I wrote:
SRS breaks SES. The mail will be rejected if the mail is forwarded by a
second forwarder (not doing SRS) after being forwarded by a forwarder that
applied SRS.
David Woodhouse answered:
I don't understand why this mail would be rejected. Unless it's just
rejected due to the normal brokenness of SPF when mail is forwarded?
If no forwarder applies SRS, the following happens:
example.com sends mail to forwarder1.com saying
MAIL FROM:<=XXXXXXX=name@example.com>
forwarder1.com sends it to forwarder2.com saying
MAIL FROM:<=XXXXXXX=name@example.com>
forwarder2.com sends it to final.com saying
MAIL FROM:<=XXXXXXX=name@example.com>
final.com checks the signature and accepts the mail.

If the first forwarder applies SRS, the following happens:
example.com sends mail to forwarder1.com saying
MAIL FROM:<=XXXXXXX=name@example.com>
forwarder1.com sends it to forwarder2.com saying
MAIL FROM:<SRS0=HHH=TT=forwarder1.com=XXXXXXX=name@forwarder1.com>
forwarder2.com sends it to final.com saying
MAIL FROM:<SRS0=HHH=TT=forwarder1.com=XXXXXXX=name@forwarder1.com>
final.com checks SPF and gets the result "Fail". Since the return-path is
not signed, it rejects the mail.
Roger
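
Added example, not part of the original message: a small Python model of the two relay chains above, showing how final.com's decision changes once forwarder1.com rewrites the envelope sender. The signing key, the truncated-HMAC signature, the simplified SRS0 layout (with HHH and TT left as placeholders) and the SPF table are all constructed stand-ins, not the real SES, SRS or SPF encodings.

```python
import hashlib
import hmac

# Constructed sample data (assumptions for this model only).
SES_KEY = b"constructed-demo-key"
SPF_ALLOWED = {  # domain -> hosts its SPF policy permits; anything else is "Fail"
    "example.com": {"example.com"},
    "forwarder1.com": {"forwarder1.com"},
}

def ses_sign(local, domain):
    """Toy SES sender '=SIG=local@domain'; SIG is a truncated HMAC."""
    msg = f"{local}@{domain}".encode()
    sig = hmac.new(SES_KEY, msg, hashlib.sha256).hexdigest()[:7]
    return f"={sig}={local}@{domain}"

def ses_verify(addr):
    """True only if addr has the toy SES shape and the signature matches."""
    local, _, domain = addr.rpartition("@")
    parts = local.split("=")
    if len(parts) != 3 or parts[0] != "":
        return False  # e.g. an SRS0 address: the signature is buried, not usable
    return hmac.compare_digest(ses_sign(parts[2], domain), addr)

def srs_rewrite(addr, forwarder):
    """Simplified SRS0 rewrite: the sender domain becomes the forwarder's."""
    local, _, domain = addr.rpartition("@")
    return f"SRS0=HHH=TT={domain}={local}@{forwarder}"

def spf_check(addr, client):
    """SPF is evaluated against the domain in MAIL FROM and the connecting host."""
    domain = addr.rpartition("@")[2]
    return "Pass" if client in SPF_ALLOWED.get(domain, set()) else "Fail"

def final_decision(mail_from, client):
    """final.com: a valid SES signature accepts; otherwise SPF decides."""
    if ses_verify(mail_from):
        return "accept (SES signature valid)"
    result = spf_check(mail_from, client)
    return "accept (SPF Pass)" if result == "Pass" else f"reject (unsigned, SPF {result})"

def relay(srs_at_forwarder1):
    """example.com -> forwarder1.com -> forwarder2.com (no SRS) -> final.com."""
    sender = ses_sign("name", "example.com")
    if srs_at_forwarder1:
        sender = srs_rewrite(sender, "forwarder1.com")
    return sender, final_decision(sender, client="forwarder2.com")

if __name__ == "__main__":
    for srs in (False, True):
        print(srs, *relay(srs))
```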