How to rewrite or modify the headers for forwarded emails

[Philip Perez]

We want to rewrite or modify the headers of all incoming emails which are automatically forwarded to third party domains.

For example:
We have [email protected] which forwards all incoming emails to [email protected]

In this case, what we want to achieve is to rewrite the headers like the following:

FROM THIS:

From: [email protected] (or this could also come form the same domain)

To: [email protected] (we hope to apply also the same rule on cc and bcc mails)

Cc: user2@ourdomain, [email protected]

Subject: original subject


TO THIS:

From: "[email protected]" <[email protected]>

(or the string can be the name of the original sender if available instead of the email address)

To: [email protected]

Cc: user2@ourdomain, [email protected] (one question here is - will these send another email to these Cc email addresses or not?)

Reply-to: [email protected]

Subject: original subject

QUESTIONS:
1. Can we achieve this through Exim Configuration Manager in WHM?
2. Can we achieve this through Global Email Filters in CPANEL?
3. I've already read some threads about rewriting headers with exim filters from:

While Mail Forwarding with exim, how do I rewrite the To header with true destination address

Exim Specification - 33 Address rewriting

1. Forwarding and filtering in Exim

https://confluence2.cpanel.net/display/CKB/How+to+Customize+the+Exim+System+Filter+File

...but where should I really start? Which file should I create or modify. Which line should I insert my code? Should I use the exim file, .forward or .filter?


The main reason behind this is we are actually having issues forwarding incoming emails to third party addresses like gmail or yahoo. One of the common problems we are getting is the:

"Unauthenticated email from thirdpartydomian.com is not accepted due to domain's DMARC policy."

Even though we have a successful SPF and DKIM authentication in place.

And lastly, is this the a recommend approach to resolve the issue or there are other ways to resolve this?

 

[cPanelMichael]

The main reason behind this is we are actually having issues forwarding incoming emails to third party addresses like gmail or yahoo. One of the common problems we are getting is the:

"Unauthenticated email from thirdpartydomian.com is not accepted due to domain's DMARC policy."

Even though we have a successful SPF and DKIM authentication in place.

Hello,

The following option under the "Mail" tab in "WHM >> Exim Configuration Manager >> Basic Editor" should address this problem:

Enable Sender Rewriting Scheme (SRS) Support

This option rewrites sender addresses so that the email appears to come from the forwarding mail server. This allows forwarded email to pass an SPF check on the receiving server.

Thank you.

 

[Philip Perez]

Hello,

The following option under the "Mail" tab in "WHM >> Exim Configuration Manager >> Basic Editor" should address this problem:

Enable Sender Rewriting Scheme (SRS) Support

This option rewrites sender addresses so that the email appears to come from the forwarding mail server. This allows forwarded email to pass an SPF check on the receiving server.

Thank you.

Hi Michael,

I already enabled the SRS Support in my server. But it looks like nothing has changed in our headers.

Just like what I've said, we already have a successful SPF and DKIM in place, so whenever we are forwarding emails, our SPF and DKIM always gets a PASS result in the receiving server.

The main issue here is whenever we are forwarding emails coming from Yahoo! (with a very strict DMARC Policy Record "p=reject")
it is being considers as SPAM (with p=reject dis=none) or being rejected with this error:
"Unauthenticated email from yahoo.com (or gmail.com or linkedin.com and others) is not accepted due to domain's DMARC policy."

https://sendgrid.com/blog/yahoo-dmarc-update/

...in spite of getting a PASS in SPF and DKIM authentication.

GMAIL also moved to the same direction as Yahoo!

https://sendgrid.com/blog/gmail-dmarc-update-2016/

According to SendGrid, we should send the forwarded email with a "friendly from" address. How can we achieve this?

 

[cPanelMichael]

I already enabled the SRS Support in my server. But it looks like nothing has changed in our headers.

Could you open a support ticket using the link in my signature so we can take a closer look at this? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[Philip Perez]

Could you open a support ticket using the link in my signature so we can take a closer look at this? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

Hi! I created a support ticket with Support Request ID No. 7659171

Thank you for your advice.

 

[Mike S]

Hi! I created a support ticket with Support Request ID No. 7659171

Thank you for your advice.

Was a solution found for this?
We have a similar setup, using sendgrid too. I would have expected more people asking for a solution to this, considering the increased strict DMARC/SPF usage however to my surprise there isn't a standard posted solution anywhere online. I would think this would be a 'standard' rewrite rule that would work for every server in such a configuration (such as a external relay server like Sendgrid).

 

[andersondeda]

I have exactly the same problem.
External relay, the problem occurs when our user creates a forwarder off the server, the message is forwarded through the original FROM, even with SRS enabled, however, to use the external relay it is necessary to make those adjustments in the following sessions
Section: AUTH
Section: ROUTERSTART
Section: POSTMAILCOUNT
Section: TRANSPORTSTART

 

[DennisMidjord]

Did anyone manage to find a solution for this?

 

[anderson.deda]

Hello good morning,
The resource is called SRS and it will do the work you need done.

 

[DennisMidjord]

SRS is already enabled on all of our servers.
We need forwarded emails to appear as if they come from the user that forwards them. The "From" header will keep the original value, even though SRS has been enabled.

 

[cPRex]

I'm not exactly sure how to reproduce this issue. I have a cPanel account with an email forwarder (the actual email account doesn't exist - only the forwarder is created) and when I send an email it reaches the server, hits the forwarder, gets sent to the forwarding address, and the sender shows as the original sender value in my inbox without me doing anything special with the server.

Here is a transaction from Gmail to forwarder to external email address showing this:

Message hitting my server from Gmail:
2022-08-08 15:33:31 1oL8VI-00BVLY-H1 H=mail-qv1-f50.google.com [209.85.219.50]:33538 Warning: "SpamAssassin as username detected message as NOT spam (0.0)"
2022-08-08 15:33:31 1oL8VI-00BVLY-H1 <= [email protected] H=mail-qv1-f50.google.com [209.85.219.50]:33538 P=esmtps X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no S=4114 id=CA+9-gBAmNxhKfxPgg55Woof_Avz_3o8GXG4nsOpfBfFR5HS0oQ@mail.gmail.com T="Test" for [email protected]
2022-08-08 15:33:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1oL8VI-00BVLY-H1
2022-08-08 15:33:31 1oL8VI-00BVLY-H1 SMTP connection identification D=domain.com [email protected] [email protected] M=1oL8VI-00BVLY-H1 U=username ID=1002 B=redirect_resolver

Message seeing the forwarder:
2022-08-08 15:33:31 1oL8VI-00BVLY-H1 Sender identification U=user D=domain.com [email protected]

Message being sent to the external address:
2022-08-08 15:33:31 1oL8VI-00BVLY-H1 SMTP connection outbound 1659987211 1oL8VI-00BVLY-H1 domain.com [email protected]
2022-08-08 15:33:32 1oL8VI-00BVLY-H1 [144.160.235.144] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=Dallas/O=AT&T Services, Inc./CN=alph768.prodigy.net" H="al-ip4-mx-vip2.prodigy.net"
2022-08-08 15:33:48 1oL8VI-00BVLY-H1 => [email protected] ([email protected]) <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=al-ip4-mx-vip2.prodigy.net [144.160.235.144] X=TLS1.2:AES256-GCM-SHA384:256 CV=no C="250 2.0.0 278JXVqB097401 Message accepted for delivery"2022-08-08 15:33:48 1oL8VI-00BVLY-H1 Completed

 

[DennisMidjord]

and the sender shows as the original sender value in my inbox without me doing anything special with the server.

Hello Rex.
That's what we're seeing as well.

Scenario:
[email protected] is an non-existing account. It's only a forwarder. This forwards emails to [email protected] or something similar.
We have a client that wants this to happen:
When [email protected] sends an email to [email protected], the email should appear as coming from [email protected] once it gets forwarded to [email protected].

Is that possible at all?

 

[cPRex]

Ah, so you *want* it to appear like it's sent from the forwarder then, right?

 

[DennisMidjord]

Exactly - even though I see a few issues with that. One of the bigger issues would be that it makes spotting phishing emails a lot harder.

 

[cPRex]

I don't have a way to change the behavior of the "From" address for a forwarder. Instead of using a forwarder for this situation, it might be best to create an actual email account for the forwarder and use a filter. We have details on this process here:

Forwarders | cPanel & WHM Documentation

This interface allows you to configure an email address to forward copies of incoming emails to another address.

docs.cpanel.net

That would also keep a local copy of the message on the server.

 

[DennisMidjord]

Alright, thanks for letting me know