Email Forwarding Is Bad: Why you should never forward email.

Forwarding mail is defined as re-sending mail from one mailbox to another.  For the sake of this discussion, we’re going to assume that you have an email account on a private domain name hosted at any web hosting company online, or even on your own VPS or dedicated server. We’ll use this tidbitsfortechs.com’s name as an example.  For our example email addresses we’ll use the name [ryansemailaddress]@. It’s in brackets so that it’s automatically broken- we don’t want anyone trying to send emails to it because it’s not real.

Ryan has to deal with many different email addresses, including [ryansemailaddress]@tidbitsfortechs.com. But Ryan doesn’t want to have to check every single address every day, and would like to have them all centrally located. We’d all agree that this is a reasonable need.

If this were 2003, Ryan would just forward the mail from [ryansemailaddress]@tidbitsfortechs.com to his email address [ryansemailaddress]@hotmail.com and it would be absolutely fine. The forward would work, and the problem would be solved.

But this isn’t 2003 anymore, and it won’t work correctly.

The Big Problem

Forget about email for a moment, and try to remember the last time you went to the airport and boarded an airplane. Depending on when that was, you may have been asked by a tired looking guy with a badge if anyone has asked you to carry a package for them. Why? Because that nice guy who just really needed to get that package to his grandma for her birthday wasn’t sending cookies. If you get on board a plane with his package, you’re now an accomplice. And when the sleepy guy with a badge finds out you’re carrying a suspicious package, chances are it’s going to be pretty hard for you to explain that away. In fact you might have a really hard time ever flying again.

How does this relate to email forwarding? I’m glad you asked!

Meet Joe Spammer. Joe Spammer is a real jerk, and he wants people to click on his links so he can steal their credit card numbers. Mail providers around the world keep an eye out for Joe Spammer’s spam, and they block it whenever they see it. Joe is especially bad in that he breaks into other peoples email accounts to send his spam.

So lets follow one of Joe Spammers emails. JS sends an email to [ryansemailaddress]@tidbitsfortechs.com, and Ryan, being on a quest for efficiency, has forwarded all email to [ryansemailaddress]@hotmail.com (or gmail, or msn, you get the idea). Hotmail.com looks at the email, and says “hey, this looks just like Joe Spammer!” and subsequently blocks the mail from arriving.

Normally, you’d think that that mail being blocked is a good thing. But it’s not. Why? Because Joe Spammer wasn’t the last person to touch that email. [ryansemailaddress] was! And now, [ryansemailaddress]@tidbitsfortechs.com is believed to be an agent for Joe Spammer, intentional or otherwise,  and is blocked.

But wait- there’s more. Now everything @tidbitsfortechs.com is suspect, and before you know it, the mail reputation for the entire domain is ruined. All email is blocked and can’t get to its destination. Yes, email providers rank email coming from any address at your domain, and will block your entire domain based on this.

You technical types, don’t bother looking for an RFC to find out how that works- there isn’t one. We’re in Magic Black Box territory here. Each mail provider does things their own proprietary way, and they’re not obligated to tell anyone how they do it.

Don’t Forward Email. Retrieve it.

If forwarding is bad, how do you get all your email into one inbox? Gmail, Outlook, and other email providers offer ways to use POP or IMAP to retrieve mails from another account and include them in your inbox. This is different than forwarding, because it’s being asked to retrieve the email instead of having random spammy emails forced down its throat.

Here are tutorials on how to turn on and use POP retrieval on Gmail and Outlook/MSN/Hotmail:

https://support.google.com/mail/answer/21289?hl=en&co=GENIE.Platform%3DDesktop

https://support.office.com/en-us/article/add-your-other-email-accounts-to-outlook-com-c5224df4-5885-4e79-91ba-523aa743f0ba

You’ll need to know the POP settings for your email accounts, and your web host can provide you with those. Hint: Search google for “mywebhost.com pop settings”.

TL;DR

This isn’t 2003 anymore. Don’t be the last person to send a piece of spam to its final destination. Use POP retrieval to move mail from one box to another. Don’t forward email, and you won’t get blocked.

More Info

We’re not the only ones who say “don’t forward email” and so you don’t have to believe me. Instead believe the really smart guys at Oregon State University:

http://oregonstate.edu/helpdocs/forward-mail-exchange-gmail-not-recommended

And if you’re interested, I’ve written on this topic before:

How Autoresponders and Email Forwarding make you an Accidental Spammer.

7 comments

1 ping

Skip to comment form

    • Ann on October 17, 2019 at 4:01 pm
    • Reply

    Valuable to me. I was going to forward to keep a jerk away. Hope this works.

  1. This article makes an implicit assumption : there is an email server receiving email for [ryansemailaddress]@tidbitsfortechs.com.

    Fair enough.
    But the fast majority of questions about email forwarding I read are for another use case : there is no email server for domain [ryansemailaddress]@mydomain.com.
    Most domain providers provide email forwarding , but you have to pay for a real mailbox.
    A lot of people are not prepared to pay for domain mail if they already have a Gmail account.
    Now, when you want to use a service like CloudFlare , they do not provide email forwarding.
    This is why people come up with all sort of solutions for email forwarding like MailGun, SendGrid or Open Source solutions like forwardemail.net.
    BTW: I tried MailGun and all email to Yahoo was blocked. Wasted two days of my time.
    I have been looking into a proper solution for email forwarding for quite some time and they all have advantages and disadvantages.

    1. Indeed, this article bases its statements on email that is self hosted on a domain using either a private server (VPS or dedicated) or a commodity web hosting configuration. But really any configuration where address@mydomain.com is re-sent (aka forwarded) to another address will have the same problems. The issue isn’t the technology used, it’s the fact that there’s no such thing as forwarding. It’s just the label we use for accepting and re-sending to another address.

      It really underlines the fact that Email Is Broken. It’s built using a 50 year old paradigm and hasn’t changed greatly in 40 years. Sure, it’s had a lot added to it (DKIM, SPF, graylisting, RBL, DNSBL, that kind of thing) but fundamentally it’s a design built for ARPANET where it was a trusted environment. Nobody redesigned it when ARPANET turned into the Internet.

    • Jeremy on March 27, 2020 at 11:29 am
    • Reply

    Honestly this is a dumb argument against forwarding email and exposes the real source of the problem described.

    It is perfectly legitimate and reasonable to forward email to another address, especially if for some reason you do not have access to that email account except say at work (assuming that your work does not fall under specific confidentiality categories). And if you want to forward all your emails to one address to save time, that’s also a reasonable desire. It may not be ideal in all cases, but it’s hardly some noxious sin.

    The real problem here is with spam filters and detection systems which idiotically assume that the sender of the email was the person who sent the spam even in the presence of information that might indicate another source. Now we might argue that’s reasonably effective if you don’t care who or what gets blocked, but in real life we don’t want free email services or anyone’s business email domain getting blocked arbitrarily and without recourse. Because the fact is that those email providers and business are generally legitimate and not spammers.

    And in any case even if most people actively decided not to forward stuff themselves that doesn’t keep anyone from hacking your system and sending emails with it. Nor does it prevent someone from exploiting email infrastructure in other ways such as spoofing the sender’s address or pretending to be a particular mail server. It would be better to have slightly smarter detection that looks at the header and for other clues about the true source of email that seems to be spam.

    • MichaelS on April 24, 2020 at 12:21 pm
    • Reply

    This would seem to be a problem if forwarding directly to a service such as Hotmail, Gmail, etc. I don’t know if that is what most people would do, but my ISP provides a free mailbox as part of the service. So I would forward all mail to that mailbox. If I wanted to use a Gmail etc. mailbox (I don’t usually) I would collect it from my ISP’s mailbox with POP3 or IMAP. So long as my ISP doesn’t play silly games with blacklisting mail (and I can and do call their customer service about any problems I have, and would expect them to resolve such issues), there’s no problem with forwarding. If I change ISP (but not mail domain) I just forward to the new ISP’s mailbox. You had me worried for a moment. (The hidden email address I’ve given is not valid beyond 20 May 2020 – that’s why I came here!]

    1. Hey there Michael, unfortunately, directly forwarding to Gmail is exactly what people do, which is why I wrote this. But as long as you’re doing POP3 or IMAP collection, it’s fine. Thanks for the reply!

    • Felix on April 28, 2020 at 10:17 pm
    • Reply

    POP3 and IMAP have their own issues, in that they don’t support 2 factor authentication (which everyone should be using).

  1. […] (baseball@, for example) which also forwarded to one or more personal email accounts.  Forwarding email is an insecure practice that can result in email getting blocked from your entire domain (meaning you won’t be able to […]

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.