You set up email alias forwarding — contact@yourdomain.com pointing to your Gmail — and it worked for months. Then a client emails you about a signed contract. You never see it. You find out three weeks later when the deal is already gone.
No bounce. No spam folder entry. Nothing. Just a missing email and a missed opportunity.
This is what the alias + forwarding combo does when it runs into strict DMARC policies. The failure is silent, predictable, and completely avoidable — if you understand what's actually happening at the protocol level. This guide maps every failure point, gives you the exact error codes to look for in your logs, and explains the two protocols that make email alias forwarding actually work reliably.
If you need the setup basics first, start with the email forwarding setup and fix guide. This article is about the failure modes.
What Email Alias Forwarding Actually Does
An email alias is a routing label — no inbox, no login, no storage quota. When someone emails sales@yourdomain.com, your mail server receives the message and immediately redirects it somewhere else: usually a personal Gmail or Outlook account. It's the most common "good enough" solution for role addresses at small businesses. It's also the most common source of silently dropped mail.
Email alias forwarding routes incoming mail from an alias address to an external destination by opening a new SMTP connection. That new connection is where everything breaks down — because your server is now sending an email it didn't originate, with authentication headers it doesn't own.
The Two-Layer Email Problem
Every email has two distinct parts that most people never think about. Understanding them is the key to understanding why forwarding breaks authentication.
| Layer | RFC | Contains | Used By |
|---|---|---|---|
| Envelope | RFC 5321 | MAIL FROM (Return-Path) | Servers — routing and SPF checks |
| Header | RFC 5322 | From: address | Mail clients and DMARC alignment |
When client@bank.com emails your alias sales@yourdomain.com, bank.com's server sends it. SPF passes — bank.com authorized its own sending IPs.
When your server forwards that message to founder@gmail.com, it opens a new SMTP connection. Your server is now the sender on the Envelope. But the Header still says client@bank.com.
Gmail checks SPF for bank.com. It sees your server's IP — which bank.com never authorized. SPF fails. If bank.com has p=reject in its DMARC record, Gmail is instructed to delete the message immediately. The original sender gets no bounce. You get no notification. The email ceases to exist.
Three Ways Email Alias Forwarding Fails
Forwarding doesn't fail all at once — it fails in layers. Each failure mode has different symptoms and a different fix.
1. SPF Failure
SPF checks whether the sending server's IP is authorized by the sender domain's DNS record. When you forward, your IP replaces the original sender's IP in the new SMTP hop. Your IP isn't in their SPF record. SPF fails at the destination. This is the first domino.
2. DMARC Rejection
DMARC requires either SPF or DKIM to pass and align with the From: domain. SPF has already failed. If the forwarded message had its content modified in transit — appended footers, rewritten headers — the original sender's DKIM signature verification fails too. With both authentication methods broken, DMARC policy enforcement kicks in: p=quarantine routes mail to spam, p=reject deletes it outright.
3. Silent Drops
The worst outcome: the destination server quietly discards the message with no NDR (non-delivery report) sent back. No bounce to the original sender. Nothing in your inbox. This is why email alias forwarding feels reliable until suddenly it isn't — the failures are invisible by design.
Error Codes to Look for in Your SMTP Logs
If forwarded mail is going missing, check your SMTP logs or ask your host for NDR records. These three codes point directly to forwarding failures.
Microsoft 365 Block (5.7.520)
Microsoft Exchange Online blocks external auto-forwarding at the tenant level by default. This is an anti-data-exfiltration policy — and it catches legitimate forwarding too.
550 5.7.520 Access denied, Your organization does not allow external forwarding.Fix: In the Microsoft 365 Defender portal, modify the Outbound Spam Filter Policy to allow external forwarding, or switch to an explicit redirect rule instead of transport-level auto-forwarding.
Routing Loop (5.4.14 / 5.4.6)
A loop happens when two aliases forward to each other, or when a catch-all forwards to an address that sends something back to your domain.
554 5.4.14 Hop count exceeded - possible mail loopFix: Audit your transport rules. The classic trap: a catch-all on *@yourdomain.com forwarding to an address that has an out-of-office auto-reply configured to reply to all incoming mail.
DMARC Auth Failure (550 5.7.1)
The destination server rejected the forwarded message because forwarding broke the sender's DMARC authentication chain.
550-5.7.1 Unauthenticated email from bank.com is not accepted due to domain's DMARC policy.This is the canonical forwarding-breaks-DMARC error. The fix isn't in your DNS panel. It's SRS and ARC, implemented at the mail server level.
The Fix: SRS and ARC
You can't whitelist around a DMARC rejection. The destination server is executing the original sender's published policy. The only reliable fix for email alias forwarding is implementing two complementary protocols at the MTA (mail transfer agent) level — your hosting provider has to do this, not you.
SRS (Sender Rewriting Scheme)
SRS rewrites the Envelope Sender (Return-Path) to your own domain before forwarding the message. SPF checks at the destination now pass — they're checking your domain's record, and your server is authorized for your domain.
Without SRS:
Envelope From:client@bank.com
Sending IP: your forwarding server
SPF result: FAIL — your IP is not in bank.com's recordWith SRS:
Envelope From:SRS0=Hash=TT=bank.com=client@yourdomain.com
Sending IP: your forwarding server
SPF result: PASS — your IP is authorized for yourdomain.com
SRS also encodes a hash and timestamp into the rewritten address to prevent replay attacks. The SRS address expires after a few days, so it can't be harvested and reused.
ARC (Authenticated Received Chain)
SRS fixes SPF at the destination — but DMARC alignment is still broken. DMARC compares the From: header domain (bank.com) against authentication results. With SRS, the Envelope says yourdomain.com but the From: header still says bank.com. They don't match. DMARC SPF alignment fails.
ARC, defined in RFC 8617, adds a cryptographic chain of custody. Your server signs the forwarded message before sending it on, effectively telling the destination: "When I received this message, SPF and DKIM were valid. Here's my cryptographic seal as proof."
Gmail and Outlook both honor ARC seals from reputable forwarders. Instead of enforcing the DMARC failure, they evaluate the ARC chain, verify your seal, and trust the original authentication results. The message delivers.
| Protocol | What It Fixes | What It Doesn't Fix |
|---|---|---|
| SRS alone | SPF check failure at destination | DMARC alignment mismatch |
| ARC alone | DMARC alignment when DKIM survives | SPF check failure at destination |
| SRS + ARC | Full auth chain for forwarded mail | Catch-all spam amplification |
Neither protocol is a DNS setting. If your hosting provider hasn't implemented SRS rewrites and ARC sealing at the transport layer, external email alias forwarding will remain unreliable against any sender with a strict DMARC policy.
Two Operational Traps
Even with SRS and ARC in place, two common configurations will still cause problems.
The Reply-To Identity Leak
Forwarding is one-way. When you receive a forwarded email in Gmail and hit Reply, your From address is founder@gmail.com — not sales@yourdomain.com. The client sees your personal address instead of your professional one.
Workaround: in Gmail, configure "Send mail as" under Settings → Accounts. Enter your alias address and your domain's outbound SMTP credentials. Gmail routes outbound mail through your domain's server, so replies show your domain address. For connection details, see TrekMail's managed SMTP settings.
It works — but it's three extra config steps per account, and it breaks whenever you change your SMTP password.
The Catch-All Forwarding Trap
Never set a catch-all (*@yourdomain.com) to forward externally. Spammers routinely enumerate random local parts at known domains — billing@, admin@, noreply12345@. Every hit lands on your catch-all and gets forwarded out.
Gmail sees your server forwarding thousands of spam messages per day. Your sending IP gets flagged. Legitimate mail starts landing in spam — including mail sent from your real mailboxes. You're now spending weeks rebuilding a reputation that took months to establish.
If you need a catch-all for coverage, route it to a local inbox and check it manually. See mailbox forwarding in TrekMail for how to configure this safely without exposing your IP to spam amplification.
Alias Forwarding vs. a Real Mailbox: Which One to Use
For the full decision framework, the domain email alias vs mailbox guide covers every scenario. Here's the condensed version for forwarding specifically:
| Use Case | Use Forwarding | Use a Mailbox |
|---|---|---|
| Temporary redirect for an old address | ✓ | |
| Single-recipient role address (support@, info@) | Possible, with SRS + ARC | ✓ Simpler |
| Multiple people need to receive it | ✓ | |
| Need to reply from that address natively | Workaround only | ✓ |
Sender uses strict DMARC (p=reject) | Only if host has SRS + ARC | ✓ No issue |
| No-login backup address | ✓ |
The pattern to avoid: using email alias forwarding as a permanent substitute for a real mailbox to cut costs. If your provider charges per user, that tradeoff makes sense. If they don't, it's operational debt — extra configuration, edge cases, and authentication failures waiting to surface at the worst possible time.
How TrekMail Handles Forwarding
Configuring SRS and ARC yourself means editing Postfix transport maps, managing ARC signing keys, and keeping up with key rotation. That's a full server admin task — not something most operators want to touch.
On TrekMail's Pro and Agency plans, mailbox forwarding runs through an OpenARC-enabled transport layer. ARC sealing is applied automatically on all forwarded traffic. You configure the destination address in the dashboard. The authentication stack is handled at the MTA level — you don't touch DNS for this.
For most cases, though, the cleaner answer is skipping forwarding entirely. TrekMail uses flat-rate pricing — no per-user or per-mailbox fee. A support@yourdomain.com mailbox costs the same whether one person logs in or ten. There's no financial reason to use email alias forwarding to a personal Gmail account and then fight "Send As" configuration every time you onboard a new domain.
- SMBs: Give
support@its own IMAP login. Direct access. No identity leaks. No "Send As" reconfiguration every password change. - Agencies: Create dedicated mailboxes for client role addresses instead of forwarding to team members' personal accounts. Your team logs in directly, replies from the right address, and clients see a consistent sender.
If you're also setting up SPF, DKIM, and DMARC from scratch on your domains, the secure email baseline for business covers the full authentication stack in one place.
The Bottom Line
Email alias forwarding works fine in low-stakes setups. It fails predictably in these situations:
- The original sender uses strict DMARC (
p=quarantineorp=reject) - Your forwarding server doesn't implement SRS — SPF fails at the destination
- Your forwarding server doesn't implement ARC — DMARC alignment fails even after SRS
- You're forwarding a catch-all externally, which turns your server into a spam relay
- You need to reply from the alias address — forwarding doesn't support this natively
The fix is either proper protocol support at your host level (SRS + ARC together), or replacing the forwarding alias with a real mailbox that has a direct login. If you're paying per user, forwarding looks attractive on paper. On TrekMail's flat-rate plans, there's no cost reason to choose forwarding over a real mailbox.
TrekMail's Pro plan starts at $10/month — up to 100 domains, mailbox forwarding with ARC sealing, and no per-mailbox fees. The 14-day free trial requires a credit card; the Nano plan doesn't.
