Opened 2 months ago

Last modified 6 days ago

#35365 assigned New feature

Add RFC 3834 Auto-Submitted header to emails by default

Reported by: Tobias Bengfort
Owned by: cgracin
Component: Core (Mail)
Version: dev
Severity: Normal
Keywords:
Cc: Florian Apolloner, Russell Keith-Magee
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

RFC 3824 (https://www.rfc-editor.org/rfc/rfc3834) defines the Auto-Submitted header for emails to avoid mail loops. The vast majority of mails sent by Django should use Auto-Submitted: auto-generated. The only exceptions I can think of are:

  • Django is used in a bigger system that also receives emails. In that case it may also be appropriate to use Auto-Submitted: auto-replied in some cases.
  • Django is used to implement an email client. In that case Auto-Submitted should not be used.

Since these are rare exceptions, I think Django should use Auto-Submitted: auto-generated by default. Users who need more control should have to explicitly disable this behavior.

I did not do a larger survey, but just from the mails I currently have in my inbox I noticed that gitlab and unattended-upgrades both use Auto-Submitted.

Change History (12)

comment:1 by Sarah Boyce, 2 months ago

Cc: Florian Apolloner, Russell Keith-Magee added
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → New feature
Version: 5.0 → dev

Hi Tobias, thank you for this!
Accepting as this sounds like the right thing to do to me. Added a couple of people in cc in case they have any concerns and can update the ticket accordingly.

comment:2 by Adam Johnson, 2 months ago

I found very few search results about the header (DuckDuckGo, Google). Notably, I don’t see any “Email best practices” articles discussing this header.

But on GitHub code search there are 11.4k results for "auto-submitted" "auto-generated", among which I found these tools:

It seems reasonable that Django would set it. But there’s some risk since some search results are people trying to *remove* the header (1, 2). I think we should at least document a way to opt-out, possibly by subclassing EmailMessage and overriding message() to delete the header.

comment:3 by cgracin, 7 weeks ago

Owner: changed from nobody to cgracin
Status: new → assigned

comment:4 by cgracin, 7 weeks ago

Has patch: set

comment:5 by cgracin, 7 weeks ago

Hello everyone! I'm a new contributor here and just submitted a PR for this feature. I went ahead and added the default behavior to the EmailMessage class to attach the "Auto-Submitted : auto-generated" header. I took the advice of Adam and created a subclass of EmailMessage named NoAutoSubmittedHeaderEmailMessage that removes the "Auto-Submitted : auto-generated" header to allow a user to opt-out of this default behavior.

comment:6 by Tobias Bengfort, 7 weeks ago

Thanks for the patch! I am not sure if NoAutoSubmittedHeaderEmailMessage is the best option though. The way I understood Adam we should document how to create such a class, not provide it in Django itself. Either way, having to use a different Message class is a bit awkward because you can no longer use send_mail(). My proposal would be to add a setting DEFAULT_EMAIL_HEADERS which would be more flexible. I cannot think of any other headers for which this could be useful right now, but who knows. I am not sure whether we want another setting though.

comment:7 by Sarah Boyce, 7 weeks ago

Patch needs improvement: set

I am also not a fan of NoAutoSubmittedHeaderEmailMessage as a user would need to make many updates to their code (including overwriting the EmailMultiAlternatives, mail_admins etc).
I can see the appeal of having something like a DEFAULT_EMAIL_HEADERS setting, however we try to avoid adding new settings to Django when we can. We'd need very strong agreement that this is the best way forward here.
I would recommend creating a discussion on the forum to try and get input from a wider audience as to what would be the best approach.

comment:8 by Tobias Bengfort, 7 weeks ago

Summary: Add RFC 3824 Auto-Submitted header to emails by default → Add RFC 3834 Auto-Submitted header to emails by default

comment:9 by Tobias Bengfort, 7 weeks ago

The documentation already contains this line:

Not all features of the EmailMessage class are available through the send_mail() and related wrapper functions. If you wish to use advanced features, such as BCC’ed recipients, file attachments, or multi-part email, you’ll need to create EmailMessage instances directly.
https://docs.djangoproject.com/en/5.0/topics/email/#the-emailmessage-class

For consistency I think we should also add the Auto-Submitted header in the wrapper functions.

The special thing here would be that dropping down to EmailMessage allows you to remove a header rather than add one. I am not sure how best to explain that in the docs. I see that most parameters are only documented once for send_mail() and not repeated for the other wrapper functions. So maybe it would be sufficient to add a note only to send_mail(). The note could be something like this:

send_mail() uses the Auto-Submitted mail header to indicate that the mail was created by software rather than a human.

comment:10 by cgracin, 7 weeks ago

Thank you guys for the comments, I'll work on implementing these requests and submit an updated PR.

comment:11 by David Smith, 7 weeks ago

Does the header need to be removed entirely? Could we advise folk to set the header to "no" to disable it?
https://www.iana.org/assignments/auto-submitted-keywords/auto-submitted-keywords.xhtml

The current patch has this to add the header:

if "Auto-Submitted" not in self.extra_headers:
    # Default to adding the Auto-Submitted: auto-generated header
    self.extra_headers["Auto-Submitted"] = "auto-generated"

So could we document this by something like...

By default EmailMessage sets the Auto-Submitted header to auto-generated to indicate that the mail was created by software rather than a human. The value of the Auto-Submitted header can be customised by the headers option. To disable the header the value of Auto-Submitted can be set to "no".
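
Added example, not part of the ticket, the Django patch or any commenter's post: a standard-library model of the default quoted in comment:11, paired with the receiver-side rule from RFC 3834 that the header exists to feed (no automatic response to mail whose Auto-Submitted value is anything other than "no"). The function names, the None opt-out and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage


def build_message(subject, body, sender, to, headers=None):
    """Build a mail, defaulting Auto-Submitted to auto-generated.

    Same precedence as the snippet in comment:11: a caller-supplied
    value wins. A value of None omits the header (hypothetical opt-out,
    not something the patch offers).
    """
    extra = dict(headers or {})
    extra.setdefault("Auto-Submitted", "auto-generated")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, to
    for name, value in extra.items():
        if value is not None:
            msg[name] = value
    msg.set_content(body)
    return msg


def auto_submitted_keyword(msg):
    """Return the lower-cased Auto-Submitted keyword, or None if absent."""
    raw = msg.get("Auto-Submitted")
    if raw is None:
        return None
    # The keyword is case-insensitive and may be followed by ';' parameters.
    return str(raw).split(";", 1)[0].strip().lower()


def should_auto_respond(msg):
    """Receiver-side loop guard: answer only mail not marked as automatic."""
    return auto_submitted_keyword(msg) in (None, "no")


# Constructed sample: an inbound vacation reply with a parameter attached.
SAMPLE_INBOUND = message_from_string(
    "From: someone@example.com\n"
    "Subject: Out of office\n"
    "Auto-Submitted: Auto-Replied; x-note=vacation\n"
    "\n"
    "I am away.\n"
)
```

A message carrying "no" is treated by such a responder exactly like one with no header at all, which is why setting the value to "no" and deleting the header are interchangeable from the loop-prevention point of view.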

comment:12 by Florian Apolloner, 6 days ago

I don't feel good about this change. If we are to add this header by default we need a way to disable it by default as well imo (especially since one cannot patch 3rd party apps easily). This probably ties into making smtp backends configurable and for instance add options to set headers there…
