Some emails don't reach my GMail, Outlook, Yahoo, etc.

On AlternC, you configured email forwarding, meaning that all emails you receive in your Koumbit mailbox (let's call it the "Koumbit mailbox") are redirected to another GMail, Outlook, Yahoo or other mailbox (let's call it the "destination mailbox"). The problem is that someone tried to contact you from their email address (let's call it the "source mailbox") and that email did not make it to your "destination mailbox". Instead, the person received an error message in their "source mailbox" from GMail, Outlook or Yahoo saying that their email bounced. If you go to Roundcube (mail.koumbit.net), you can see the email from the "source mailbox", but it didn't make it to your "destination mailbox": it didn't fall into Spam, it just seems to have disappeared.

What is going on?

How the Internet protects itself from spammers

The problem comes from the spam protection mechanisms commonly used on the Internet, namely the SPF and DKIM mechanisms.

The SPF mechanism ("Sender Policy Framework") allows a website to confirm the IP addresses through which emails can be sent. It is a confirmation from the server that sent the email that it comes from an IP address that has the right to send emails. A hacker who took control of a computer and sent spam would have little chance of having a valid SPF, unless the server hacked has permission to send email.

The DKIM ("DomainKeys Identified Mail") mechanism allows a Website to sign an email, authenticating it as valid email. This signature comes from a piece of information (a "key") that is located on the server. A hacker who took control of a server with a valid SPF could not send signed emails unless he had access to this key, which is often well protected.

This is why hackers try to take control of existing mailboxes: these mailboxes normally have a valid SPF and can send signed emails with DKIM.

What does this have to do with email forwarding?

So here's what happens when you redirect an email:

So the SPF of the email shows the address 200.201.202, which is no longer accurate when the email is redirected from Koumbit. The email will not be blocked by Koumbit, but when it arrives at the "destination mailbox", it will definitely have an invalid SPF. The server that has the "destination mailbox" will see the email arrive from 199.58.80.40 (Koumbit's server), while the SPF included with the email indicates that the valid server is 200.201.202.

The DKIM, on the other hand, should be correct, if there were no changes to the email during its transfer. The DKIM will fail if the email was modified en route: if lines were added before being sent by the "source mailbox" server, or by the Koumbit server during transfer.

The "destination mailbox" servers use varying rules, but will generally accept an email:

• That passes SPF and DKIM (ideal situation),
• Who passes SPF and fails DKIM (which should not happen in our case),
• Who fails SPF and passes DKIM (which should be our case most of the time).

If an email fails SPF and DKIM, it is often rejected by the "destination mailbox" server.

What should we conclude from this? A redirected email will arrive at the "destination mailbox" only if its DKIM is correct. This implies two factors:

• The DKIM must be correctly configured on the server of the "source mailbox",
• The email must not be modified between the time it is signed and its arrival on the "destination mailbox" server.

Koumbit ensures that no changes are made during the transfer. However, Koumbit has no control over the servers that send the email! If that server is misconfigured and does not sign the email correctly with DKIM, or if that server changes the email after it has been signed, then the email will fail DKIM.

Solutions

The protocols for sending emails were not designed to ensure that emails remain perfectly synchronized across multiple mailboxes. This is what happens here: the emails are in two mailboxes at the same time: the "Koumbit mailbox" and the "destination mailbox". There is a mechanism that ensures that emails are synchronized between your computer and the server (the IMAP protocol), but there is no mechanism that ensures that multiple mailboxes on multiple servers have the same emails. It will always be a bit dangerous to keep your emails in several mailboxes at the same time.

We therefore propose three solutions to avoid these problems:

1. Avoid redirection entirely and use tools such as Thunderbird, Outlook or online email through the Roundcube web interface.
2. Eliminate the mailboxes at Koumbit and redirect all emails directly to the desired destination through an MX entry. This tells the internet that, for example, all emails from "yourwebsite.org" should not be routed to Koumbit, but rather to another service, like GMail. Note that all emails from the site must be redirected to the same place: for a given site, there cannot be one GMail address, one Outlook address, etc.
3. Keep the redirection as it is, but keep an eye on the Roundcube web interface to see if any emails arrived at Koumbit but did not make it to the "destination mailbox".

Another way to look at email is this: Given the ecological cost of an email, is it really relevant to want to keep it in two mailboxes at the same time?