Delivery to External Email Addresses
An increasing number of external email providers (like Google, AOL, Time-Warner, etc.) are using a policy (meant to stop fraudulent emails) that may prevent the delivery of forwarded messages.
If you choose to forward your email, you do so at your own risk.
Everything on this page could be placed in boxes with exclamation points and other attention-getting devices. But, at a bare minimum, please read this: If you choose to forward your email, you do so at your own risk.
Some (many) messages may not be delivered - for the reasons outlined below - and you will not even know they were sent.
Everyone with an @cornell.edu address has the option to forward their mail to an external (something not @cornell.edu) address. Students can set a forwarding address through Cmail (Gear icon - Settings - Forwarding tab). Faculty and staff through Outlook on the web (Gear icon - Mail Settings - Forwarding).
However, an increasing number of external email providers (like Google, AOL, Time-Warner, etc.) are using a policy (meant to stop fraudulent emails) that may prevent the delivery of forwarded messages. The What is DMARC section below describes this policy.
Once mail leaves the Cornell servers, we have no way of knowing if it was successfully delivered, nor do we have any way of determining what happened to a message that was not delivered. Please be aware of the risks involved in forwarding your email to another address.
Cornell is not responsible for forwarded mail that is lost. During the first week of June 2016, we put in place a change in the way we handle forwarded mail that allowed it to be forwarded successfully, but campus leaders determined that the side effects of our change were too undesirable, so that change has been reversed.
The DMARC policy as implemented by external email providers can cause other complications as well. For example, when Facebook sends a notification to a Cornell address which is then forwarded to a Gmail address, Gmail rejects the message AND notifies Facebook. Facebook then stops sending notifications to the Cornell address. At no point is the Cornell email system notified, so there's nothing we can do to prevent or change this. This type of behavior will become more common (and more complicated) as more email services enforce this policy.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It verifies whether an email message actually came from the place it was supposedly sent from. The administrators of an email system can use this policy to defend against email spoofing (spoofing is when a message appears to come from one place but actually came from somewhere else).
The administrators of the external email system can either Reject or Quarantine messages that trigger DMARC.
- Reject: When an email provider chooses the DMARC “reject” policy, any message that fails this test will be bounced back to the sender.
- Quarantine: When an email provider chooses the DMARC “Quarantine” policy, the email will not bounce, but rather be put in a quarantine area or in a junk folder. When mail is quarantined, the sender never learns of the interception and the recipient might never know to go looking for it.