SMTP allows for multiple FROM addresses in the RFC. Was this ever useful, why does this exist?

CHI Coder 007 asked:

SMTP allows for multiple FROM addresses on the body (not the envelope) according to the RFCs.

Has this feature ever been used for a legitimate purpose?

Is it safe to discard messages that have multiple FROM addresses?

My answer:

RFC 822 actually gives an example of this usage. It required (Section 4.4) that the Sender: header be present when it was used.

     A.2.7.  Agent for member of a committee

             George's secretary sends out a message which was authored
        jointly by all the members of a committee.  Note that the name
        of the committee cannot be specified, since <group> names  are
        not permitted in the From field.

            From:   [email protected],
                    [email protected],
                    [email protected]
            Sender: [email protected]

RFC 2822, which obsoleted it, continued to explicitly allow this particular construction (Section 3.6.2).

   from            =       "From:" mailbox-list CRLF

   mailbox-list    =       (mailbox *("," mailbox)) / obs-mbox-list

In the current standard, RFC 5322, this is unchanged, and multiple addresses are still explicitly allowed (Section 3.6.2).

   The from field consists of the field name "From" and a comma-
   separated list of one or more mailbox specifications.  If the from
   field contains more than one mailbox specification in the mailbox-
   list, then the sender field, containing the field name "Sender" and a
   single mailbox specification, MUST appear in the message.

Was it ever useful? Yes, and it still is, for exactly the sort of scenario shown in the ancient example. Messages with multiple authors are supposed to have all of them listed in the From: header, with the Sender: set to the person who actually hit Send in their email program.

   The originator fields indicate the mailbox(es) of the source of the
   message.  The "From:" field specifies the author(s) of the message,
   that is, the mailbox(es) of the person(s) or system(s) responsible
   for the writing of the message.  The "Sender:" field specifies the
   mailbox of the agent responsible for the actual transmission of the
   message.  For example, if a secretary were to send a message for
   another person, the mailbox of the secretary would appear in the
   "Sender:" field and the mailbox of the actual author would appear in
   the "From:" field.  If the originator of the message can be indicated
   by a single mailbox and the author and transmitter are identical, the
   "Sender:" field SHOULD NOT be used.  Otherwise, both fields SHOULD

In practice on the public Internet, messages in which this is done are uncommon, though they do occur, especially in enterprise and academic environments where it’s much more common for one person to send email on behalf of another, or of a group.

I’ve never actually seen spam that does this (and got through all my other controls). I would generally consider it unsafe to discard or raise the spam score of such a message.

View the full question and any other answers on Server Fault.
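
A way to check the RFC 5322 Section 3.6.2 rule quoted above instead of discarding such mail on sight, as an added example that is not part of the original answer. It uses Python's standard `email` package; the function name, verdict labels and sample messages are constructed for illustration.

```python
from email import message_from_string, policy


def classify_originator(raw: str) -> str:
    """Classify the originator fields of a raw message (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)

    # RFC 5322 allows exactly one From: field; it may list several mailboxes.
    from_fields = msg.get_all("From", [])
    if not from_fields:
        return "no-from"
    if len(from_fields) > 1:
        return "duplicate-from-fields"

    authors = from_fields[0].addresses  # parsed mailbox-list
    if not authors:
        return "no-from"
    if len(authors) == 1:
        return "single-author"

    # More than one author: Sender: MUST appear and name a single mailbox.
    sender_fields = msg.get_all("Sender", [])
    if len(sender_fields) == 1 and len(sender_fields[0].addresses) == 1:
        return "multi-author-with-sender"
    return "multi-author-missing-sender"


# Constructed sample messages (example domains, not taken from the page).
COMMITTEE = (
    "From: Jones <jones@a.example>,\n"
    " smith@b.example,\n"
    " doe@c.example\n"
    "Sender: secy@a.example\n"
    "Subject: Committee report\n\nJoint text.\n"
)
NO_SENDER = (
    "From: jones@a.example, smith@b.example\n"
    "Subject: Report\n\nText.\n"
)
SINGLE = "From: jones@a.example\nSubject: Hi\n\nText.\n"
DUPLICATE = (
    "From: jones@a.example\n"
    "From: smith@b.example\n"
    "Subject: Hi\n\nText.\n"
)

if __name__ == "__main__":
    for name in ("COMMITTEE", "NO_SENDER", "SINGLE", "DUPLICATE"):
        print(name, "->", classify_originator(globals()[name]))
```

A single `From:` field listing several mailboxes is a different case from several `From:` fields, which the field-count rules in RFC 5322 do not permit; the helper reports the two separately.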

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.