AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 24 Configuring Routing and Delivery Features
Bounce Verification
Note that you can use Bounce Verification to manage incoming bounce messages based on your outgoing
mail. To control how your appliance generates outgoing bounces (based on incoming mail), see
Directing Bounced Email, page 24-35.
Related Topics
• Overview: Tagging and Bounce Verification, page 24-52
• Accepting Legitimate Untagged Bounced Messages, page 24-53
• Preventing a Bounced Message Storm Using Bounce Verification, page 24-54
Overview: Tagging and Bounce Verification
When sending email with bounce verification enabled, your appliance will rewrite the Envelope Sender
address in the message. For example, MAIL FROM: joe@example.com becomes
MAIL FROM: prvs=joe=123ABCDEFG@example.com. The 123... string in the example is the “bounce verification tag”
that gets added to the Envelope Sender as it is sent by your appliance. The tag is generated using a key
defined in the Bounce Verification settings (see Bounce Verification Address Tagging Keys, page 24-53
for more information about specifying a key). If this message bounces, the Envelope Recipient address
in the bounce will typically include this bounce verification tag.
You can enable or disable bounce verification tagging system-wide as a default. You can also enable or
disable bounce verification tagging for specific domains. In most situations, you would enable it by
default, and then list specific domains to exclude in the Destination Controls table (see Working with
Destination Controls, page 24-44).
If a message already contains a tagged address, AsyncOS does not add another tag (as when an
appliance delivers a bounce message to an appliance inside the DMZ).
Related Topics
• Handling Incoming Bounce Messages, page 24-52
• Bounce Verification Address Tagging Keys, page 24-53
Handling Incoming Bounce Messages
Bounces that include a valid tag are delivered. The tag is removed and the Envelope Recipient is restored.
This occurs immediately after the Domain Map step in the email pipeline. You can define how your
appliances handle untagged or invalidly tagged bounces — reject them or add a custom header. See
Configuring Bounce Verification Settings, page 24-55 for more information.
If the bounce verification tag is not present, or if the key used to generate the tag has changed, or if the
message is more than seven days old, the message is handled according to the settings defined for Bounce
Verification.
For example, the following mail log shows a bounced message rejected by the appliance:
Fri Jul 21 16:02:19 2006 Info: Start MID 26603 ICID 125192
Fri Jul 21 16:02:19 2006 Info: MID 26603 ICID 125192 From: <>
Fri Jul 21 16:02:40 2006 Info: MID 26603 ICID 125192 invalid bounce, rcpt address <bob@example.com> rejected by bounce verification.
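The tagging and verification rules described above, as an added Python sketch (not code from this guide or from AsyncOS). The tag layout (a three-digit day stamp plus a truncated HMAC-SHA1), the sample key and the function names are assumptions chosen to mirror the shape of the 123ABCDEFG example; the guide does not document the actual tag algorithm.

```python
import hashlib
import hmac

MAX_AGE_DAYS = 7  # the guide: bounces more than seven days old fail verification
PREFIX = "prvs="


def _tag(key: bytes, local: str, domain: str, day: int) -> str:
    # Assumed layout: 3-digit day stamp + 7 hex chars of HMAC-SHA1 (not Cisco's scheme).
    stamp = f"{day % 1000:03d}"
    msg = f"{stamp}{local}@{domain}".lower().encode()
    return stamp + hmac.new(key, msg, hashlib.sha1).hexdigest()[:7].upper()


def tag_sender(key: bytes, address: str, day: int) -> str:
    """Rewrite an Envelope Sender: joe@example.com -> prvs=joe=<tag>@example.com."""
    local, domain = address.rsplit("@", 1)
    if local.startswith(PREFIX):  # already tagged: do not add another tag
        return address
    return f"{PREFIX}{local}={_tag(key, local, domain, day)}@{domain}"


def verify_bounce(key: bytes, rcpt: str, today: int):
    """Return (verdict, restored Envelope Recipient or None) for a bounce recipient."""
    local, _, domain = rcpt.rpartition("@")
    if not local.startswith(PREFIX):
        return "untagged", None
    user, _, tag = local[len(PREFIX):].rpartition("=")
    if not user or len(tag) != 10 or not (tag.isascii() and tag[:3].isdigit()):
        return "invalid", None
    # Recompute with the current key; a changed key or a forged tag fails here.
    if not hmac.compare_digest(_tag(key, user, domain, int(tag[:3])), tag):
        return "invalid", None
    if (today - int(tag[:3])) % 1000 > MAX_AGE_DAYS:
        return "expired", None
    return "valid", f"{user}@{domain}"  # tag removed, recipient restored


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    tagged = tag_sender(key, "joe@example.com", day=100)
    for rcpt, today in [(tagged, 103), (tagged, 108), ("bob@example.com", 103)]:
        print(rcpt, today, verify_bounce(key, rcpt, today))
    print(tagged, 103, verify_bounce(b"rotated-key", tagged, 103))
```

The "untagged", "invalid" and "expired" verdicts correspond to the three conditions under which the appliance applies its configured Bounce Verification action (reject or add a custom header).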