If you go to https://forwardemail.net/fr/faq?domain=some.domain.com&email=some.email%40gmail.com#questions-fr%C3%A9quemment-pos%C3%A9es and then click on the first header, the DOM will give you this error in DevTools console:

jquery.js:1560 Uncaught Error: Syntax error, unrecognized expression: #questions-fr%C3%A9quemment-pos%C3%A9es
    at Function.Sizzle.error (jquery.js:1560)
    at Sizzle.tokenize (jquery.js:2216)
    at Sizzle.select (jquery.js:2643)
    at Function.Sizzle [as find] (jquery.js:862)
    at jQuery.fn.init.find (jquery.js:2896)
    at new jQuery.fn.init (jquery.js:3006)
    at jQuery (jquery.js:152)
    at changeHashOnScroll (change-hash-on-scroll.js:10)
    at dispatch (jquery.js:5237)
    at elemData.handle (jquery.js:5044)

It is hard to change link(ed) social account (like github), so adding link(ed) social accounts on profile page on site, so users can easily add/change/delete linked accounts?

• The emoji above "our features" should be the same emoji as the one on the home page

I'm seeing a ton of people configure this incorrectly, so until free plan offered for everyone has enhanced protection, a job with this email to go out should be sent.

If I check the pricing page, it seems like the "Enhanced protection" costs $3 per month. But if I switch a domain to this it seems like it's per domain.

That wasn't clear to me upfront.

On this page https://forwardemail.net/ru/my-account/domains/__domain__/advanced-settings

• Change the purple orb emoji - looks unprofessional
  • Maybe use a mail emoji instead

Hello everyone,

first thanks for this great service, its very useful!

I set up a webhook and found out the raw attribute of the json data send to my webhooks contains malformed data. In FAQ it seems raw should look like this:

"raw": "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardemail.net;\r\n q=dns/txt; ...

however in the actual http request they look like this

"raw":{"type":"Buffer","data":[65,82,67,45,83,101,97,108,58,32,105,61,49,59,32,97,61,114,115,97,45,115,104,
97,50,53,54,59,32,116,61,49,54,51,50,52,56,48,57,50,52,59,32,99,118,61,110,111,110,101,59,32,100,61,102,
111,114,119,97,114,100,101,109,97,105,108,...

This causes the webhook requests to be huge and often refused by services like requestbin.com with expcetions claiming request is too large (in this particular case The body of the request is too large. Requests must be smaller than 100k (413).

Some splits are very bad for translation.

Not sure how the system try to check if a password is strong or not, but 64 characters with 256bit key autogenerated password should be enough.
But it is not.
I suggest to change the way to check the passwords on the system.

Thanks

configuration is exposed in the TXT records in plain text

This is not clearly explained on the website. Not only ought it be stated during signup not-burried in a link, but the impact ought be explained. DNS is harvested for any number of privacy demeaning free services since 2008. Free users can ironically expect spam.

• Change "We don't store logs nor emails." to "We do not keep logs nor store emails."
  • Make sure this change is made everywhere that phrase is shown
• "Stay Protected" button should be blue and in all caps to stand out and call attention for action (similar to the "SIGN UP FOR FREE" button
• Under "100% open-source" section make these changes:
  • change "we don't store logs never read emails" to "we do not keep logs, never read nor store emails"
• Our feature buttons should be blue instead of grey when you hover over it (this is to keep in line with branding and make blue associated with call-to-action buttons)
  
• "View source code" should be blue and in all caps as well
• If possible, make the "Our Numbers" section add up like a stopwatch to final numbers

• Add step before step 6 called "Double-check and make sure you have the following MX and TXT records set in your registrar's DNS management page:"

• After this added step, please add this step below
  • "After you've saved all your changes, please purge your cache at https://1.1.1.1/purge-cache/"
  • Tip: Make sure you purge all MX, TXT, and DNS records

I trying to one-time cancel subscription for changing payment mehod,
but I got 500 internal server error with this message:

Cannot read property 'paypalSubscriptionID' of undefined

Background

Today (2021-01-17 JST), I want change subscription method from Paypal to Credit card (via Revolut),
but I cannot found changing to payment method on forwardemail.net.

So, I think:

Maybe, I'm enable to change of payment method,
one-time cancel subscription, and re-subscribe to different payment method...?

and trying that, but I got 500 error.

And note, I'm ok that I cannot change to payment method at today or later,
but that error probablly makes trouble another people I think.

How to reproduce

1. Go to billing page on My account
2. Click Cancel Subscription button and OK on confirm dialog
3. I got 500 internal server error with Cannot read property 'paypalSubscriptionID' of undefined

Environments

• Windows 10 Pro 20H2 (Japanese Edition)
• Firefox 84.0.2 by PortableApps (Japanese locale)
• Currenly, My subscription method is payment at monthly via Paypal

and,

• I got this error both Normal and Private mode on Firefox
• My main locale is Japanese, but I used by English on forwardemail.net
• When I trying to one-time cancel subscription, I registered two own domain my account.

I have been using the freeplan for quite a while and the only thing I would like to improve a bit is the fact that the configuration is exposed in the TXT records in plain text. I know the paid plan has a feature that fixes this, but there is another option:

Store the configuration in publicly exposed DNS records, but in an encrypted form. The DNS record could then look for example like this:

Option 1 - Symmetric algorithm

Given that the key for symmetric encryption must be kept secret, the encryption would have to be done by the site. The user would sign into their account in forwardemail.net, enter the desired value and the website would return an encrypted version of the value. User would then just copy-paste this value into their DNS configuration.

Option 2 - Asymmetric algorithm

In this case, the public key could be really publicly exposed and therefore the encryption could be done by the users manually, it can be done on users' machines, it could be used in automated scripts etc. Decryption of asymmetrically encrypted data is usually more complex though.

I know this means development of new functionality (e.g. encryption key storage), but it does not require additional storage which would grow with the number of users (you can just rotate the keys every couple of weeks/months and the keys can be shared) and it does not require additional network calls when processing a forwarded e-mail.

Another benefit of this feature is that DNS records for webhooks could then also contain shared secret for signing the payload (like GitHub uses for their webhooks) which makes security the webhook consuming endpoint a lot simpler.

I case you decided to give this one a try, I am happy to assist.

Hi, after registering a domain I don't see information needed to set TXT and MX records. I added MX from FAQ, it was verifed succesfully. Additionaly, after free domain upgrade, i see error while entering domains:

Błąd
/var/www/production/source/app/views/my-account/domains/retrieve.pug:72 70| h5.card-header= t('Enhanced Protection Verification Record') 71| .card-body > 72| p!= t('Please ensure that a TXT record exists for %s with the following value:', domain.name) 73| .input-group 74| input(type='text', readonly, value=${config.recordPrefix}-site-verification=${domain.verification_record}).form-control#verification-record 75| .input-group-append [sprintf] unexpected placeholder

Could mailgun be used as the underlying provider forwarding messages? I have no interest running a public instance. I would want the upside of DEA [for a small group of personally known basic-auth users] without the not-awesomeness of catch-all email sieves.

gmail would be extremely opposite of respecting users' privacy concerns

In the Enhanced Protection plan's features, one of the features is a "Browser extension", but I can't find any other info about it... is this feature still in development?

Interested to see what the extension will be for – is it for generating new aliases?

Hello, and thanks for your great service!

It appears that some of the mail messages that are supposed to be forwarded to Gmail fail to arrive.

Here are the facts:

My bank sends me a mail notification for every transaction in my account. When it's sent directly to my Gmail address, it arrives without any problem (it passes SPF and DMARC, but doesn't have DKIM). When I configure my bank account to send the notification to my custom-domain address (which is supposed to be forwarded by ForwardEmail.net to the same Gmail address) I stop getting those messages all-together.

All SpamScanner features are disabled for this domain.

I tested what happens when I forward the messages to a Protonmail address instead of Gmail. They do arrive, but to the spam folder, and with the warning "This email has failed its domain's authentication requirements. It may be spoofed or improperly forwarded!" (Ironically, when the bank sends the notifications directly to the Protonmail address, they don't arrive at all).

For my specific use case, I found a workaround: I configured the bank account to send the notifications to a special address on my domain, which (using ForwardEmail.net) triggers a webhook. This webhook on my web server crafts a new message, and sends it to the "real" custom-domain address I want (and then ForwardEmail.net forwards it to my Gmail). Since I just want to know that a notification was received (and don't need to see the content), this is fine for me.

However, I suppose you may want to take a look at the problem, and find why it happens. I can send you (privately) examples of:

• A notification mail from the bank (as received directly in my Gmail);
• A forwarded notification as received in my Protonmail;
• A payload that was received by the webhook.

Please let me know if I can be of any assistance.

421 SPF validation failed with result "permerror" and explanation "SPF Permanent Error: Two or more type TXT spf records found." - if you need help please forward this email to [email protected] or visit https://forwardemail.net

Domain is https://www.csteachingtips.org/

I'd really appreciate help getting this figured out. I have the MX and SPF record in place.

In

different bad tlds get declared. Trying to use one of them for emailforwarding will require a piad plan. Looking throught the given sources these lists do not correlate to them. E.g .email and .ga can not be found on one of the three lists while others that are on the lists are not on there.

I would also like to see a way to be capable of using theme, as the only free available tlds out there are all on the list, so someone who would like to create a hobbypage could not use it. Maybe make it a one time payment at least in order of some kind of verification process.

Where do i get the dkim record that I need to add in my domain DNS txt record?
I am using cloudflare for dns

Import And Export Alias On Enhanched Version! ForwardEmail Already have import from "TXT" Record but if someone who used alternative like simplelogin before! They can import from csv file! It would be great if this feature get added!

Hi, after registering a domain I don't see information needed to set TXT and MX records. I added MX from FAQ, it was verifed succesfully. Additionaly, after free domain upgrade, i see error while entering domains:

Błąd
/var/www/production/source/app/views/my-account/domains/retrieve.pug:72 70| h5.card-header= t('Enhanced Protection Verification Record') 71| .card-body > 72| p!= t('Please ensure that a TXT record exists for %s with the following value:', domain.name) 73| .input-group 74| input(type='text', readonly, value=${config.recordPrefix}-site-verification=${domain.verification_record}).form-control#verification-record 75| .input-group-append [sprintf] unexpected placeholder

Hi,

New user here.
Im moving over to your service from mailgun (I'm sure I am not alone due to mailgun change to free tier).
One of the things I found very valuable in mailgun is the ability to call a webhook on forwarding failure. This allowed my to (via IFTTT) email an alternative account to advise there have been forwarding issues.
Why is this so important is that my provider (outlook.com) occasionally blocked mailgun due to their IPs being flagged as spam distributors (which MG were swift to address) but in the interim it allowed me to change routing to avoid further email losses.

I checked in your faq and github issues but I didnt find mention of such a capability in forwardemail.net

Is forwarding failure notification something you are considering to add?
Does not need to be a webhook - could also be simple email, SMS etc.

e.g. niftylettuce.com gets replaced to whatever the domain is

• Main Page
• Feature Page
• Our Story Page
• Privacy Page
• Pricing Page

Hi there, thank you for this great service!

Is it possible to forward emails to another host (in conjunction with the forward-email-port setting) without rewriting the domain? If I am using forward-email=mx2.domain.com for my domain domain.com, then emails like [email protected] will be rewritten to [email protected], but I want them stay the same.

Scenario: using forwardemail as backup mx to a host with blocked port 25

Thank you very much!

When i try to enter domain settings, this popup displays:

/var/www/production/source/app/views/my-account/domains/retrieve.pug:72 70| h5.card-header= t('Enhanced Protection Verification Record') 71| .card-body > 72| p!= t('Please ensure that a TXT record exists for %s with the following value:', domain.name) 73| .input-group 74| input(type='text', readonly, value=${config.recordPrefix}-site-verification=${domain.verification_record}).form-control#verification-record 75| .input-group-append [sprintf] unexpected placeholder

And i can't enter the page.

• Remove "TLDR;"
  *Make the layout the same as the home page
  • Include dark grey boxes, like the one shown below (perhaps for the Foreward)
    • Change "Foreward" to "Introduction"
      
• Make a timeline for the history where you can hover over the important dates and read about them (will look more organized and actually show our progress)

It's pretty easy to create a DNS scraper that checks if the top-level MX records are pointing to mx1.forwardemail.net and mx2.forwardemail.net. In these cases we can run another DNS query to obtain all the aliases. When you type: dig TXT example.com, then it would show all the email forwardings and expose the private email address.

This could easily be prevented by creating a secret during domain registration with forwardemail.net. Instead of looking up the TXT record on the root-level, it could check for the secret TXT record. Both forwardemail.net knows about this secret and the user that registered the email domain. Nobody else knows the secret and therefore can't find the forwarding records and the private email addresses stay private.

The only catch is when AXFR is configured incorrectly and accepts requests from any IP addresses (which is flawed anyway). Most cloud providers (i.e. Azure DNS, AWS Route53) don't support AXFR at all, so this is hardly a problem in real-life.

Hey !, I'm super naive to how emails work, but tolerate me here.

say I want to set a DMARC policy to only allow emails if they pass SPF checks, what would such a DMARC policy look like, is it possible to set such a DMARC policy ?

I recently learnt about DMARC policies and I want to ensure people can't send emails using my domain by spoofing

I use API to add and delete aliases. No problems with ADDING aliases. I'm not able to have the DELETE command working.

I use a command like this with the objective to delete alias "pluto" : from the domain ACME.com

curl -X DELETE https://api.forwardemail.net/v1/domains/ACME.com/aliases/pluto -u 4xxxxxxxxxxcb74d52:

answer is always:
{
"statusCode": 404,
"error": "Not Found",
"message": "Alias does not exist on the domain."
}

• Make sure to change "we don't store logs nor emails" to "we do not keep logs or store emails"
• Remove "TLDR;"

Thanks for setting this service up and open source it.
I'd like to add some translations as PRs if possible.
Where do I start best?
The website shows CN and ES translations but I can't seem to find them here in the repo.

https://travis-ci.com/github/forwardemail/forwardemail.net/builds/174660057

• Fix translation of Markdown files
• Log in as seems to hang (in admin)
• POST to create aliases should allow multiple at once
• the check for mx1 and mx2 should also check that no other mx records exist (we should also update FAQ probably for this, and only permit if user has pass through mx option, which is a future feature)
• Automatic abuse@ ARF reporting parsing
• Add List-Unsubscribe header to all emails (only on free plan?)
• Make auth clearer (#6)
• Better spam filtering (per email thread with SpamAssassin team and possibly dclassify Bayes filter)
• Priority user email subjects need to be prefixed with Priority
• Queue job for DNS check (with email alerts on changes)
• /disposable-addresses landing page
• Mail relay setup
• Ensure that IDN/EAI validation is working (per https://en.m.wikipedia.org/wiki/International_email and discussion at https://webmasters.stackexchange.com/a/127447/84805)
• Non-standard port forwarding (e.g. forward-email-port=2525)
• Refer a friend
• Gift cards
• Ensure DNSSEC is setup on all domains (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html)
• Swag shop
• delete aliases for users when they delete their accounts
• Email temp password for FAQ signups
• HEAD / (e.g. support UptimeRobot)
• Too many DNS lookups (SPF cap of 10 should be increased to 20 maybe)
• "Leave us a review on G2 https://www.g2.com/categories/other-email Trust Pilot https://www.capterra.com/p/166646/SMTP2GO/ and capterra https://www.trustpilot.com/review/www.smtp2go.com" (in footer of emails)
• rg "TODO" in codebase
• Slack notifications with errors (anonymous data/omit fields)
• When account is upgraded, verification error message should appear
• if > 10 on the recipients list for an alias or catch-all, then add List-Unsubscribe and Feedback-ID header information
• Handle limitations of 'User cannot have more than (5) aliases on global domains.' more friendly/managed
• Savings slider comparison + alternative to pages (aliases # + domains #) vs Google Business, Zoho, competitors, etc
• Guide + Alternative To XYZ at footer + pages

When using multiple aliases with random addresses (dice feature - very nice by the way!), the order of rows is therefore random as well. It would be desirable to have the option (ideally saved in some way) to order by the Description & Labels column so that it's easier to scroll to the correct position. Find on page works well but column ordering would be better in my opinion.

Ref: 📣 Your Help Request #1603392707262

The website claims 100% open-source, which the server-side is not (source-available, yes, but not open source).

The license is clearly not open source. Which is ok, just be honest about it because the website is confusing

I suggest to correct the website.

I in particular .pl does not (no longer?) appear on any of the mentioned misused TLD lists. Also, it is only 20% cheaper than .com from most registrars (never got any spam from .pl, .pl is more expensive than .eu, which is not banned, nor listed on any of the lists, and I got tons of spam from .eu and .com domains, don't ban them right away, just sayin').

There is much more TLDs that are used way more for shady business, spam or scam.

Did someone try registering a malicious domain? Did they indeed benefit from the free service's resources? If so, you can restrict free-plan sus domains to incoming mail only, like improvmx.com does (it is currently unable to forward mail to IPv6-only servers, and is closed-source, so I dropped them a bug notice and moved on to checking the alternatives).

As always, it is all about the money, so my ulterior motive is that I am unable to set up my personal domain mail on https://arusekk.pl/ for free because of that. (And I don't like online payments, but this is a different story.)

Imagine banning .com because of 'many malicious sites being there' and it being cheap, come on.

It looks like it was never changed besides 02b9437.

I would like to say something positive, but I am yet to even try the service out, so for now... a huge plus for the website working quite well with scripts disabled, and for localization support.

I have an address registered with forwardemail and disabled spam filter. I plan to use it to register to forums.

I disabled spam filters because I want all the emails to come! I don't want to get legitimate emails not delivered to me because they were misidentified as spam. My problem with FE spam filter is there is no folder where I can see what emails were caught!

I see 2 potential problems.

1. If spam does come from my domain, gmail may report my domain as a spam sender.
2. If spam does come from my domain, gmail may report forwardemail.net smtp servers as spam senders.

Is this a real problem or am I imagining things? Am I harming FE by disabling spam filters? What choices do I have if I want everything to be delivered but don't want to harm either FE or my domain?