SRS is a technique for rewriting the sender address of an email message that is forwarded by a service that is not authorized to send messages on behalf of the sender domain
What is SRS?
SRS stands for Sender Rewriting Scheme, a technique for rewriting the sender address of an email message. SRS is used by email forwarding services, such as mailing lists or aliases, to ensure that the forwarded messages can pass the SPF (Sender Policy Framework) check. SPF is a mechanism for verifying the authenticity of the sender domain by comparing it with the IP address of the mail server that sent the message. If the sender domain and the mail server do not match, the message may be rejected or marked as spam by the recipient's mail server.
How do SRS and DMARC work together?
SRS and DMARC work together to improve email authentication and deliverability, especially for messages that are forwarded by third-party servers. Without SRS, forwarded messages may fail the SPF check, because the envelope sender domain does not match the original sender domain. This can result in the messages being rejected or marked as spam by the receiver's server.
With SRS, the envelope sender domain is rewritten to match the forwarding server's domain, which can pass the SPF check. However, this may cause the DKIM signature to break, because the message headers are modified by the forwarding server. To prevent this, the forwarding server can either re-sign the message with its own DKIM key, or use a relaxed canonicalization algorithm that ignores the changes in the headers.
By using SRS and DMARC, the original sender's domain is still visible in the message, and the receiver can verify the message authenticity and integrity. Moreover, the original sender can receive feedback reports from the receiver's server, which can help to identify and fix any issues with the email delivery and security.
How does SRS work?
SRS works by changing the sender address of a forwarded message to a new address that belongs to the forwarding service. The new address contains the original sender address encoded in a special format, along with a cryptographic signature to prevent tampering. The new address also has a prefix that indicates that it is an SRS address, such as "SRS0" or "SRS1". For example, if Alice sends a message to Bob, and Bob forwards it to Charlie using an SRS-enabled service, the sender address of the message that Charlie receives will look something like this:
- Original sender address: alice@example.com
- Forwarded sender address: SRS0=XYZ=example.com=alice@example.net
The SRS address has three parts: the prefix, the signature, and the encoded original address. The prefix indicates the number of times the message has been forwarded using SRS. The signature is a hash of the encoded original address and a secret key that is known only to the forwarding service. The encoded original address consists of the original sender domain and the original sender local part, separated by an equal sign. The equal sign is used to avoid confusion with the at sign (@) that is normally used to separate the local part and the domain of an email address.
When Charlie replies to the message, his mail server will send the reply to the SRS address, which will be received by the forwarding service. The forwarding service will then decode the original sender address from the SRS address, verify the signature, and forward the reply to Alice. The forwarding service will also rewrite the sender address of the reply to an SRS address, so that Alice can reply back to Charlie. This process can be repeated as many times as needed, as long as the prefix does not exceed a certain limit (usually SRS9).
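To make the rewrite and the reply path concrete, here is an added Python example (not code from the original page or from any SRS implementation) of a forwarding service that builds the SRS0 address described above and decodes and verifies it when a reply comes back; the forwarder domain example.net, the secret key and the use of a truncated HMAC-SHA256 as the signature are assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed values for this example: the forwarding service's domain and the
# secret key that, as the page says, only the forwarding service knows.
FORWARDER_DOMAIN = "example.net"
SECRET_KEY = b"constructed-forwarder-secret"


def _signature(encoded: str) -> str:
    # The page calls the signature "a hash of the encoded original address and a
    # secret key"; a truncated HMAC-SHA256 is used here (an assumption).
    mac = hmac.new(SECRET_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    return mac[:8].upper()


def srs_forward(sender: str) -> str:
    """Rewrite local@domain to SRS0=<sig>=<domain>=<local>@<forwarder domain>."""
    local, domain = sender.rsplit("@", 1)
    encoded = f"{domain}={local}"  # '=' stands in for '@' inside the address
    return f"SRS0={_signature(encoded)}={encoded}@{FORWARDER_DOMAIN}"


def srs_reverse(address: str) -> Optional[str]:
    """Decode an SRS0 address back to the original sender, or return None when the
    address is not this forwarder's or its signature does not verify (the encoded
    part was altered, or it was built under a different secret key)."""
    if "@" not in address:
        return None
    local, domain = address.rsplit("@", 1)
    if domain != FORWARDER_DOMAIN or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 3)  # maxsplit keeps any '=' inside the local part
    if len(parts) != 4:
        return None
    _prefix, sig, orig_domain, orig_local = parts
    expected = _signature(f"{orig_domain}={orig_local}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return f"{orig_local}@{orig_domain}"


def relay_reply(reply_from: str, reply_to: str) -> Optional[Tuple[str, str]]:
    """Handle a reply sent to an SRS0 address: recover the original sender to
    deliver to, and rewrite the replier's address so that sender can reply back."""
    original = srs_reverse(reply_to)
    if original is None:
        return None  # bad signature or not our address: do not relay
    return srs_forward(reply_from), original
```

An address whose encoded part has been edited, or one built under a different key, fails `srs_reverse` and is not relayed, which is the protection the signature is meant to give.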
How does SRS affect email headers?
SRS affects the email headers by rewriting the sender address in the "From" header, and adding a new header called "Resent-From" that contains the SRS address. The "Resent-From" header is used to indicate that the message has been forwarded by an intermediate agent, and to provide the address for reply. The "From" header is rewritten to match the SRS address, so that the message can pass the SPF check. The original sender address is preserved in the "Sender" header, which is used to indicate the actual identity of the sender. For example, the email headers of the message that Charlie receives from Alice via Bob's forwarding service would look something like this:
- From: SRS0=XYZ=example.com=alice@example.net
- Resent-From: SRS0=XYZ=example.com=alice@example.net
- Sender: alice@example.com
- To: charlie@example.org
- Subject: Hello
The email headers of the reply that Alice receives from Charlie via Bob's forwarding service would look something like this:
- From: SRS0=ABC=example.org=charlie@example.net
- Resent-From: SRS0=ABC=example.org=charlie@example.net
- Sender: charlie@example.org
- To: SRS0=XYZ=example.com=alice@example.net
- Subject: Re: Hello
Why is SRS important?
SRS is important because it allows email forwarding services to comply with the SPF policy of the sender domains, without compromising the identity of the original senders. Without SRS, the forwarded messages would fail the SPF check, because the forwarding service's mail server would not be authorized to send messages on behalf of the sender domain. This would result in the messages being rejected or marked as spam by the recipient's mail servers, or the sender domains being blacklisted by the SPF records. SRS preserves the sender identity by encoding it in the SRS address, and allows the forwarding service to act as a proxy for the sender domain.
What are the limitations of SRS?
SRS has some limitations that may affect its usability and security. Some of these limitations are:
- SRS addresses are longer and more complex than normal email addresses, which may cause confusion or mistrust among users. Users may not recognize the SRS address as belonging to the original sender, or may think that it is a phishing attempt. Users may also have difficulty typing or copying the SRS address, or may exceed the length limit of some email clients or servers.
- SRS addresses are vulnerable to spoofing or forging, if the secret key of the forwarding service is compromised or guessed. An attacker could create a fake SRS address that encodes a different sender address than the original one, and use it to send malicious messages to the recipients. The recipients would think that the messages are coming from the original sender, and may trust them or reply to them. The forwarding service would not be able to detect the fake SRS address, unless it keeps a record of all the SRS addresses that it generates.
- SRS addresses are not compatible with some email features or standards, such as DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), or ARC (Authenticated Received Chain). These features or standards rely on the sender address or the message headers to verify the authenticity or the delivery path of the message, and may not work well with the SRS address or the rewritten headers. This may cause the messages to fail the verification or the alignment checks, and be rejected or marked as spam by the recipient's mail servers.
Need Help?
support@sendmarc.com is standing by to assist!