On 7/11/23 2:09 PM, Sebastian Nielsen via mailop wrote:
> I think sender address should be changed.

I think that /forwarding/, as in altering the envelope recipient
address(es), probably should have the envelope sender address changed.
I say /probably/ because I'm sure there are some situations where it
should not be done. I just can't think of them now.

> The reason is, you didn't compose the email, you shouldn't use the
> sender's identity.

Arguably none of the following composed the message:

- Outbound MSA re-sends the message it receives from the submitter
  ostensibly using the submitted envelope from address.
- Inbound spam filter re-sends the message on to the ultimate mailbox
  server re-using the inbound envelope from address.
- Outbound compliance filter re-sends the message out to the world
  re-using the inbound envelope from address.

I think that the envelope from address SHOULD NOT be changed in any of
these scenarios.

Fortunately, none of these scenarios are email terminal points even
though they are SMTP terminal points.

> When forwarding an email, you overtake the spam responsibility for
> that email in any case, so you ought to ensure your server isn't used
> for spam.

I mostly agree.

> On the other hand, you have the responsibility to ensure a forwarding
> user doesn't set up anyone else's address as forward, by for example
> using double-opt-in verification or where you really know they hold
> that email address (even when authorized users are using the forward
> system, for example employees of a company).

Agreed.

> Couple these 2 together and you don't risk ending up on blacklists
> because a user forwards a spam through your forward, because spam is
> both filtered AND forward is confirmed only.

Confirmation is completely independent of spam.

Spam filters can fail open or email can be quite above board but
unwanted by the ultimate recipient. Ergo spam can slip through a forwarder.

> I have always thought it’s an ugly practice to forward the email as-is,
> as it's the same as forging someone's signature.

I don't know if I would consider it proper or what I would choose to do
in a vacuum. However I didn't make the choice in a vacuum. I had prior
art both with physical postal mail being forwarded and years of eMail /
SMTP before me that I started by matching behavior.

At some point I switched to SRS when forwarding. I think I did that as
part of supporting and advocating for SPF.

> You use someone else's identity, because you CLAIM to have received an
> email from their server.

I've said similar using slightly different words. E.g. a mailing list
generates a new email that is substantively based on the message that it
received, purportedly from a given sender.

> The receiving server on the other end cannot know this.

Agreed.

> This is why sender address should ALWAYS be rewritten when forwarding
> an email.

I can't agree with the absolute nature of this.

There is also the question of what is forwarding. Do the MSA, ESP, and
compliance relays listed above count as forwarding? Does me creating a
script to receive messages from the LDA and attach them to a new
outbound message to a different recipient count as forwarding?

Aside: The last bit about attachments is what I want to end up doing
for my personal accounts on the various systems I have accounts on.
Originate and send a new email from my account on a remote system to an
email address of my choosing elsewhere in a way that does not run afoul
of SPF / DKIM / DMARC filtering.

Grant. . . .
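
The message above mentions switching to SRS when forwarding; the following sketch of SRS0-style envelope sender rewriting and bounce reversal is an added illustration, not code from either poster. The secret, the `forwarder.example` domain, the 21-day window and the 4-character hash are assumptions, and the hash construction is not meant to interoperate with any particular SRS library.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"   # assumption: forwarder's private key
FORWARDER = "forwarder.example"       # assumption: the forwarding host's domain
MAX_AGE_DAYS = 21                     # assumption: how long bounces are accepted
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _day(now=None):
    """Days since the epoch, modulo 1024 (fits in two base32 characters)."""
    return int((time.time() if now is None else now) // 86400) % 1024

def _tag(stamp, domain, local):
    """Truncated HMAC binding the timestamp to the original address."""
    msg = "=".join((stamp, domain, local)).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()

def srs_forward(sender, now=None):
    """Rewrite the envelope sender so it belongs to the forwarder's domain."""
    if not sender:                    # null sender <> (a bounce) is left alone
        return sender
    local, _, domain = sender.rpartition("@")
    day = _day(now)
    stamp = B32[day >> 5] + B32[day & 31]
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(rcpt, now=None):
    """Map a bounce recipient back to the original sender, or raise ValueError."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    try:
        tag, stamp, orig_domain, orig_local = local[5:].split("=", 3)
        day = (B32.index(stamp[0].upper()) << 5) | B32.index(stamp[1].upper())
    except (ValueError, IndexError):
        raise ValueError("malformed SRS0 address") from None
    if not hmac.compare_digest(tag.encode(), _tag(stamp, orig_domain, orig_local).encode()):
        raise ValueError("hash mismatch: not issued by this forwarder")
    if (_day(now) - day) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS0 address has expired")
    return f"{orig_local}@{orig_domain}"
```

A second forwarding hop (SRS1) is not handled here; an address that is already SRS0 would simply be wrapped again.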