A cautionary tale

[soapergem]

I have been using this email forwarder Lambda for several years but just recently Amazon let me know it was a problem. I'm going to describe the situation but I will use fake email addresses that still illustrate the problem.

• I have been volunteering doing all the tech for a small nonprofit
• Originally they were set up with a Gmail address (smallnonprofit@gmail.com) for all of their email
• Later I got a domain for them so I wanted to set up info@smallnonprofit.com
• However they liked the ease of managing everything in Gmail
• So I set up this forwarder to send anything that comes in to info@smallnonprofit.com to forward immediately to smallnonprofit@gmail.com (it would forward as noreply@smallnonprofit.com)
• Furthermore I configured Gmail to allow me to send as the info@smallnonprofit.com address

For several years this was working fine. But then just the other day, I got this message from AWS support:

Your current bounce rate is 10.87%. We measured this rate over the last 10,244 eligible emails* you sent. Our analysis covers the last 346.1 days.

We recommend that you maintain a bounce rate below 5%. If your bounce rate exceeds 10%, we might pause your ability to send additional email.

The bounce rate is based on the number of hard bounces that occur as a result of the emails you send. A hard bounce occurs when an email address doesn't exist.

Email providers interpret a high bounce rate as a sign that you're not actively managing your customer database, or that you're sending unsolicited email. Email providers might block your email if your bounce rate is too high. To protect your reputation as a sender, we monitor this metric closely and take action if the rate gets too high.

Long story short: AWS has now paused my ability to send any emails from SES completely. The reason is because every piece of mail coming to info@smallnonprofit.com is being dutifully forwarded by this app to the Gmail account. Every piece of mail: including lots of spam. From AWS' perspective, this means I am now sending lots of spam. They assumed this meant that one of my AWS access keys got compromised, when in fact this is just normal operation of the forwarder when you use an address that has existed for any reasonable amount of time.

Unfortunately, this means I have to stop using this application altogether and come up with a different set up.

[lets-getitnow]

GPT recommended:

Change SES Forwarding to Use Sender Rewriting Scheme (SRS)
Right now, all forwarded mail appears to come from your domain (noreply@smallnonprofit.com) — which is a big red flag to spam filters and AWS.

Use SRS so that forwarded messages preserve the original sender in a compliant way. This prevents SPF/DKIM/DMARC failures.

Resources:

Postfix with SRS
Mail forwarding and SRS overview