You set up sales@yourcompany.com as
a domain alias, expecting it to route leads to your inbox. Instead, you are
dealing with silent failures, bounce loops, or the realization that you’ve been
replying from your personal address for weeks.
When a domain alias breaks, it is
rarely a simple typo. It is usually a collision between legacy routing rules
and modern authentication protocols like SPF, DKIM, and DMARC.
If you are seeing error codes like
550 5.7.520 or 5.4.14, or if mail is simply vanishing, stop guessing. This
guide deconstructs the mechanics of alias routing, identifies the specific
failure modes, and provides the exact fixes.
For a foundational overview of alias
architecture, refer to Email Alias: What It Is, When to Use It, and How to Set It
Up on Your Domain (2026).
The
"Is It Broken?" Diagnostic Checklist
Before modifying DNS records, match
your symptom to the root cause.
|
Symptom |
Error Code |
Root Cause |
Immediate Fix |
|
Sender gets "Access Denied" |
550 5.7.520 |
M365 Outbound Policy.
Microsoft blocks external forwarding by default. |
Update M365 Outbound Spam Filter policy to "On - Forwarding
is enabled". |
|
Sender gets "Hop Count Exceeded" |
554 5.4.14 |
Routing Loop.
A forwards to B, and B forwards back to A. |
Check inbox rules on the destination mailbox.
Remove auto-replies or circular forwards. |
|
Sender gets "User Unknown" |
550 5.1.1 |
Ghost Target.
The destination mailbox does not exist or was deleted. |
Verify the target address in your alias map. |
|
Mail vanishes (Silent Drop) |
None (250 OK) |
Spam/DMARC Fail.
Forwarding broke SPF alignment; receiver quarantined it. |
Check the destination's Spam folder. Inspect headers for
spf=fail. |
|
Reply shows wrong email |
N/A |
Identity Leak.
Client is sending as the primary mailbox, not the alias. |
Configure "Send As" settings in your client or
M365/Gmail admin panel. |
The
Core Mechanics: Why Aliases Break
To fix an alias, you must understand
that email has two "From" addresses. Misconfigurations happen when
these two get out of sync during routing.
- The Envelope Sender (RFC 5321): This is the "Return-Path." It is used by
servers to route bounces. SPF checks this address.
- The Header Sender (RFC 5322): This is the "From" address you see in
Outlook or Gmail. DMARC checks this address.
When you use a domain alias
internally (routing sales@ to bob@ on the same server), both addresses usually
stay aligned.
When you forward an alias
externally (routing sales@domain.com to bob@gmail.com), the receiving server
(Gmail) sees the connection coming from your forwarding server, not the
original sender.
- Result:
The Envelope Sender (original sender) does not authorize your forwarding
server's IP. SPF fails.
- Consequence:
If the original sender has a strict DMARC policy (p=reject), Gmail rejects
the message.
Top
5 Domain Alias Misconfigurations
1.
The "New Hop" Failure (External Forwarding)
This is the most common failure mode
in 2026. You alias contact@yourdomain.com to forward to a personal Gmail or
Yahoo account.
- The Scenario:
A customer (alice@bank.com) emails contact@yourdomain.com. Your server
forwards it to you@gmail.com.
- The Failure:
Gmail sees an incoming connection from your server IP. It checks
the SPF record for bank.com. Your IP is not listed. SPF fails.
- The Fix (Hard Way):
You must implement SRS (Sender Rewriting Scheme) on your mail
server. SRS rewrites the Envelope Sender to your domain (e.g.,
SRS0=hash=bank.com=alice@yourdomain.com), so SPF passes against your
domain's record.
- The Fix (Easy Way):
Stop forwarding to external providers. Use a hosted mailbox on your
domain.
2.
The Microsoft 365 "Block by Default"
Microsoft has aggressively tightened
security on automatic forwarding to prevent data exfiltration.
- The Error:
550 5.7.520 Access denied, Your organization does not allow external
forwarding.
- The Cause:
The default "Outbound spam filter policy" in Exchange Online is
often set to "Automatic - System-controlled," which now defaults
to Block.
- The Fix:
- Go to the Microsoft 365 Defender portal.
- Navigate to Email & collaboration > Policies
& rules > Threat policies > Anti-spam.
- Edit the Anti-spam outbound policy (Default).
- Set "Automatic forwarding rules" to On -
Forwarding is enabled.
3.
The Routing Loop of Death
Loops occur when logic conflicts.
- The Scenario:
- Alias Rule: info@ → admin@.
- Mailbox Rule: admin@ is set to "Out of
Office" or has a rule to forward all mail to info@ for archiving.
- The Mechanism:
The server bounces the message back and forth until it hits the "Hop
Count" limit (usually 15-20 hops).
- The Fix:
- Audit Rules:
Check client-side rules (Outlook) and server-side transport rules.
- Use "Redirect" vs. "Forward": In some systems, "Redirect" preserves the
original recipient, potentially causing a loop if the alias resolves
again. Ensure your alias expansion happens before user-level
rules.
4.
The "Send As" Identity Leak
Receiving mail is only half the
battle. If you reply to a lead sent to sales@ and they see bob.smith@ in the
"From" line, you have broken the professional illusion.
- Google Workspace Fix:
- User Settings > Accounts > "Send mail
as".
- Add the alias.
- Crucial Step:
Uncheck "Treat as an alias." If this is checked, Google may
expose your primary address in the headers or "Reply-To" field.
- Microsoft 365 Fix:
- By default, sending as an alias might show "Bob
on behalf of Sales."
- You must enable SendFromAliasEnabled via PowerShell to
make it seamless:
Connect-ExchangeOnline
Set-OrganizationConfig
-SendFromAliasEnabled $true
5.
The Catch-All Collision
A "Catch-All"
(*@domain.com) is a wildcard. If configured poorly, it can override specific aliases.
- The Scenario:
You have a Catch-All set up, but you also created a specific alias
billing@.
- The Failure:
Depending on your mail server's priority logic (e.g., Postfix
virtual_alias_maps order), the wildcard might grab the message before the
specific alias rule triggers, routing it to the wrong inbox.
- The Fix:
Ensure explicit aliases are defined before wildcard entries in your
routing table or database.
Advanced
Troubleshooting: The "Isolate and Correct" Protocol
If the checklist didn't solve it,
you need to look at the raw data.
Step
1: Analyze the Headers
If a forwarded message arrives in
Spam, view the "Original" or "Raw" source. Look for
Authentication-Results.
Bad Result (Forwarding Broken):
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of
transition does not designate 192.0.2.1 as permitted sender)
smtp.mailfrom=alice@bank.com;
dmarc=fail action=quarantine
header.from=bank.com;
- Analysis:
The smtp.mailfrom is still the original sender (bank.com), but the IP
(192.0.2.1) is your forwarding server. SRS is missing or broken.
Good Result (SRS Active):
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of ...
designates 192.0.2.1 as permitted sender)
smtp.mailfrom=SRS0=HHH=TT=bank.com=alice@yourdomain.com;
- Analysis:
The smtp.mailfrom has been rewritten (SRS0...). SPF passes against your
domain.
Step
2: Check DNS Propagation
If you just created the alias, it
might not be live.
- Command:
There is no DNS record for an alias (it's internal logic), but you
must ensure your MX records are correct.
- Test:
Use swaks (Swiss Army Knife for SMTP) or Telnet to test the address
existence manually.
swaks --to sales@yourdomain.com --from test@external.com
--server mx.yourdomain.com
- Look for 250 OK. If you get 550 User Unknown, the
alias does not exist on the server.
Prevention:
The "Smart Operator" Architecture
The best way to fix alias problems
is to avoid the fragile configurations that cause them.
1.
Eliminate External Forwarding
Forwarding business mail to Gmail is
a relic of the 2010s. In 2026, it is a liability. It breaks DMARC, leaks data
to third-party servers, and looks unprofessional when you reply.
- Policy:
All business mail stays on the business domain. Use a mobile app to check
it; do not forward it.
2.
Flatten Your Routing
Avoid chains.
- Bad:
contact@ → info@ → bob@
- Good:
contact@ → bob@ AND info@ → bob@
Every hop increases the risk of header modification and spam flagging.
3.
Use Plus Addressing for Temporary Needs
Instead of asking IT to create
bob-newsletter@, use bob+newsletter@domain.com.
- Supported by TrekMail, Gmail, and Exchange.
- Requires zero configuration.
- Great for filtering, but note that some poorly coded
web forms may reject the + symbol.
The
"Easy Button" for Email Routing
If you are reading this, you are
likely fighting with PowerShell scripts, debugging SRS headers, or paying
$6/month/user to Microsoft just to have a functional support@ inbox.
The root cause of your pain is the Per-User
Pricing Model.
- In M365/Google, you use aliases because you don't want
to pay for another seat.
- This forces you to route sales@ to bob@, creating the
"Reply-As" identity leak and routing complexity.
TrekMail solves this by changing the math.
We charge a flat rate for the
domain, not the user.
- For SMBs:
You can create sales@, support@, and billing@ as real, dedicated
mailboxes. They have their own login, their own storage, and their own
"From" address. No alias routing required. No "Send
As" configuration. No identity leaks.
- For Agencies:
You can manage 100+ domains from a single dashboard. If a client needs a
new address, you create it instantly without worrying about license counts
or billing adjustments.
TrekMail Technical Specs:
- Protocols:
Pure IMAP/SMTP (No POP3 legacy junk).
- Outbound:
Managed SMTP included (Starter plan) or BYO SMTP (Amazon SES/SendGrid) for
total control.
- Migration:
Built-in IMAP migration tool pulls history from Gmail/cPanel in minutes.
Stop engineering workarounds for a
pricing problem.
Try TrekMail for free and build an email infrastructure that actually works.
Comments
Post a Comment