1

Since ever, I've been using a catch-all email forwarder at a domain I hold, *@mydomain.net, and sending the email to my personal gmail account, [email protected]. I've just been ousted from my domain host by a pricing change, and moved to a new one (fasthosts, as it happens). The catch-all has been configured at the new host, and it seems that it is working, since emails from some sites (including amazon.co.uk) are getting through. However, emails from elsewhere are not, and I suspect gmail is blocking them silently.

The (successfully-received) email from amazon includes these lines:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=27ndrlrdagf22763jnizbipdvvil3lqa header.b=S2xxySPL;
       dkim=pass [email protected] header.s=shh3fegwg5fppqsuzphvschd53n6ihuv header.b=XRjtDO1P;
       spf=fail (google.com: domain of 20230613081337141a97ca6a024ef9b0845e68c800p0eu-c398vbjjn95lvi@bounces.amazon.co.uk does not designate 213.171.216.218 as permitted sender) smtp.mailfrom=20230613081337141a97ca6a024ef9b0845e68c800p0eu-C398VBJJN95LVI@bounces.amazon.co.uk;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk

which I guess might read as: it failed on SPF, but was passed anyway because... and then I don't know.

The SPF record for the domain is as follows:

Non-authoritative answer:
mydomain.net    text = "v=spf1 a ip4:213.171.216.0/24 ip4:77.68.64.0/27 mx ~all"

Authoritative answers can be found from:

From the amazon email headers, it looks like gmail went to ask amazon if the fasthosts server was a permitted sender. So I can't change that, I guess.

Is there a way to configure my gmail, or my records at fasthosts, to make catch-all forwarding start working again?

Failing that, might an alternative mail provider be available that was not as strict as gmail and would let these mails through?

2
  • 2
    SPF records and bounce handling usually "break" when using "simple" e-mail forwarding schemes. To deal with that, SRS, the Sender Rewriting Scheme, has been developed. That needs to be supported in the e-mail server doing the forwarding. - You can associate your custom domain with your Gmail account with a paid Google Workspace and receive email directly without the need of a forwarding service
    – HBruijn
    Commented Jun 13, 2023 at 12:36
  • Thanks for the answers. For info, I have resolved the immediate (rather an emergency) issue by taking a paid mailbox from fasthosts for 1 year. That gives me time to get into your answers and understand the problem, whilst not missing important mail. I guess because it's hosted by them, it works, but I admit I'm not clear exactly why. Commented Jun 13, 2023 at 15:01

1 Answer

1

DMARC

These days ESPs such as Gmail or Outlook rely more and more on DMARC authentication results than purely on SPF authentication, since SPF is checked on the bounce address (a.k.a. envelope from or Return-Path or smtp.mailfrom) instead of on the sender address that is visible to the recipient in their email client (the header.from).

This is visible in the ARC-Authentication-Results header you provided as it shows the domain used in the header.from=amazon.co.uk and the smtp.mailfrom=20230613081337141a97ca6a024ef9b0845e68c800p0eu-C398VBJJN95LVI@bounces.amazon.co.uk.

DMARC demands that either a) SPF passes on a domain that aligns with the header.from domain, or b) DKIM passes on a domain that aligns with the header.from domain.

I would advise you to read up on DKIM and DMARC because they are very important in modern-day email authentication, especially given that DKIM may survive forwarding, while SPF fails.

Depending on who the sender is, emails might fail DMARC check for their domain because DKIM is not applied (or a signed header has been altered during forwarding) and SPF is failing because your domain is not in their SPF record.

Possible fixes

Modern email services / systems will offer you various ways to approach this issue with forwarding emails that are failing authentication. This question, basically, is about the same issue as you're describing.

Since SRS might not be desirable and Enhanced Filtering not available in free email services like a Gmail account, your best hope is that FastHosts will start adding ARC headers to the emails that they are forwarding to different ESPs. But still, it will be up to the ESPs to recognize Fasthosts as a trusted ARC source.
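
The alignment rule from the answer above, as an added example that is not part of the original post: it recomputes the DMARC verdict from an Authentication-Results style header for three forwarding cases. The sample headers and domains are constructed, the function names are hypothetical, `PUBLIC_SUFFIXES` is a small stand-in for the real Public Suffix List, and the third sample assumes an SRS-rewritten envelope sender.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "example"}

def org_domain(domain):
    """Organizational domain = longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def domain_of(identity):
    """Domain part of an address, an '@domain' identity, or a bare domain."""
    return identity.rsplit("@", 1)[-1]

def parse_auth_results(header):
    """Return [(method, result, properties)] for the dkim/spf/dmarc clauses."""
    out = []
    for clause in header.split(";"):
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"((?:header|smtp)\.\w+)=(\S+)", clause))
            out.append((m.group(1), m.group(2).lower(), props))
    return out

def dmarc_eval(header):
    """Recompute DMARC (relaxed alignment): which passing checks align with From?"""
    results = parse_auth_results(header)
    from_dom = next(p["header.from"] for _, _, p in results if "header.from" in p)
    keys = {"dkim": ("header.d", "header.i"), "spf": ("smtp.mailfrom",)}
    aligned = []
    for method, result, props in results:
        ident = next((props[k] for k in keys.get(method, ()) if k in props), None)
        if result == "pass" and ident and \
                org_domain(domain_of(ident)) == org_domain(from_dom):
            aligned.append(method)
    return ("pass" if aligned else "fail"), aligned

# Constructed sample headers (not taken from the question).
SAMPLES = {
    "forwarded, DKIM intact": "mx.example.net; dkim=pass header.i=@shop.example; "
        "spf=fail smtp.mailfrom=b-1@bounces.shop.example; dmarc=pass header.from=shop.example",
    "forwarded, unsigned": "mx.example.net; dkim=none; "
        "spf=fail smtp.mailfrom=b-2@bounces.shop.example; dmarc=fail header.from=shop.example",
    "forwarded with SRS": "mx.example.net; dkim=none; spf=pass "
        "smtp.mailfrom=SRS0=ab12=CD=shop.example=b-3@forwarder.example; dmarc=fail header.from=shop.example",
}
```

The third sample shows the limit of SRS: SPF passes on the forwarder's domain, but that domain does not align with the From domain, so DMARC still depends on an aligned DKIM signature.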
