On 11 Apr 2019, at 15:01, Autumn Tyr-Salvia wrote:
Hello,
I'm looking at headers for a particular message, and noticed two
different
Return-Path headers. The message is being sent by an ESP. One
Return-Path
uses a VERP address with the ESP's domain, and the other uses the same
address as the friendly From:.
I haven't seen this in other headers before - is this common?
Not in non-spam. Not even in non-spam bulk mail. It is a symptom of
immature/amatuer list exploder software.
Why would
there be 2?
A message is sent via SMTP to a mailing list system. It is delivered to
a mailbox by a terminal MTA which does the right thing in delivery and
adds a Return-Path header with the SMTP envelope sender address in it.
The list exploder software picks up that message for resending and sends
it out with a unique VERP envelope sender for each recipient, neglecting
to strip the existing Return-Path. Terminal MTAs doing final delivery
MAY (but generally do not) strip existing Return-Path headers when doing
their own final delivery, at which time they add their own Return-Path
header containing the VERP address.
Responsibility for stripping out the original Return-Path belongs to the
entity that resends a delivered message via SMTP with a new envelope
sender.
I spent some quality time with RFC 2822 and couldn't determine
if it's spec-legal to have two Return-Path headers or not.
In both RFC2822 and RFC5322:
3.6.7. Trace Fields
The trace fields are a group of header fields consisting of an
optional "Return-Path:" field, and one or more "Received:" fields.
Note that it does not say "one or more" about Return-Path.
Section 4.4 of both RFC5321 & RFC2821 discuss the meaning of
Return-Path, wherein the key text is:
[...] This use of return-path is required; mail systems MUST support
it. The return-path line preserves the information in the <reverse-
path> from the MAIL command.
[...]
The primary purpose of the Return-path is to designate the address
to
which messages indicating non-delivery or other mail system failures
are to be sent. For this to be unambiguous, exactly one return path
SHOULD be present when the message is delivered.
More to the
point, it's using the one with the ESP domain for checking SPF, which
is
not what the desired behavior.
I'm not able to parse out an identity for your use of "it" here...
SPF applies to the envelope sender in an SMTP transaction, not to ANY
header, however it could in theory be used post-delivery on a
well-formed message, applying to the ONE Return-Path header that such a
message will have.
Anything checking SPF before final delivery should ONLY be using the
SMTP sender address, which I expect in this case would be the VERP
address.
I can reach out directly to the ESP in question to get more info, but
wanted to ask this group first if there's some other resource I should
consult for a firm understanding of using multiple Return-Path headers
before I have that conversation.
Multiple Return-Path headers is bad and wrong. It both causes confusion
and violates the language of the specification of message format in the
2 latest revisions of that spec.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
