D. J. Bernstein
Internet mail
Internet mail infrastructure

Responsibilities and envelopes

The fundamental responsibility of a mailer is The sender and recipient are identified by their Internet mail addresses. This pair of addresses is called an envelope.


Notifying a sender means sending a new message, called a bounce message, to the envelope sender address.

Bounce messages almost always identify the undelivered envelope recipient address, explain why delivery failed, and include a copy of the header of the undelivered message. There are dozens of popular formats for this information.

Most mailers, under most circumstances, will include a copy of the entire undelivered message, not just the header. Many users rely on this; they do not save copies of their outgoing mail. However, many mailers do not return copies of large messages, and some mailers never return copies.

Empty return paths

An envelope may contain an empty string instead of a sender address. This means that the mailer is relieved of its responsibility of sending a bounce message in case of failure. Some mailers notify the local postmaster in this case.

When a mailer sends a bounce message, it is required to use an empty string in the new envelope. This prevents bounce loops. A few sites violate this requirement.

Multiple recipients

A sender can mail a message to several recipients. For each recipient, the mailer is responsible for If several of the deliveries fail, the mailer can send a single bounce message showing all the addresses that failed and explaining what went wrong in each case.

The collection of envelopes here, each with the same sender address, is sometimes thought of as a single ``envelope'' showing the sender address and the list of recipient addresses.
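The bounce rules from the two sections above, as an added Python example (not code from the original page or from any real mailer): one bounce lists every failed recipient and is sent with an empty envelope sender, and no bounce is produced when the failed message itself has an empty return path. The addresses, the mailbox set, the bounce header and the names `attempt`, `process` and `trace` are constructed for illustration, and only permanent failures are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    sender: str          # envelope sender; "" is the empty return path
    recipients: tuple    # envelope recipients
    header: str
    body: str = ""

# Constructed sample data: the only mailbox that exists in this example.
MAILBOXES = {"alice@example.org"}

def attempt(recipient):
    """Hypothetical delivery attempt: None on success, else a failure reason."""
    return None if recipient in MAILBOXES else "no such mailbox"

def process(msg):
    """Try every recipient; return the single bounce Message, or None."""
    failures = {}
    for rcpt in msg.recipients:
        reason = attempt(rcpt)
        if reason is not None:
            failures[rcpt] = reason
    if not failures:
        return None      # delivered everywhere: the sender is not notified
    if msg.sender == "":
        return None      # empty return path: no bounce is owed
    report = "\n".join(f"<{r}>: {why}" for r, why in failures.items())
    return Message(
        sender="",       # required for bounces; this is what prevents loops
        recipients=(msg.sender,),
        header="Subject: failure notice",   # constructed header
        body=report + "\n\n--- Header of undelivered message ---\n" + msg.header,
    )

def trace(msg):
    """Follow a message and every bounce it causes; return the bounces."""
    bounces = []
    while (msg := process(msg)) is not None:
        bounces.append(msg)
    return bounces

# Constructed case: the sender address itself is undeliverable.
ORIGINAL = Message(
    sender="ghost@example.org",
    recipients=("alice@example.org", "bob@example.org", "carol@example.org"),
    header="From: ghost@example.org\nSubject: hello",
)

if __name__ == "__main__":
    for b in trace(ORIGINAL):
        print(f"bounce to {b.recipients[0]} with sender {b.sender!r}\n{b.body}")
```

Because the bounce to the nonexistent sender fails in turn but carries an empty return path, `trace` stops after one bounce; a mailer that put its own address in that envelope instead would keep generating bounces.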

Quality issues

It is completely unacceptable for a mailer to lose a message after it has accepted responsibility for delivering it. Users do not tolerate frivolous excuses such as ``the mailer ran out of memory'' or ``the computer crashed.'' The mailer must write the message safely to disk, in a form that is guaranteed to be recoverable after a crash, before it accepts responsibility for delivering the message.

Sometimes the first attempt to deliver a message is stymied by a temporary problem such as a network outage or a full disk. High-quality mailers do not give up on delivery after a single temporary failure; they wait for a while and then try again. They give up only if the ``temporary'' problem persists for several days.

Note that, if delivery is made, the mailer is not responsible for notifying the sender. This is true even if delivery is delayed. For example, if the recipient is at the other end of a part-time dialup connection, and delivery occurs several hours after the message was mailed, a high-quality mailer will not pester the sender with a deferral notice.

Some mailers corrupt the envelope sender address, and send subsequent bounces to the wrong address. This is a violation of the fundamental responsibility of the mailer. Examples: