What is SRS (Sender Rewriting Scheme)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When email gets forwarded, SPF fails because the forwarder's IP isn't in the original sender's SPF record. Sender Rewriting Scheme (SRS) was built to solve that specific problem.
Here's the approach. Instead of forwarding your email with the original Return-Path (the envelope sender address), SRS rewrites it to use the forwarder's domain. For example, if captain@deepcurrent.io sends to a forwarding address, SRS might rewrite the Return-Path to something like SRS0=abc123=TT=deepcurrent.io=captain@forwarder.com. The forwarder's domain is now in the envelope, so SPF checks against the forwarder's own SPF record and passes.
The original sender's address gets encoded inside the rewritten address. That's how bounces work: if the message bounces, the forwarder receives it, decodes the address, and routes the bounce back to the original sender.
SRS was a reasonable solution in a world where SPF was the main authentication signal. But the email ecosystem moved on. DKIM alignment handles forwarding better and is far simpler to implement. ARC handles the cases DKIM can't. SRS is rarely deployed today, which is why you don't see most forwarders using it.
If forwarding-related SPF failures are showing up in your DMARC reports, our free SPF checker can show you what's in your current record and flag gaps.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.