David Collantes

Verified ($6.50/year for the domain)

Email Forwarding Broken on iCloud

I have been getting occasional bounces from an iCloud+ Custom Domain email filter I have, which forwards certain emails I receive to wife. The first one I got looked like this:

<wife.email@mydomain.com>: host mx01.mail.icloud.com[17.57.156.30] said: 554 5.7.1
   [HM07] Message rejected due to local policy. Please visit
   https://support.apple.com/en-us/HT204137 (in reply to end of DATA command)

I sent an email to the iCloud Postmaster, stating:

I am getting this more often that I would want to, as a result of a rule I have which forwards certain emails I receive to my partner. Both of us, that’s partner and I, have our email on iCloud+ Custom Domain. This shouldn’t be happening.

Within a week I got their reply, which was straight and to the point:

We have investigated your report and made appropriate changes. Please try resending and let us know if you still encounter the issue.

I didn’t get any more bounces for a while, so I considered the issue as resolved. On 15 July 2025 I got another bounce, this time it looked like this:

<wife.email@mydomain.com>: host mx01.mail.icloud.com[17.42.251.62] said: 554 5.7.1
   Your message was rejected due to usps.com's DMARC policy. See
   https://support.apple.com/en-us/HT204137 for info (in reply to end of DATA command)

Once again I sent an email to the iCloud Postmaster, and got a reply—surprisingly—the next day:

The rejection you are seeing is a result of USPS’s DMARC instructing email receivers to reject messages that fail email authentication checks. This is an anti-spoofing and anti-phishing measure.

It appears that the DKIM signature for these messages end up getting broken when they are forwarded from your “my.email@mydomain.com” account to your iCloud account. Unfortunately, the issue lies with the forwarding server so we are unable to do anything on our end to address it. If you see it occurring frequently, we recommend contacting USPSs’ technical support for assistance.

That didn’t sound right to me because I use iCloud for my family emails, so I replied:

Please take a closer look. The email “my.email@mydomain.com” is an iCloud Custom Domain email. The forwarding server is iCloud’s.

The filter simply forwards the USPS email from “my.email@mydomain.com” to “wife.email@mydomain.com”. The “mydomain.com” domain is an iCloud+ Custom Domain.

The iCloud’s Postmaster replied:

Due to an email authentication mechanism (DKIM and DMARC) that is deployed by the USPS, the forwarding that you set up causes the email from USPS to bounce.

Please receive this email directly on the recipient mailbox “wife.email@mydomain.com” and it should get through.

Sadly, USPS Informed Delivery only accepts one email address, so that would not work in this case. So I replied:

An email is received on an iCloud account. It is then forwarded to another iCloud account. Please, could you explain how USPS relates? This doesn’t happen all the time.

Their final reply (because I stopped replying at this point) was:

USPS has specified some email authentication policies that ensure that email is received direct from USPS’ servers to the actual recipient and not exposed to potential “spoofing” that is, USPS mail is received from a source other than USPS.

When the email is forwarded, these policies don’t validate the email as being direct from USPS (in this case it becomes an email from iCloud to another email address on iCloud, Gmail or any other email service) and so, the email is rejected.

These email authentication (for example DKIM, DMARC) policies are configured by USPS and all recipient providers not just iCloud that support email authentication would honor them.

Based on this we would recommend that you do not auto forward USPS email as it risks being bounced as a result.

I have to admit that I still don’t understand it fully, but it seems DMARC and DKIM can indeed impact email forwarding (which is what my filter does). It looks to me that something Apple’s iCloud+ Custom Domain is doing is breaking1 USPS DKIM, but I am not absolutely sure.

Meanwhile, following my friend George recommendation, and to make forwards work reliably, I have created a CloudFlare email worker that acts as a distribution group, and used it instead.

  1. Gemini agrees with the iCloud Postmaster: “The iCloud Postmaster’s reply is accurate. This is indeed a consequence of how email authentication, specifically DMARC, SPF, and DKIM, interacts with email forwarding, and it’s not iCloud ‘breaking’ USPS DKIM.” The explanation that follows is lenghty and educational, but the previous is the gist of it. 

5bc00c5d1edbaf4eed3838185be82d45963b3732