Variable Envelope Return Paths
D. J. Bernstein, firstname.lastname@example.org
The fundamental problem in managing a large mailing list is matching
bounce messages to subscription addresses.
Often a bounce message refers to a failing address that does not
appear on the mailing list. One of the mailing list subscribers is
forwarding messages to that address. Which subscriber? As the list
grows, this question becomes more and more difficult to answer.
Sometimes a bounce message doesn't identify the address that failed.
On occasion it doesn't even include a copy of the original message.
See RFC 1211 for an extensive collection of horror stories.
In theory, one could solve this problem with the DSN option and DSN
format described in RFC 1891, RFC 1892, and RFC 1894. Unfortunately,
the DSN option is useless unless it is supported by every
intermediate MTA. The complexity of RFC 1891 means that it will be
many years, perhaps infinitely many, before DSNs are universally
supported. Furthermore, the complexity of RFC 1894 means that parsing
the subscriber address is difficult even on the occasions that the
address is available.
Variable envelope return paths (VERPs) completely eliminate this
problem _right now_. They automatically and reliably identify the
subscription address relevant to each bounce message. They provide
the address in a form that is trivial for automated bounce handlers
to parse. They require support from the local mailer, but they do not
require support from any other hosts.
2. Variable envelope return paths
Here is how VERPs work: each recipient of the message sees a
different envelope sender address. When a message to the
email@example.com mailing list is sent to
God@heaven.af.mil, for example, it has the following envelope sender:
If the message bounces, the bounce message will be sent back to
If God is forwarding His mail, the bounce message will still go to
djb-sos-owner-Godfirstname.lastname@example.org. No matter how
uninformative the bounce message is, it will display God's
subscription address in its envelope.
Another benefit of VERPs is that God Himself can see what address He
used to subscribe.
Making VERPs work requires two pieces of local software support.
First: it must be easy to modify the outgoing sender address
separately for each envelope recipient. For example, with one mailer,
qmail, a user can simply touch ~/.qmail-list-owner and
~/.qmail-list-owner-default to apply VERPs to user-list.
Second, and more important: it must be easy to identify a collection
of addresses, such as djb-sos-owner-*, and send all mail for those
addresses to one place, while preserving the * information. Under
qmail, all user-list-owner-* mail will be sent to the user once he
touches ~/.qmail-list-owner-default. Sending the mail through an
automated bounce-handling program is just as easy.
With older mailers, applying VERPs would require setting up a new
user-list-owner-recipient alias for each new recipient. This
inconvenience has prevented VERPs from being widely exploited, even
though the idea is not new.
3. Per-message VERPs
VERPs are not restricted to distinguishing mailing list subscribers;
they can also be used to distinguish messages.
For example, a user can send one message with an envelope sender
address of user-dsn-1, the next message with user-dsn-2, and so on.
As long as the local mailer gives all user-dsn-* back to that user,
he can reliably match up incoming bounces with outgoing messages.
Per-message VERPs can be combined with per-recipient VERPs. Every
application of RFC 1891's ORCPT and ENVID can be handled with
VERPs---easily, reliably, and right now.