Variable Envelope Return Paths
D. J. Bernstein, djb@pobox.com
19970201


1. Introduction

   The fundamental problem in managing a large mailing list is matching
   bounce messages to subscription addresses.

   Often a bounce message refers to a failing address that does not
   appear on the mailing list. One of the mailing list subscribers is
   forwarding messages to that address. Which subscriber? As the list
   grows, this question becomes more and more difficult to answer.

   Sometimes a bounce message doesn't identify the address that failed.
   On occasion it doesn't even include a copy of the original message.
   See RFC 1211 for an extensive collection of horror stories.

   In theory, one could solve this problem with the DSN option and DSN
   format described in RFC 1891, RFC 1892, and RFC 1894. Unfortunately,
   the DSN option is useless unless it is supported by every
   intermediate MTA. The complexity of RFC 1891 means that it will be
   many years, perhaps infinitely many, before DSNs are universally
   supported. Furthermore, the complexity of RFC 1894 means that parsing
   the subscriber address is difficult even on the occasions that the
   address is available.

   Variable envelope return paths (VERPs) completely eliminate this
   problem _right now_. They automatically and reliably identify the
   subscription address relevant to each bounce message. They provide
   the address in a form that is trivial for automated bounce handlers
   to parse. They require support from the local mailer, but they do not
   require support from any other hosts.


2. Variable envelope return paths

   Here is how VERPs work: each recipient of the message sees a
   different envelope sender address. When a message to the
   djb-sos@silverton.berkeley.edu mailing list is sent to
   God@heaven.af.mil, for example, it has the following envelope sender:

      djb-sos-owner-God=heaven.af.mil@silverton.berkeley.edu

   If the message bounces, the bounce message will be sent back to
   djb-sos-owner-God=heaven.af.mil@silverton.berkeley.edu.

   If God is forwarding His mail, the bounce message will still go to
   djb-sos-owner-God=heaven.af.mil@silverton.berkeley.edu. No matter how
   uninformative the bounce message is, it will display God's
   subscription address in its envelope.

   Another benefit of VERPs is that God Himself can see what address He
   used to subscribe.

   Making VERPs work requires two pieces of local software support.
   First: it must be easy to modify the outgoing sender address
   separately for each envelope recipient. For example, with one mailer,
   qmail, a user can simply touch ~/.qmail-list-owner and
   ~/.qmail-list-owner-default to apply VERPs to user-list.

   Second, and more important: it must be easy to identify a collection
   of addresses, such as djb-sos-owner-*, and send all mail for those
   addresses to one place, while preserving the * information. Under
   qmail, all user-list-owner-* mail will be sent to the user once he
   touches ~/.qmail-list-owner-default. Sending the mail through an
   automated bounce-handling program is just as easy.

   With older mailers, applying VERPs would require setting up a new
   user-list-owner-recipient alias for each new recipient. This
   inconvenience has prevented VERPs from being widely exploited, even
   though the idea is not new.


3. Per-message VERPs

   VERPs are not restricted to distinguishing mailing list subscribers;
   they can also be used to distinguish messages.

   For example, a user can send one message with an envelope sender
   address of user-dsn-1, the next message with user-dsn-2, and so on.
   As long as the local mailer gives all user-dsn-* back to that user,
   he can reliably match up incoming bounces with outgoing messages.

   Per-message VERPs can be combined with per-recipient VERPs. Every
   application of RFC 1891's ORCPT and ENVID can be handled with
   VERPs---easily, reliably, and right now.