The Sender Rewriting Scheme (SRS) is a scheme for bypassing the

Sender Policy Framework Sender Policy Framework (SPF) is an email authentication method that ensures the sending mail server is authorized to originate mail from the email sender's domain. This authentication only applies to the email sender listed in the "envelope from ...

's (SPF) methods of preventing forged sender addresses. Forging a sender address is also known as

email spoofing Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unre ...

Background

In a number of cases, including change of email address and mailing lists, a

message transfer agent Within the Internet email system, a message transfer agent (MTA), mail transfer agent, or mail relay is software that transfers electronic mail messages from one computer to another using the Simple Mail Transfer Protocol. In some contexts, the a ...

(MTA) accepts an email message that is not destined to a local mailbox but needs to be forwarded. In such cases, the question arises of who should receive any related

bounce message A bounce message or just "bounce" is an automated message from an email system, informing the sender of a previous message that the message has not been delivered (or some other delivery problem occurred). The original message is said to have "boun ...

. Generally, that is the author, or a person or other entity who administers the forwarding itself. Sending bounces to the author is administratively simpler and was previously accomplished by keeping the original envelope sender. However, if the author address is subject to a strict SPF policy () and the target MTA enforces SPF, the forwarding transaction can be rejected. As a workaround, it is possible to synthesize a temporary bounce address on the fly that will direct any bounce back to the current MTA. The scheme provides a way to recover the original envelope address so that if a bounce does arrive, it can be forwarded along the reverse path, but this time with an empty envelope sender. While there are other workarounds, SRS is a fairly general one. Its notion of reversing the path resembles the original routing dispositions for email, see

below Below may refer to: *Earth *Ground (disambiguation) *Soil *Floor * Bottom (disambiguation) *Less than *Temperatures below freezing *Hell or underworld People with the surname * Ernst von Below (1863–1955), German World War I general * Fred Belo ...

. Using the SRS protocol will fail the SPF Alignment check on

DMARC Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Th ...

records by design. DMARC records can still pass with a DKIM check.

The rewriting scheme

SRS is a form of variable envelope return path (VERP) inasmuch as it encodes the original envelope sender in the local part of the rewritten address. Consider ' forwarding a message originally destined to to his new address : ORIGINAL : : REWRITTEN : : The example above is adapted from Shevek. With respect to VERP, the local part () is moved after her domain name (), further adding a prefix (), a hash ('), and a timestamp ('). This reflects an operational difference: Eventual bounces back to a VERP address are handled within the rewriting domain, and forged messages can at most unsubscribe some users, a kind of abuse that hasn't seen significant exploits in the last decades. Instead, SRS aims at re-mailing a possible bounce back to ''Alice'', so that forged bounces can become an alluring technique for injecting spam apparently originating from the rewriting sender. * The local part, in this case , is moved because it may contain equal signs (=), so putting it at an extremity of the rewritten local part makes the latter parseable. * The timestamp (') has a one-day resolution in order to make the address invalid after a few days. Computed as , it can be stored as a two

base32 Base32 is an encoding method based on the Radix, base-32 numeral system. It uses an alphabet of 32 Numerical digit, digits, each of which represents a different combination of 5 bits (25). Since base32 is not very widely adopted, the question of no ...

characters, with a recycling period of about 3.5 years. * The hash-based message authentication code (') is computed against a local secret, but only a part of it is used; for example, storing the first 4 characters of a

base64 In computer programming, Base64 is a group of binary-to-text encoding schemes that transforms binary data into a sequence of printable characters, limited to a set of 64 unique characters. More specifically, the source binary data is taken 6 bits ...

representation provides 24

bits of security In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of " bits of security" (also security strength ...

. The hash is checked by the domain who generated it, in case a bounce arrives. * The prefix, , is meant to disambiguate regular addresses from rewritten ones; it is up to ''example.com'' to ensure that none of its users has an email address starting with . SRS provides for another prefix, , to be used for rewriting an already rewritten address, in a multi-hop scenario. If ' has to forward the message in turn, it can spare adding another timestamp and repeating the original local part (). That is, each new forwarder adds its own hash (') and the domain name of the preceding forwarder: FURTHER REWRITTEN : :

Database alternative

Using a database can control the growth of rewritten addresses, since it is sufficient to insert a unique key in the rewritten local part. It also allows for a certain amount of anonymity in the resending process, if this is desired. However, a database requires centralization and can be a single point of failure.

Header field alternative

Another possibility is to store the long rewritten address somewhere in the message header. The = tag of a DKIM-Signature may be a good place, as such choice considerably improves the security, and this technique has been observed. Unless there is a backup mechanism, it can only work if the bounce message is in a standard format.

Historical background

Historically, all mail transfer agents (MTAs) added their host name to the '' reverse path''. In the

Simple Mail Transfer Protocol The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typ ...

(SMTP) this ''reverse path'' is also known as , but paths were also used before and outside of SMTP, e.g. as '' bang paths'' in

UUCP UUCP (Unix-to-Unix Copy) is a suite of computer programs and communications protocol, protocols allowing remote execution of commands and transfer of computer file, files, email and netnews between computers. A command named is one of the prog ...

and

Usenet Usenet (), a portmanteau of User's Network, is a worldwide distributed discussion system available on computers. It was developed from the general-purpose UUCP, Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Elli ...

(Net-News). All news articles still contain a header, example: : The same information in an RFC 5321 e-mail ''envelope'' - that is the SMTP info like - would be: # : # : The 1st step reflects the sender, the 2nd step the next MTA, etc. In this example, the 2nd MTA forwards the mail to a 3rd MTA, where it is finally delivered. The final MTA is also known as

Mail delivery agent A message delivery agent (MDA), or mail delivery agent, is a computer software component that is responsible for the delivery of e-mail messages to a local recipient's mailbox. It is also called a local delivery agent (LDA). Within the Internet ...

(MDA), putting the mail into the mailbox of the recipient. The MDA transforms the ''reverse path'' into the known header field: : SMTP uses

MX record A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS). It is possible to configure several MX records, typically ...

s for its forward routing. Explicit source routes as in... : ...to route mail from via MTA to MDA were cumbersome. In some cases, the ''new'' (1982) style of addresses was mixed with old UUCP ''bang paths'' in constructs like... ...and various other kludges. SMTP and MX records rendered this method unnecessary. Therefore, source routing was deprecated in 1989 in RFC 1123. One special case in RFC 1123 are gateways from or to other networks like UUCP and NetNews, where the first sending MTA cannot reach the final receiver directly with TCP. It is solved by MX records and if necessary rewriting foreign addresses at the gateway. MX is an acronym for Mail eXchanger. Another special case are

mailing list A mailing list is a collection of names and addresses used by an individual or an organization to send material to multiple recipients. Mailing lists are often rented or sold. If rented, the renter agrees to use the mailing list only at contra ...

s, where the list server rewrites all ''reverse paths'' to its own error handling address for bounces (error messages) by recipients. The list server could automatically unsubscribe bouncing recipients. This type of address rewriting is known since RFC 821 and still used today (RFC 5321, as well as RFC 2821, updated the SMTP chapter in RFC 1123). Forwarding to another address has always worked by rewriting the address in the ''forward path'' also known as , if and only if the forwarding MTA accepted the responsibility for both forwarding the mail and returning potential bounce messages to the sender. RFC 821 and all later SMTP specifications offer two result codes for this situation: * * For privacy reasons, these result codes are today rarely used; they include the or . As noted, RFC 1123 deprecated source routing, thus implicitly deprecating the reverse routing of bounces. Since RFC 1123, forwarders to third parties still rewrite the address, but keep the as is. As a side effect, MTAs wishing to accept mail from forwarders generally accept any address. RFC 5321, as well as RFC 2821, states that non-delivery reports ( bounces) must be sent to the ''originator'' as ''indicated in the reverse path'' after an MTA accepted the responsibility for delivery. However, the bounce message may be suppressed when the original content is ''hostile'' (cf. spam or virus mail) or the message is forged (RFC 5321, Section 6). Note that all current forgery detection methods require the mailbox owner to supply information for them to work. Failing to supply the criteria should not make any bounce message classifiable as

backscatter In physics, backscatter (or backscattering) is the reflection of waves, particles, or signals back to the direction from which they came. It is usually a diffuse reflection due to scattering, as opposed to specular reflection as from a mirror, ...

, although some people mistakenly think it should. Open relays and forwarders generally cannot guarantee that the address indicates the ''originator'', and cannot guarantee that final delivery will succeed. This SMTP problem caused as a side effect of RFC 1123 is addressed by SPF. Receivers can arrange their forwarding in a way that works with SPF with a variety of strategies: # not checking SPF behind their border, e.g. ''white list'' forwarders # rejecting, resulting in a bounce () # rewriting the at the forwarder (as done by mailing lists) Sender Rewriting Scheme (SRS) is one way for the third strategy.

References

{{Reflist