Home / Blogs

Review Your Email Forwarding Practices

As unusual as it may be for a lawyer to speak at a IETF meeting, Ian Walden gave a lecture on Data Protection Directives and updates thereof. He said they affect some 90 jurisdictions. A difference between email addresses and cookies—the latter are the main subject of the January 2012 update of the directives—is that after more than a decade of enforcement, specific browser extensions may allow users to browse what cookies they have, while no record states whom they conferred their email addresses to. The law doesn’t cover this aspect of fair user information. Prof. Walden just said that the procedures that collect and use personally identifiable information need to be revised carefully.

Email forwarding is a particular use of email addresses. SMTP considers related privacy issues in Section 3.4 Forwarding for Address Correction or Updating:

Silent forwarding of messages (without server notification to the sender), for security or non-disclosure purposes, is common in the contemporary Internet.

In both the enterprise and the “new address” cases, information hiding (and sometimes security) considerations argue against exposure of the “final” address through the SMTP protocol as a side effect of the forwarding activity.

However, silent forwarding is not disclosure-proof as it may be expected, because an occasional error at the target side, such as exceeding mailbox quota, might cause a non-delivery notification to be sent to the unaltered envelope sender, thereby disclosing the forwarding mechanism.

Another downside of not altering the envelope sender comes from SPF. If the message originator publishes a strict SPF policy, and the final receiver rejects on failure, forwarding won’t work, formal SMTP compliance notwithstanding. Andrew Sullivan, chairing this morning’s SPFBIS meeting, said he views this as a deployment recommendation, rather than a protocol specification feature. Although it is formally licit to do otherwise, servers that are meant to actually work need an SPF record attached to the label that they use as helo identity if they forward that way. The upcoming standard-track SPF specification will hopefully state that as clearly as possible. It may be published as soon as fall, Andrew said.

SPF always provided for records attached to each label having an A or AAAA record, which makes sense as such labels can be used as mail domains. However, a minority of sites take care of actually doing so. Laziness is also responsible for not cluttering dot-forward files with -f sender options that would direct bounces to someone who can maintain the dot-forward file itself when the target mailbox gets torn down. The bottom line is, if upon reviewing forwarding practices, you decide to forward with unaltered envelope sender, at least publish a host SPF record.

By Alessandro Vesely, Tiny ISP and freelance programmer

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign