What is a Sender Rewriting Scheme (SRS)

SRS stands for Sender Rewriting Scheme. It is a technique that allows emails received for one domain to be forwarded to a different domain without failing SPF checks at the destination. This page discusses what SRS is, when you want to turn it on, and how to do it.

Definition

The sender's email address appears in two locations when emails are exchanged between two SMTP servers:

  1. In the SMTP envelope. The remainder of this document will call this value F1.
  2. In the FROM header of the email message. The remainder of this document will call this value F2.

Refer to this document for details about the differences between these values.

To detect sender forgeries, spam filters and email servers use technologies like SPF and DKIM. SPF relies on the value of F1, while DKIM's signature covers F2. When SRS is enabled, the forwarding SMTP server changes the value of F1 before the message is sent to the next hop; F2 is left untouched.

Why do you need SRS?

Consider the following scenario:

  • Assume your domain name is mydomain.com.
  • An SMTP server, let's call this S1, handles incoming messages for this domain and also acts as a spam filter.
  • For redundancy purposes, you want to set up a secondary SMTP server with a lower MX priority. We'll call this secondary server S2. If emails arrive at S2, you want it to forward them to S1.
  • Now, assume you receive an incoming email from someone@gmail.com that is for userA@mydomain.com.
  • Your primary SMTP server, S1, will perform an SPF lookup to ensure this message originated from Google's IP addresses. If it does not come from an authorized IP address, it will be considered a forgery.
  • Since S2 is running behind an IP address not part of Google's authorized servers, S1 will treat emails arriving from S2 as forged.
  • Using SRS can solve this problem.

When SRS is enabled, the MAIL FROM value in the envelope (F1) is rewritten to use a domain whose SPF record authorizes the IP address of the forwarding server (S2).

Refer to the before and after examples below.

Before SRS

EHLO mail-ed1-f54.google.com
MAIL FROM: <someone@gmail.com>
RCPT TO: <userA@mydomain.com>

After SRS

EHLO mail-ed1-f54.google.com
MAIL FROM: <SRS=12345=67890=gmail.com=someone@gateway.mydomain.com>
RCPT TO: <userA@mydomain.com>

Notice the sender's email address is changed from someone@gmail.com to SRS=12345=67890=gmail.com=someone@gateway.mydomain.com, which belongs to a domain other than gmail.com. When S1 receives this message, it will perform an SPF lookup against gateway.mydomain.com rather than gmail.com, and the check will pass because that domain's SPF record authorizes S2's IP address.

The actual composition of the email address (SRS=12345=67890=gmail.com=someone@gateway.mydomain.com) is beyond the scope of this article. However, if you are interested, you can refer to this page.
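To make the rewrite concrete, the following added example (not Xeams code, and not necessarily the exact layout Xeams uses; the article's own sample address differs) implements the generic SRS0 rewrite and its reverse with an HMAC tag and a day-resolution timestamp, so that a forwarder can later route bounces back to the original sender while rejecting forged or stale SRS addresses. The forwarder domain and the secret are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Constructed values: not real settings. The forwarder domain is the SRS
# domain whose SPF record authorizes S2's IP address.
FORWARDER = "gateway.mydomain.com"
SECRET = b"constructed-secret-do-not-reuse"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # bounces to an SRS address older than this are refused

def srs_timestamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]

def srs_hash(timestamp, domain, local):
    """First 4 base32 characters of an HMAC over the rewritten parts."""
    msg = f"{timestamp}{domain.lower()}{local}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:4]

def srs_forward(mail_from, day=None):
    """Rewrite the envelope sender (F1) so SPF is checked against FORWARDER."""
    local, domain = mail_from.rsplit("@", 1)
    ts = srs_timestamp(int(time.time() // 86400) if day is None else day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"

def srs_reverse(srs_addr, day=None):
    """Recover the original sender for a bounce; None if forged or expired."""
    local, domain = srs_addr.rsplit("@", 1)
    if domain.lower() != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)  # maxsplit keeps '=' inside the original local part
    if len(parts) != 5:
        return None
    _, tag, ts, orig_domain, orig_local = parts
    # Verify the HMAC first so untrusted input never reaches the timestamp decode.
    if len(ts) != 2 or not hmac.compare_digest(tag, srs_hash(ts, orig_domain, orig_local)):
        return None
    today = (int(time.time() // 86400) if day is None else day) % 1024
    sent = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (today - sent) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"
```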

How to Enable SRS

Enabling SRS is a three-step process:

  • Step 1 - Assign an SPF record to the FQDN where you're running S2.
  • Step 2 - Configure Xeams for this FQDN. Go to Server Configuration/SMTP Configuration, select the Advanced tab, and enter the FQDN in the SRS Domain field.
  • Step 3 - SRS in Xeams is enabled per profile. Go to Home/Switch Profiles. Modify the desired profile by clicking the Edit button in the upper right-hand corner of the profile box. Finally, check the Enable SRS box.

Note

SRS is not enabled for the default profile, and it cannot be enabled for that profile through the web GUI; this restriction is designed to prevent SRS from being turned on accidentally. If you need to enable SRS on the default profile, add the following line to the server.properties file.

enable.srs.for.default.profile=true