Question
How does cPanel's SRS (Sender Rewriting Scheme) feature work?
Answer
cPanel's SRS feature is designed to allow messages that have been forwarded through a cPanel hosted email account to pass SPF verification checks at the destination email server.
The mechanism by which this is accomplished is the addition of the Return-Path header to the forwarded message with the domain of the cPanel hosted email account. The Return-Path header that is added by the SRS feature contains a fictitious email address that is composed of a combination of the original email address, a notice that the SRS feature was used, an authentication hash, and the domain of the cPanel hosted email address. To understand this best, review the following example.
In this example:
The message will be sent from this address: originalSender@senderDomain.tld.
The message will be sent to this address: originalRecipient@OrigRecipient.tld.
The message will be forwarded to this address: forwardRecipient@FwdRecipient.tld.
A cPanel server with the SRS feature turned ON is hosting originalRecipient@OrigRecipient.tld.
When the message arrives at the cPanel server that hosts email for originalRecipient@OrigRecipient.tld, the SRS feature will add the following Return-Path header before forwarding the message to forwardRecipient@FwdRecipient.tld:
Return-Path: <SRS0=/4SVgk=LD=senderDomain.tld=originalSender@OrigRecipient.tld>
The following breaks down the SRS Return-Path header piece by piece:
Return-Path: <- This is the header name.
<SRS0 <- This is the portion of the fictitious email address that SRS adds to indicate that it has generated the Return-Path header.
= <- The various sections of the SRS fictitious email address are delimited by an equals symbol.
/4SVgk <- This is an authentication hash.
LD <- This is another portion of the hash.
senderDomain.tld <- This is the domain of the original sender.
originalSender <- This is the username portion of the original sender's email address.
OrigRecipient.tld <- This is the domain of the cPanel hosted email account that is forwarding the message.
The key portion of the SRS-generated fictitious email address is the last section that contains the domain of the cPanel hosted email account.
This allows the message to pass SPF checks when it arrives at the forwardRecipient@FwdRecipient.tld inbox, because the mail server that handles mail for FwdRecipient.tld will use the domain found after the @ symbol in the fictitious email address as the domain to run SPF checks against.
The use of the Return-Path header for SPF validation is outlined in section 2.2 of RFC 4408.
The SRS feature makes no other modifications to the message.
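The breakdown above can be checked mechanically when reviewing forwarded mail. The following is an added example, not cPanel's own code: it splits an SRS Return-Path value into the sections listed in the article, recovers the original sender, and reports the domain the receiving server will check SPF against. The function and field names are illustrative, and the un-rewritten address used for comparison is an assumption based on the example's original sender.

```python
# Added example: function and field names are illustrative, not cPanel identifiers.
SRS_TAG = "SRS0"  # marker showing that SRS generated the address


def parse_srs_return_path(value):
    """Split an SRS Return-Path value into the sections the article lists.

    Returns a dict, or None when the address was not rewritten by SRS.
    """
    addr = value.strip().strip("<>")
    local, at, forwarder_domain = addr.rpartition("@")
    if not at or not forwarder_domain:
        return None
    # Sections are '='-delimited; maxsplit=4 keeps any '=' that belongs to
    # the original sender's username inside the final section.
    parts = local.split("=", 4)
    if len(parts) != 5 or parts[0] != SRS_TAG or not all(parts[1:]):
        return None
    _, hash_part, hash_part2, sender_domain, sender_user = parts
    return {
        "hash": hash_part,
        "hash_part2": hash_part2,
        "original_sender": f"{sender_user}@{sender_domain}",
        "forwarder_domain": forwarder_domain,
    }


def spf_domain(value):
    """Domain after the @, which the receiving server checks SPF against."""
    return value.strip().strip("<>").rpartition("@")[2]


if __name__ == "__main__":
    # Assumed envelope sender if the message were forwarded without SRS.
    before = "<originalSender@senderDomain.tld>"
    # Return-Path value taken from the article's example.
    after = "<SRS0=/4SVgk=LD=senderDomain.tld=originalSender@OrigRecipient.tld>"
    print("SPF domain without SRS:", spf_domain(before))
    print("SPF domain with SRS:   ", spf_domain(after))
    print(parse_srs_return_path(after))
```

Addresses that do not start with the SRS0 marker return None, which separates rewritten forwards from directly delivered mail when reading headers.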