As unusual as it may be for a lawyer to speak at a IETF meeting, Ian Walden gave a lecture on Data Protection Directives and updates thereof. He said they affect some 90 jurisdictions. A difference between email addresses and cookies—the latter are the main subject of the January 2012 update of the directives—is that after more than a decade of enforcement, specific browser extensions may allow users to browse what cookies they have, while no record states whom they conferred their email addresses to. The law doesn’t cover this aspect of fair user information. Prof. Walden just said that the procedures that collect and use personally identifiable information need to be revised carefully.

Email forwarding is a particular use of email addresses. SMTP considers related privacy issues in Section 3.4 Forwarding for Address Correction or Updating:

Silent forwarding of messages (without server notification to the sender), for security or non-disclosure purposes, is common in the contemporary Internet.

In both the enterprise and the “new address” cases, information hiding (and sometimes security) considerations argue against exposure of the “final” address through the SMTP protocol as a side effect of the forwarding activity.

However, silent forwarding is not disclosure-proof as it may be expected, because an occasional error at the target side, such as exceeding mailbox quota, might cause a non-delivery notification to be sent to the unaltered envelope sender, thereby disclosing the forwarding mechanism.

Another downside of not altering the envelope sender comes from SPF. If the message originator publishes a strict SPF policy, and the final receiver rejects on failure, forwarding won’t work, formal SMTP compliance notwithstanding. Andrew Sullivan, chairing this morning’s SPFBIS meeting, said he views this as a deployment recommendation, rather than a protocol specification feature. Although it is formally licit to do otherwise, servers that are meant to actually work need an SPF record attached to the label that they use as helo identity if they forward that way. The upcoming standard-track SPF specification will hopefully state that as clearly as possible. It may be published as soon as fall, Andrew said.

SPF always provided for records attached to each label having an A or AAAA record, which makes sense as such labels can be used as mail domains. However, a minority of sites take care of actually doing so. Laziness is also responsible for not cluttering dot-forward files with -f sender options that would direct bounces to someone who can maintain the dot-forward file itself when the target mailbox gets torn down. The bottom line is, if upon reviewing forwarding practices, you decide to forward with unaltered envelope sender, at least publish a host SPF record.