Home / Blogs

Review Your Email Forwarding Practices

Alessandro Vesely

As unusual as it may be for a lawyer to speak at a IETF meeting, Ian Walden gave a lecture on Data Protection Directives and updates thereof. He said they affect some 90 jurisdictions. A difference between email addresses and cookies — the latter are the main subject of the January 2012 update of the directives — is that after more than a decade of enforcement, specific browser extensions may allow users to browse what cookies they have, while no record states whom they conferred their email addresses to. The law doesn't cover this aspect of fair user information. Prof. Walden just said that the procedures that collect and use personally identifiable information need to be revised carefully.

Email forwarding is a particular use of email addresses. SMTP considers related privacy issues in Section 3.4 Forwarding for Address Correction or Updating:

Silent forwarding of messages (without server notification to the sender), for security or non-disclosure purposes, is common in the contemporary Internet.

In both the enterprise and the "new address" cases, information hiding (and sometimes security) considerations argue against exposure of the "final" address through the SMTP protocol as a side effect of the forwarding activity.

However, silent forwarding is not disclosure-proof as it may be expected, because an occasional error at the target side, such as exceeding mailbox quota, might cause a non-delivery notification to be sent to the unaltered envelope sender, thereby disclosing the forwarding mechanism.

Another downside of not altering the envelope sender comes from SPF. If the message originator publishes a strict SPF policy, and the final receiver rejects on failure, forwarding won't work, formal SMTP compliance notwithstanding. Andrew Sullivan, chairing this morning's SPFBIS meeting, said he views this as a deployment recommendation, rather than a protocol specification feature. Although it is formally licit to do otherwise, servers that are meant to actually work need an SPF record attached to the label that they use as helo identity if they forward that way. The upcoming standard-track SPF specification will hopefully state that as clearly as possible. It may be published as soon as fall, Andrew said.

SPF always provided for records attached to each label having an A or AAAA record, which makes sense as such labels can be used as mail domains. However, a minority of sites take care of actually doing so. Laziness is also responsible for not cluttering dot-forward files with -f sender options that would direct bounces to someone who can maintain the dot-forward file itself when the target mailbox gets torn down. The bottom line is, if upon reviewing forwarding practices, you decide to forward with unaltered envelope sender, at least publish a host SPF record.

By Alessandro Vesely, Tiny ISP and freelance programmer

Related topics: Email, Law, Privacy, Spam

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

An Update on Port25 and the Future of PowerMTA - One Year Later​

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

V12 Group Sustains Customer Satisfaction by Deploying PowerMTA for Launchpad Platform

PowerMTA Now Offers Scheduled Delivery Control

DKIM for ESPs: The Struggle of Living Up to the Ideal

Reactivation Campaign: Shared vs. Dedicated IPs

To Where are Bounce Messages Sent?

An Open Source Perspective on Commercial MTAs

Five Essential PowerMTA Configuration Tips

Protect Your Privacy - Opt Out of Public DNS Data Collection

What's New With Port25's PowerMTA v4.5

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

New Feature in PowerMTA v4.5: IP Based Rate Limiting

Case Study: Emergency Response Systems Rely on Timely Messaging Through PowerMTA

Port25 Announces Next Major Release of Its Email Delivery Solution, PowerMTA

Case Study: How PowerMTA Transparent Deliverability Metrics Paves Way for Email Service Provider

Case Study: MailChimp Achieves Efficient Execution and Reliability with PowerMTA

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

Case Study: Emma Swaps Its SMTP Infrastructure for PowerMTA to Handle Growing Mail Volume

Sponsored Topics

Port25

Email

Sponsored by
Port25
Verisign

Security

Sponsored by
Verisign
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Afilias

DNS Security

Sponsored by
Afilias