The qmail-send Bounce Message Format (QSBMF)
D. J. Bernstein, email@example.com
When a message transport agent (MTA) finds itself permanently unable
to deliver a mail message, it generates a new message, generally
known as a bounce message, back to the envelope sender.
Bounce messages produced by the qmail-send program display the list
of failed recipient addresses, an explanation for each address, and a
copy of the original message, in a format that is easy for both
humans and programs to read. For example:
Date: 17 Mar 1996 03:54:40 -0000
Subject: failure notice
Hi. This is the qmail-send program at silverton.berkeley.edu.
I'm afraid I wasn't able to deliver your message to the
following addresses. This is a permanent error; I've given up.
Sorry it didn't work out.
Sorry, I couldn't find any host by that name.
--- Below this line is a copy of the message.
Received: (qmail 317 invoked by uid 7); 17 Mar 1996 03:54:38 -0000
Date: 17 Mar 1996 03:54:38 -0000
From: firstname.lastname@example.org (D. J. Bernstein)
Subject: are you there?
This document defines qmail-send's format for bounce messages.
In this document, a string of 8-bit bytes may be written in two
different forms: as a series of hexadecimal numbers between angle
brackets, or as a sequence of ASCII characters between double quotes.
For example, <68 65 6c 6c 6f 20 77 6f 72 6c 64 21> is a string of
length 12; it is the same as the string "hello world!".
A bounce message may be recognized as QSBMF as follows: its body
begins with the characters "Hi. This is the" exactly as shown.
The body of the message has four pieces: an introductory paragraph,
zero or more recipient paragraphs, a break paragraph, and the
Each paragraph is a series of non-blank lines followed by a single
blank line. The break paragraph begins with the character "-". All
other paragraphs begin with characters other than "-". The break
paragraph is human-readable but provides no interesting information.
The introductory paragraph is human-readable. It gives the name and
human-comprehensible location of the MTA, but parsers should not
attempt to use this information.
The only type of recipient paragraph described here is a failure
paragraph, which begins with the character "<". Paragraphs beginning
with other characters are reserved for future extensions.
The first line of a failure paragraph ends with the characters ">:".
Everything between the leading "<" and the trailing ">:" is an
(unquoted) Internet mail address.
A failure paragraph asserts that the MTA was permanently unable to
deliver the message to the mail address shown on the first line; the
MTA will not attempt further deliveries to that address. The
remaining lines of the paragraph give a human-readable description of
the reason for failure. Descriptions beginning with <20>, and
descriptions containing "#", are reserved for future extensions.
The envelope sender might not have sent his message to the address
shown. There are two reasons for this. First, the MTA may freely
replace unprintable characters with "_". Second, the original
recipient address may have been an alias for the address shown.
The original message is an exact copy of the message received by the
MTA, including both header and body, preceded by a Return-Path field
showing the envelope sender.
3. Comparison with 1892/1894
RFC 1892 and RFC 1894 together describe a format for delivery status
notifications. I have decided not to use that format, because I
believe that its complexity will prevent wide implementation and
increase the burden on people who manage mailing lists.
QSBMF is dedicated to failure reports, whereas RFC 1894 allows
success reports and deferral reports. Although it would be possible
to add deferral paragraphs and success paragraphs to QSBMF, it would
be even easier to design separate formats for such notices. I have
trouble reading mixed failure/deferral reports.
QSBMF always returns the entire original message. RFC 1892 allows
the MTA to return nothing or to return just the headers; it states
``Return of content may be wasteful of network bandwidth.'' However,
failure notices are very rare, so the overall loss of bandwidth in
this case is insignificant. A much more important issue is storage
space: someone who manages a big mailing list does not want to have
to store several copies of each message in the form of bounces. The
best solution is to have each bounce automatically fed through a
program that stores only the critical information. I expect such
programs to spring up quickly for QSBMF.
RFC 1894 provides language-independent error messages, as described
by RFC 1893. One can achieve the same results more easily by adding
structure to the human-readable failure descriptions, for example
RFC 1894 is able to communicate an ``envelope ID'' and the original
envelope recipient address specified by the sender. Unfortunately,
this information will almost never be available, since it requires
support by every intermediate MTA. All of the applications of this
information can be handled reliably, right now, with VERPs; this
requires support from the sender's MTA but not from other hosts.
RFC 1894 includes several pieces of information that might be of
human interest but can be seen just as easily from Received lines:
the name of the MTA where delivery failed, the name of the previous
MTA, timestamps, etc.
All of these RFC 1894 features have a cost: complexity. A program
cannot parse an 1894 report without parsing RFC 822 header fields
and understanding quite a bit of MIME. This will limit the
availability of parsing software. In the meantime, such reports are
annoying to mailing list maintainers, since they are full of
uninteresting information and are difficult to parse visually.
4. Security considerations
Bounce messages may be forged. Never remove someone from a mailing
list without sending him a message stating that you are doing so,
even if the reason for removal is a series of apparent bounce
messages from his address.
If you send a message along a secret path, you should change the
envelope sender address of the message to yourself, so that a bounce
will not reveal anything to the original sender. In other words: for
secret forwarding, use a mailing list, not a forwarder.
See RFC 1894 for further discussion of these points.