| ▲ | Arnt 8 hours ago |
| SHOULD is a requirement. It means that you have to do it unless you know some specific reason that the requirement doesn't apply in your case. "I don't want to" is not a valid excuse, "I don't see a reason to" isn't either. IIRC this particular rule is a SHOULD because MUAs often send messages without a Message-ID to their submission server, and the submission server adds one if necessary. https://www.rfc-editor.org/rfc/rfc6409.html#section-8.3 The SHOULD lets those messages be valid. Low-entropy devices that can't generate a good random ID are rare these days, but old devices remain in service, so the workaround is IMO justified. |
|
| ▲ | BeetleB 4 hours ago | parent | next [-] |
| > SHOULD is a requirement. I once had a job where reading standards documents was my bread and butter. SHOULD is not a requirement. It is a recommendation. For requirements they use SHALL. My team was writing code that was safety related. Bad bugs could mean lives lost. We happily ignored a lot of SHOULDs and were open about it. We did it not because we had a good reason, but because it was convenient. We never justified it. Before our code could be released, everything was audited by a 3rd party auditor. It's totally fine to ignore SHOULD. |
| |
| ▲ | calvinmorrison an hour ago | parent | next [-] | | Email is about standards like browsers were about standards in 2017... | |
| ▲ | seb1204 3 hours ago | parent | prev | next [-] | | Yes, except there seems to be a move on the best words from SHALL to MUST and from SHOULD to MAY.
IANAL but I recall reading this in e.g. legal language guidance sites. | | |
| ▲ | aunderscored 2 hours ago | parent [-] | | RFC language is expmicltly defined in 2119[0]. Any other interpretation is incorrect. [0] https://www.rfc-editor.org/rfc/rfc2119 | | |
| ▲ | Alive-in-2025 2 hours ago | parent [-] | | Thank you for that. So should is optional, people! | | |
| ▲ | strken 34 minutes ago | parent | next [-] | | Pulling exact quotes out, SHOULD means "there may exist valid reasons in particular circumstances to ignore a particular item" while MAY means "an item is truly optional." I don't think this can be interpreted as simply "should is optional". | |
| ▲ | sisve an hour ago | parent | prev [-] | | I think that is a bit to easy. MAY is described ar optional. SHOULD - Should really be there. It's not MUST, you can ignore it but do not come crying if your email is not delivered to some of your customers !
you should have though about that before. |
|
|
| |
| ▲ | dsl 2 hours ago | parent | prev [-] | | Maybe the standards documents you are used to differ from RFCs, but here is the official language: 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
SHOULD is effectively REQUIRED unless it conflicts with another standards requirement or you have a very specific edge case. | | |
| ▲ | jcelerier an hour ago | parent | next [-] | | I just don't understand how you get from the text you pasted to "required". Nowhere does it say that anything is effectively required. Words have meaning. | | |
| ▲ | zdragnar an hour ago | parent [-] | | > the full implications must be understood and carefully weighed before choosing a different course. Note the use of the word "must" used twice there. Barring a sufficiently good reason and accepting the consequences, this becomes a very poorly worded "required". The spec would have been far better starting with SHALL and then carving out the allowance for exceptions. | | |
| ▲ | shakna an hour ago | parent | next [-] | | No, its not a "required"... It means someone may have reasons not to use something, and so spec implementors need to allow for circumstances where it is not present. Those reasons can be anything. Legal, practical, technological, ideaological. You don't know. All you know is not using it is explicitly permitted. | |
| ▲ | WJW 37 minutes ago | parent | prev [-] | | I don't even know how you got to "used twice" tbh. Both your own comment AND the post you quoted from only have a single "must". The only thing that text demands is understanding and carefully weighing the implications. If, having done that, you conclude that you don't want to then there is absolutely nothing in the spec stopping you. Maybe the spec would have been better off putting more stuff in SHALL and less in SHOULD, but as written that is definitely not the case. |
|
| |
| ▲ | andoando 3 minutes ago | parent | prev | next [-] | | required means it must exist, not that it may or may not exist depending on the reason | |
| ▲ | BeetleB 43 minutes ago | parent | prev [-] | | Nope, it's exactly what it says: RECOMMENDED. Any time any document (standards or otherwise) says something is recommended, then of course you should think it through before going against the recommendation. Going from their verbiage to: > SHOULD is effectively REQUIRED unless it conflicts with another standards requirement or you have a very specific edge case. is a fairly big leap. |
|
|
|
| ▲ | st_goliath 8 hours ago | parent | prev | next [-] |
| > "I don't want to" is not a valid excuse for the client. If you're implementing a server, "the client SHOULD but didn't" isn't a valid excuse to reject a client either. You can do it anyway, you might even have good reasons for it, but then you sure don't get to point at the RFC and call the client broken. |
| |
| ▲ | geocar 6 hours ago | parent | next [-] | | > isn't a valid excuse to reject a client either. Yes it absolutely is: https://www.rfc-editor.org/rfc/rfc2119 is quite clear. 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
If the client SHOULD do something and doesn't, and your server does not know why, you SHOULD disconnect and move on.If the server has considered fully the implications of not having a Message-ID header, then it MAY continue processing. In general, you will find most of the Internet specifications are labelled MUST if they are required for the protocol's own state-processing (i.e. as documented), while specifications are labelled SHOULD if they are required for application state-processing in some circumstances (i.e. other users of the protocol). | | |
| ▲ | Dylan16807 4 hours ago | parent | next [-] | | > If the client SHOULD do something and doesn't, and your server does not know why, you SHOULD disconnect and move on. That is not a rule. In this situation the server can reject any message if it wants to, and not doing a SHOULD tests the server's patience, but it's still ultimately in the "server wanted to" category, not the "RFC was violated" category. | | |
| ▲ | geocar 3 hours ago | parent [-] | | You are confused. The RFC is a request for comments. The specific one in question is about Internet Mail. If server implementers want their mail to be delivered these are things they SHOULD do. That's it. It isn't something you can give to your lawyer, and nobody cares about your opinion about what you think "should" means you can make someone else do. This is how it is. | | |
| ▲ | Dylan16807 an hour ago | parent [-] | | You are confused about what I'm doing. I'm not telling anyone what to do. I'm saying what category their actions fall into. And the line of yours I quoted is still not supported by anything. |
|
| |
| ▲ | drecked 3 hours ago | parent | prev | next [-] | | That clearly means it’s not required. How does Google know whether or not the sender has a valid reason? They cannot know that so for them to reject an email for it means they would reject emails that have valid reasons as well. | | |
| ▲ | conductr 2 hours ago | parent | next [-] | | How would the sender know the consequences of sending without the header? You shouldn’t assume anything here. As a sender, you should include it unless you’ve already worked out what the recipient is expecting or how it will be handled. Doing this with email is silly because the client is sennding to so many different servers they know nothing about so it’s basically a requirement to include it. | |
| ▲ | geocar 3 hours ago | parent | prev [-] | | > That clearly means it’s not required. You and I have different definitions of "clearly" It is not required for the protocol of one SMTP client sending one message to one SMTP server, but it is required for many Internet Mail applications to function properly. This one for example, is where if you want to send an email to some sites, you are going to need a Message-ID, so you SHOULD add one if you're the originating mail site. > How does Google know whether or not the sender has a valid reason? If the Sender has a valid reason, they would have responded to the RFC (Request For Comments) telling implementers what they SHOULD do, rather than do their own thing and hope for the best! Google knows the meaning of the word SHOULD. > it means they would reject emails that have valid reasons as well. No shit! They reject spam for example. And there's more than a few RFC's about that. Here's one about spam that specifically talks about using Message-ID: https://datatracker.ietf.org/doc/html/rfc2635 |
| |
| ▲ | buran77 3 hours ago | parent | prev | next [-] | | > If the server has considered fully the implications The server "considers" nothing. The considerations are for the human implementers to make when building their software. And they can never presume to know why the software on the other side is working a certain way. Only that the RFC didn't make something mandatory. The rejection isn't to be compliant with the RFC, it's a choice made by the server implementers. | |
| ▲ | hsbauauvhabzb 5 hours ago | parent | prev [-] | | Either the server must explicitly confirm to servers or the clients must accept everything. Otherwise message delivery is not guaranteed. In the context of an email protocol, this often is a silent failure which causes real-world problems. I don’t care what the protocol rfc says, the client arbitrarily rejecting an email from the server for some missing unimportant header (for deduction detection?) is silly. | | |
| ▲ | behringer 4 hours ago | parent [-] | | If it was unimportant it would be MAY. | | |
| ▲ | hsbauauvhabzb 3 hours ago | parent [-] | | Is the server somehow unable to inject an ID if the sender did not send one? Stop hiding behind policy and think for yourself. | | |
| ▲ | geocar 2 hours ago | parent [-] | | > Is the server somehow unable to inject an ID if the sender did not send one? Yes. https://www.rfc-editor.org/rfc/rfc2821#section-6.3 refers to servers that do this and says very clearly: These changes MUST NOT be applied by an SMTP server that
provides an intermediate relay function.
That's Google in this situation.> Stop hiding behind policy and think for yourself. Sometimes you should think for yourself, but sometimes, and friend let me tell you this is one of those times, you should take some time to read all of the things that other people have thought about a subject, especially when that subject is as big and old as email. There is no good reason viva couldn't make a Message-ID, but there's a good reason to believe they can't handle delivery status notifications, and if they can't do that, they are causing bigger problems than just this. |
|
|
|
| |
| ▲ | Veserv 6 hours ago | parent | prev | next [-] | | You are describing MAY. “MAY This word, or the adjective "OPTIONAL", mean that an item is truly optional… An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)” Note how it explicitly calls out interoperation with implementations that do or do not implement MAY. As a exception that proves the rule, we can reasonably assume that not interoperating with a system ignoring a SHOULD rule is a correct implementation and it is the fault of whoever is not implementing SHOULD. | |
| ▲ | Arnt 7 hours ago | parent | prev [-] | | Hearsay has it that the reason is spam. Spam messages are said to have massively higher chances of minor RFC violations when they arrive at the destination server. | | |
| ▲ | shadowgovt 6 hours ago | parent [-] | | Most of the time, in my experience, when one encounters a situation like this in Internet tech (i.e. "why is this suggestion treated like a hard requirement?"), this is the answer: "because attackers found a way to exploit the lack of the suggestion's implementation in the wild, so it is now a hard requirement." The standards, to my observation, tend to lag the CVEs. Side-note: If someone has built a reverse-database that annotates RFCs with overriding CVEs that have invalidated or rendered harmful part of the spec, I'd love to put that in my toolbox. It'd be nice-to-have in the extreme if it hasn't been created yet. | | |
| ▲ | atherton94027 6 hours ago | parent [-] | | How is not having a message-id a security risk? It seems that Gmail is being pedantic for no reason | | |
| ▲ | geocar 6 hours ago | parent | next [-] | | > How is not having a message-id a security risk? CVE classify a lot of things that have nothing to do with security. Not having a Message-ID can cause problems for loop-detection (especially on busy netnews and mailing lists), and with reliable delivery status notification. Dealing with these things for clients who can't read the RFC wastes memory and time which can potentially deny legitimate users access to services > It seems that Gmail is being pedantic for no reason Now you know that feeling is just ignorance. | | |
| ▲ | hsbauauvhabzb 5 hours ago | parent [-] | | So add a message id at the first stop, or hard ban the sender server version until they confirm. A midway point that involves a doom switch is not a good option. | | |
| ▲ | geocar 3 hours ago | parent [-] | | > So add a message id at the first stop That should have already happened. Google is not the "first stop". > hard ban the sender server version until they confirm SMTP clients do not announce their version. Also I don't work for you, stop telling me what to do. > A midway point that involves a doom switch is not a good option. No shit. That's almost certainly a big part of why Google blocks messages from being transited without a Message-ID. |
|
| |
| ▲ | shadowgovt 3 hours ago | parent | prev [-] | | Because in practice it showed up for a period of time as a common thing in spam-senders. They were trying to maximize throughput and minimize software maintenance costs, so they leave out things that the spec says are optional. But that makes "a commonly-implemented optional thing was left out" into a stronger spam signal. Is it still a strong spam signal? Hard to say. Sources disagree. But as with laws, heuristics, once added, are often sticky. |
|
|
|
|
|
| ▲ | L_226 8 hours ago | parent | prev | next [-] |
| As someone who does systems engineering, the only valid requirements include the word "shall". |
| |
| ▲ | stackskipton 8 hours ago | parent | next [-] | | As someone else who does System Engineering, when dealing with ancient protocols, "shall" is extremely difficult barrier to get over since there is always ancient stuff out there and there might be cases not to do it, esp if it's internal communication. "SHOULD" is basically, if you control both sides of conversation, you can decide if it's required looking at your requirements. If you are talking between systems where you don't control both sides of conversation, you should do all "SHOULD" requirements with fail back in cases where other side won't understand you. If for reason you don't do "SHOULD" requirement, reason should be a blog article that people understand. For example, "SHOULD" requirement would be "all deployable artifacts SHOULD be packaged in OCI container". There are cases where "SHOULD" doesn't work but those are well documented. | | |
| ▲ | josephg 4 hours ago | parent [-] | | > … when dealing with ancient protocols I’m doing some work with an email company at the moment. The company has been in the email space for decades. Holy moly email is just full of stuff like this. There is an insane amount of institutional knowledge about how email actually works - not what the specs say but what email servers need to actually do to process real emails and deal with real email clients and servers. The rfcs try to keep up, but they’re missing a lot of details and all important context for why recommendations are as they are, and what you actually need to do to actually process real email you see in the wild. (And talk to the long tail of email software). This conversation makes me think about cornering some of the engineers with a microphone. It’d be great to talk through the specs with them, to capture some of that missing commentary. |
| |
| ▲ | opto 8 hours ago | parent | prev | next [-] | | In a completely different field, navigating ships at sea, the Collision Regulations which define how people must conduct ships at sea, they use the words "Shall" and "May" to differentiate legal requirements and what may just be best practice. "Should" intuitively means something more like "May" to me | | |
| ▲ | Arnt 7 hours ago | parent [-] | | Happily, the meanings in RFCs are clearly specified, see https://www.rfc-editor.org/rfc/rfc2119. Note "the full implications must be understood and carefully weighed before choosing a different course". Gmail and the other big hosters have full-time spam teams who spend a lot of time weighing implications, so I assume the implications of this was weighed. | | |
| |
| ▲ | sas224dbm 6 hours ago | parent | prev [-] | | "shall" and "must" |
|
|
| ▲ | gerdesj 6 minutes ago | parent | prev | next [-] |
| SHOULD is not MUST |
|
| ▲ | 2 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | SecretDreams 4 hours ago | parent | prev | next [-] |
| Should = internal target Must = external requirement I cannot fathom how you think should* would act as a requirement in any sense of the world. |
|
| ▲ | almosthere 7 hours ago | parent | prev [-] |
| The original email RFC is also completely unaware of how bad spam is. Sure it might mention it but it's not really AWARE of the problem. The truth is, companies like Google, Microsoft and a few others have de-facto adjusted the minimum requirements for an email. Signing, anti-spam-agreements, etc.. are the true standard if you want an email to get from point a to b. (none of which are going to be REQUIRED in the RFC) |
