation of the sending servers. A poor IP reputation will cause system-wide delivery issues affecting accounts on those servers. For example, if our server’s IPs are blocked or rate-limited by Yahoo! or Gmail servers, all accounts will experience delivery issues when sending emails to Yahoo! and Gmail addresses. (This is happening now. See: https://www.netsolinc.com/gmail-blocking-email/)
Aside from the backscatter and IP reputation issues, having remote forwarding available provides a way for bad actors secretly forwarding a compromised account’s emails to a remote address without the account/mailbox owner’s knowledge. For example, if third-party site’s account verification or password-reset emails are being forwarded to a remote address, the bad actor could gain access to the compromised user’s other online accounts.