Need help with email forwarding to external/internal domains - DMARC rejection error with Sieve redirect

Your question

Is there anyone who can help me with forwarding?
Right now I am using Docker-based Stalwart v0.16.

I want to do 2 things:
1. Forward email to external domain and internal domain without copy
2. Forward email to external domain and internal domain with copy

I created a Sieve script, but the problem is that the Sieve script forwards the email and rewrites it, but at the recipient's end I got this error:
Diagnostic-Code: smtp; 550-5.7.26 Unauthenticated email from yashworldproducts.in is not accepted due
550-5.7.26 to domain’s DMARC policy. Please contact the administrator of
550-5.7.26 yashworldproducts.in domain if this was a legitimate mail. To learn
550-5.7.26 about the DMARC initiative, go to
550 5.7.26 Control unauthenticated mail from your domain - Gmail Help 41be03b00d2f7-c86653f42e0si20727505a12.265 - gsmtp
Status: 5.7.26

I know that the issue is relaying. I think I am sending email from my side instead of rewriting it, but I do not know how and where. Is there any single documentation or something where I can learn this?

The goal is simple:
1. Forward with copy
2. Forward without copy

That's it.

This is a classic DMARC forwarding problem. When Stalwart’s Sieve redirect action forwards a message to an external address (e.g. Gmail), it sends the original message as-is but from your server’s IP. Since the From: header still says @yashworldproducts.in and your server’s IP is not in that domain’s SPF record, and there’s no aligned DKIM pass from their domain, DMARC rejects it.

Here’s what’s actually happening and how to fix it:


Why DMARC rejects forwarded mail

When you redirect a message, your Stalwart server re-injects it to the external recipient. The recipient’s mail server (Gmail) sees:

  • From: [email protected] (original sender’s domain)
  • Sending IP: your server (not authorized by yashworldproducts.in)
  • Result: SPF fails, DKIM may be broken or missing for that domain → DMARC p=reject fires

This is a fundamental DMARC/forwarding compatibility issue, not a Stalwart bug. The standard solution is SRS (Sender Rewriting Scheme) - rewriting the envelope MAIL FROM to your own domain so SPF passes for your domain instead.


Solution: Rewrite the envelope sender (SRS-style)

In Stalwart, you can rewrite the envelope.from in a Sieve script at the MAIL FROM or DATA stage. This makes your server the accountable sender for SPF purposes.

Here is the pattern using a system Sieve script hooked to the DATA stage:

require ["variables", "envelope", "editheader"];

# Rewrite envelope.from to your domain to pass SPF on forwarded mail
if envelope :domain :is "from" "yashworldproducts.in" {
    set "envelope.from" "[email protected]";
}

But more practically, for a general forwarding rule you want to rewrite the return path to your own domain for all forwarded messages. The Sieve envelope extension lets you do set "envelope.from" "..." to replace it.


Forward without copy (redirect only)

# "redirect" is a base Sieve action, so no require line is needed
redirect "[email protected]";
# No "keep" = original is NOT kept locally

Forward with copy (redirect + keep local)

require ["copy"];

redirect :copy "[email protected]";
# :copy means the original is ALSO delivered locally (implicit keep)

The redirect :copy action (RFC 3894) sends a copy to the external address while still delivering to the original mailbox. Without :copy, the message goes only to the redirected address.


The critical fix: rewrite envelope.from before redirecting

Put together, a user-level Sieve script that forwards with copy AND fixes DMARC looks like:

require ["copy", "variables", "envelope"];

# Fix envelope sender so SPF passes from your server
set "envelope.from" "[email protected]";

# Forward with copy (keeps in local inbox too)
redirect :copy "[email protected]";

For forward without copy:

require ["variables", "envelope"];

set "envelope.from" "[email protected]";
redirect "[email protected]";

You can manage your personal Sieve scripts via the WebUI, ManageSieve, or JMAP. System-level scripts that apply server-wide are configured under Settings > Sieve > System Scripts in the WebUI.

Relevant docs:

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

The script itself is fine; this is the inherent forwarding-and-DMARC problem. When you redirect a message, the original From header still shows the sending domain (yashworldproducts.in here), so Gmail evaluates that domain’s DMARC on the forwarded copy, and since your server’s IP isn’t in its SPF and the DKIM no longer aligns, it rejects with 5.7.26. That’s not something the script can fix, and Stalwart doesn’t do SRS, so the visible From can’t be rewritten without breaking the message identity.

The with/without copy part is just the redirect form:

require ["copy"];

# forward, no local copy:
redirect "[email protected]";

# forward and keep a local copy:
redirect :copy "[email protected]";

So set expectations accordingly: forwarding mail whose original sender publishes a strict DMARC policy (Gmail and similar) to another DMARC-enforcing provider will be rejected, and that’s industry-wide, not specific to Stalwart. Where you control the sending domain, make sure the forwarding host is in its SPF and the message is DKIM-signed by an aligned domain. For arbitrary external-to-external forwarding there’s no clean knob short of SRS, which isn’t available. Sieve docs are at stalw.art/docs/sieve.
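
The DMARC decision Gmail applies to a forwarded message, as an added example that is not part of any post above and is not Stalwart code. It assumes relaxed alignment, approximates the organizational domain as the last two labels (real evaluators use the Public Suffix List), and uses the constructed forwarder domain `forwarder.example`.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header
    mail_from: str     # domain in the envelope MAIL FROM (what SPF checks)
    spf_pass: bool     # SPF verdict for mail_from at the connecting IP
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures

def dmarc(r: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passes AND aligns with the From: domain."""
    target = org_domain(r.header_from)
    spf_aligned = r.spf_pass and org_domain(r.mail_from) == target
    dkim_aligned = any(org_domain(d) == target for d in r.dkim_pass_domains)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "result": "pass" if (spf_aligned or dkim_aligned) else "fail"}

SENDER = "yashworldproducts.in"    # domain from the bounce in the question
FORWARDER = "forwarder.example"    # constructed name for the forwarding server

# Constructed scenarios, one per situation discussed in the thread.
SCENARIOS = {
    # Original delivery straight from the sender's own infrastructure.
    "direct": AuthResults(SENDER, SENDER, True, [SENDER]),
    # Plain redirect: envelope unchanged, forwarder IP not in sender's SPF.
    "plain_redirect": AuthResults(SENDER, SENDER, False, []),
    # Envelope rewritten to the forwarder: SPF passes, but for the wrong domain.
    "envelope_rewritten": AuthResults(SENDER, FORWARDER, True, []),
    # Same, but the sender's DKIM signature survived the forward intact.
    "redirect_dkim_intact": AuthResults(SENDER, FORWARDER, True, [SENDER]),
    # Sender's SPF record lists the forwarding host (you control that domain).
    "forwarder_in_sender_spf": AuthResults(SENDER, SENDER, True, []),
}

def evaluate_all() -> dict:
    return {name: dmarc(r)["result"] for name, r in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:26s} {verdict}")
```

An SPF pass only counts toward DMARC when the MAIL FROM domain aligns with the From: header, so a forwarded message is accepted only through an intact aligned DKIM signature or an SPF record that authorizes the forwarding host.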