D. J. Bernstein
Internet mail infrastructure
Responsibilities and envelopes
The fundamental responsibility of a mailer is
The sender and recipient are identified by their
Internet mail addresses.
This pair of addresses is called an envelope.
- to deliver a specified
to a specified recipient, or
- to notify a specified sender if delivery is not made.
Notifying a sender
means sending a new message,
called a bounce message,
to the envelope sender address.
Bounce messages almost always
identify the undelivered envelope recipient address,
explain why delivery failed,
and include a copy of the header of the undelivered message.
There are dozens of popular formats for this information.
Most mailers, under most circumstances,
will include a copy of the entire undelivered message,
not just the header.
Many users rely on this;
they do not save copies of their outgoing mail.
many mailers do not return copies of large messages,
and some mailers never return copies.
Empty return paths
An envelope may contain an empty string instead of a sender address.
This means that the mailer is relieved of its responsibility
of sending a bounce message in case of failure.
Some mailers notify the local postmaster in this case.
When a mailer sends a bounce message,
it is required to use an empty string in the new envelope.
This prevents bounce loops.
A few sites violate this requirement.
A sender can mail a message to several recipients.
For each recipient, the mailer is responsible for
If several of the deliveries fail,
the mailer can send a single bounce message
showing all the addresses that failed
and explaining what went wrong in each case.
- delivering the message to that recipient, or
- notifying the sender if delivery is not made.
The collection of envelopes here,
each with the same sender address,
is sometimes thought of as a single ``envelope''
showing the sender address and the list of recipient addresses.
It is completely unacceptable for a mailer to lose a message
after it has accepted responsibility for delivering it.
Users do not tolerate frivolous excuses
such as ``the mailer ran out of memory'' or ``the computer crashed.''
The mailer must write the message safely to disk,
in a form that is guaranteed to be recoverable after a crash,
before it accepts responsibility for delivering the message.
the first attempt to deliver a message is stymied by
a temporary problem such as a network outage or a full disk.
High-quality mailers do not
give up on delivery after a single temporary failure;
they wait for a while and then try again.
They give up only if the ``temporary'' problem persists for several days.
Note that, if delivery is made,
the mailer is not responsible for notifying the sender.
This is true even if delivery is delayed.
if the recipient is at the other end of a part-time dialup connection,
and delivery occurs several hours after the message was mailed,
a high-quality mailer will not pester the sender with a deferral notice.
Some mailers corrupt the envelope sender address,
and send subsequent bounces to the wrong address.
This is a violation of the fundamental responsibility of the mailer.
fetchmail, by default,
copies the From address to the envelope sender address.
Note that, for typical mailing-list messages, the From address is a
contributor while the correct envelope sender address is a list manager.
Contributors are generally quite annoyed at receiving bounces
that should have been sent to the list manager.
One sendmail host has been observed changing
user@host into user%host@mx
where mx is the first MX record for host.