Home / Blogs

Review Your Email Forwarding Practices

Alessandro Vesely

As unusual as it may be for a lawyer to speak at a IETF meeting, Ian Walden gave a lecture on Data Protection Directives and updates thereof. He said they affect some 90 jurisdictions. A difference between email addresses and cookies — the latter are the main subject of the January 2012 update of the directives — is that after more than a decade of enforcement, specific browser extensions may allow users to browse what cookies they have, while no record states whom they conferred their email addresses to. The law doesn't cover this aspect of fair user information. Prof. Walden just said that the procedures that collect and use personally identifiable information need to be revised carefully.

Email forwarding is a particular use of email addresses. SMTP considers related privacy issues in Section 3.4 Forwarding for Address Correction or Updating:

Silent forwarding of messages (without server notification to the sender), for security or non-disclosure purposes, is common in the contemporary Internet.

In both the enterprise and the "new address" cases, information hiding (and sometimes security) considerations argue against exposure of the "final" address through the SMTP protocol as a side effect of the forwarding activity.

However, silent forwarding is not disclosure-proof as it may be expected, because an occasional error at the target side, such as exceeding mailbox quota, might cause a non-delivery notification to be sent to the unaltered envelope sender, thereby disclosing the forwarding mechanism.

Another downside of not altering the envelope sender comes from SPF. If the message originator publishes a strict SPF policy, and the final receiver rejects on failure, forwarding won't work, formal SMTP compliance notwithstanding. Andrew Sullivan, chairing this morning's SPFBIS meeting, said he views this as a deployment recommendation, rather than a protocol specification feature. Although it is formally licit to do otherwise, servers that are meant to actually work need an SPF record attached to the label that they use as helo identity if they forward that way. The upcoming standard-track SPF specification will hopefully state that as clearly as possible. It may be published as soon as fall, Andrew said.

SPF always provided for records attached to each label having an A or AAAA record, which makes sense as such labels can be used as mail domains. However, a minority of sites take care of actually doing so. Laziness is also responsible for not cluttering dot-forward files with -f sender options that would direct bounces to someone who can maintain the dot-forward file itself when the target mailbox gets torn down. The bottom line is, if upon reviewing forwarding practices, you decide to forward with unaltered envelope sender, at least publish a host SPF record.

By Alessandro Vesely, Tiny ISP and freelance programmer

Related topics: Email, Law, Privacy, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Non-English "IDN Email" Addresses Are Finally Working!

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Verisign Named to the OTA's 2014 Online Trust Honor Roll

MarkMonitor Named a Top Trusted Website in OTA's 2013 Online Trust Honor Roll

A Look Inside Dyn's 1.2 Billion Monthly Email Delivery Statistics

INTA 2013: Gearing Up for Dallas

Dyn to Host Email Analytics Webinar With Ongage

Dyn Adds Claudia Santoro, Dave Connors and Andrew Sullivan to Technical Team

Dyn Receives $38M Investment from North Bridge

Thomson Reuters to Acquire MarkMonitor

Neustar Names Becky Burr as its Chief Privacy Officer

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

MarkMonitor Fraud Intelligence Report, Q4 2011

Afilias Says "No" to SOPA

Minds + Machines to Announce New .brand gTLD Pricing at INTA

MarkMonitor Fraud Intelligence Report Released for Q2 2011

Sponsored Topics



Sponsored by

DNS Security

Sponsored by


Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines