Home / Blogs

Review Your Email Forwarding Practices

Alessandro Vesely

As unusual as it may be for a lawyer to speak at a IETF meeting, Ian Walden gave a lecture on Data Protection Directives and updates thereof. He said they affect some 90 jurisdictions. A difference between email addresses and cookies — the latter are the main subject of the January 2012 update of the directives — is that after more than a decade of enforcement, specific browser extensions may allow users to browse what cookies they have, while no record states whom they conferred their email addresses to. The law doesn't cover this aspect of fair user information. Prof. Walden just said that the procedures that collect and use personally identifiable information need to be revised carefully.

Email forwarding is a particular use of email addresses. SMTP considers related privacy issues in Section 3.4 Forwarding for Address Correction or Updating:

Silent forwarding of messages (without server notification to the sender), for security or non-disclosure purposes, is common in the contemporary Internet.

In both the enterprise and the "new address" cases, information hiding (and sometimes security) considerations argue against exposure of the "final" address through the SMTP protocol as a side effect of the forwarding activity.

However, silent forwarding is not disclosure-proof as it may be expected, because an occasional error at the target side, such as exceeding mailbox quota, might cause a non-delivery notification to be sent to the unaltered envelope sender, thereby disclosing the forwarding mechanism.

Another downside of not altering the envelope sender comes from SPF. If the message originator publishes a strict SPF policy, and the final receiver rejects on failure, forwarding won't work, formal SMTP compliance notwithstanding. Andrew Sullivan, chairing this morning's SPFBIS meeting, said he views this as a deployment recommendation, rather than a protocol specification feature. Although it is formally licit to do otherwise, servers that are meant to actually work need an SPF record attached to the label that they use as helo identity if they forward that way. The upcoming standard-track SPF specification will hopefully state that as clearly as possible. It may be published as soon as fall, Andrew said.

SPF always provided for records attached to each label having an A or AAAA record, which makes sense as such labels can be used as mail domains. However, a minority of sites take care of actually doing so. Laziness is also responsible for not cluttering dot-forward files with -f sender options that would direct bounces to someone who can maintain the dot-forward file itself when the target mailbox gets torn down. The bottom line is, if upon reviewing forwarding practices, you decide to forward with unaltered envelope sender, at least publish a host SPF record.

By Alessandro Vesely, Tiny ISP and freelance programmer

Related topics: Email, Law, Privacy, Spam

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Verisign

Cybersecurity

Sponsored by Verisign
Afilias

DNS Security

Sponsored by Afilias

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Port25 Announces Release of PowerMTA V4.5r5

New Case Study: Jobtome.com Replaces 30 Postfix Servers with a Single PowerMTA

An Update on Port25 and the Future of PowerMTA - One Year Later​

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

V12 Group Sustains Customer Satisfaction by Deploying PowerMTA for Launchpad Platform

PowerMTA Now Offers Scheduled Delivery Control

DKIM for ESPs: The Struggle of Living Up to the Ideal

Reactivation Campaign: Shared vs. Dedicated IPs

To Where are Bounce Messages Sent?

An Open Source Perspective on Commercial MTAs

Five Essential PowerMTA Configuration Tips

Protect Your Privacy - Opt Out of Public DNS Data Collection

What's New With Port25's PowerMTA v4.5