Email Security Blog

The Fours Types of Senders: Forwarders

Agari November 25, 2014 DMARC
Fallback Featured Image

Series Introduction l Internal Infrastructure l Third Party Senders

John Wilson, Director, Sales Engineering

Let’s re-visit our cocktail party scenario to illustrate how this third type of sender works, because who doesn’t love a good party? Someone again hands you a business card, this time with a PayPal logo on it. You ask them how they like working at PayPal, and the person says, “I don’t work for PayPal. That guy over there gave me his business card to hand to you.” That’s forwarding in the world of cocktail parties, and the same thing happens every day with email.

The two most common types of forwarders are alumni forwarding services and disposable email address services. Alumni forwarders are quite common; you graduate from college, and your alma mater gives you an email address to use after you graduate. Here’s the catch: you get an email address, but no mailbox. Instead, you tell your university your “real” email address, and they set up your alias to relay all mail sent to your alias to your “real” email address.

A disposable email address (DEA) service enables people to have unlimited single-use email addresses that all relay into to the same real mailbox. Suppose you want to read a security whitepaper offered up by a website, but they will only let you download it in exchange for your email address. You can use a DEA service to generate a unique email address just for that purpose. Three months from now, when that email address starts receiving lots of spam, you’ll know who leaked your address to the spammers and you’ll be able to disable the disposable address.

Both of these forwarding scenarios introduce challenges for email authentication. Forwarding always breaks SPF. Some forwarders simply keep the original envelope domain; these messages will fail SPF authentication. Some forwarders change the envelope address when forwarding a message. These will fail SPF authentication due to DMARC’s alignment check. Either way, SPF is not going to pass, which means we must rely on DKIM in these situations.

Most forwarders pass the message along unchanged, and the DKIM signature will validate without issue. Unfortunately, some forwarders tamper with the message headers and/or body, in which case the DKIM signature will no longer validate. At Agari, we refer to these as “broken forwarders” or “sloppy forwarders”. Messages relayed through a broken forwarder will fail DMARC, and will be subject to quarantine or rejection if you’ve implemented a policy other than p=none.

How can you tell if a message has failed authentication due to a “broken forwarder”? If you are an Agari customer it’s easy. Simply use our IP Information tool to see what domains we see emanating from that IP; most forwarders will send email from dozens if not hundreds of domains.

Next week we will take a look at the final and definitely scariest type of sender: the malicious attacker.


Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

April 17, 2019 Fareed Bukhari

The Time is Now: Underscoring the Importance of DMARC for State and Local Governments

Scammers know that impersonating a trusted government agency is an extremely effective way to trick…

Agari Blog Image

February 26, 2019 Armen Najarian

Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead…

Person Looking at DMARC Protected Email

February 19, 2019 Fareed Bukhari

DMARC Adoption Up, But 85% of Fortune 500 Remains Vulnerable to Brand Hijacking

Adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has seen modest growth in recent…

Agari Blog Image

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC One…

Agari Blog Image

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

Today is the deadline set by the Department of Homeland Security for all executive branch…

mobile image