← RFC Reference

RFC 3834: Automatic Responses in Email

Why This Exists

Automatic email responses are everywhere: vacation/out-of-office messages, read receipts, challenge-response spam filters, ticket system acknowledgments, and notification digests. Without rules, auto-responders create dangerous feedback loops:

1. Alice's auto-responder replies to Bob's message.
2. Bob's auto-responder replies to Alice's auto-reply.
3. Alice's auto-responder replies to Bob's auto-reply.
4. Repeat forever, flooding both mailboxes and the network.

RFC 3834 prevents this by defining the Auto-Submitted header field and a set of rules that every automatic responder must follow.

How It Works

The Auto-Submitted Header

Every automatically generated message must include an Auto-Submitted header. The defined values are:

; Vacation auto-reply
From: alice@example.com
To: bob@example.com
Subject: Re: Project update
Auto-Submitted: auto-replied
In-Reply-To: <msg-id-from-bob@example.com>

I'm out of the office until January 15.
For urgent matters, contact charlie@example.com.

The Core Rule: Never Auto-Reply to Auto-Replies

Before sending any automatic response, the responder must check whether the incoming message is itself automatic. If it is, no auto-response is sent. The checks are:

1. Check Auto-Submitted header. If present and not equal to no, do not respond.
2. Check for empty return path. If the envelope sender (MAIL FROM) is <>, do not respond. Bounces and DSNs use an empty return path.
3. Check Precedence header. If the value is bulk, junk, or list, do not respond. (This is a legacy convention predating RFC 3834 but still widely used.)

; Incoming message has Auto-Submitted header
Auto-Submitted: auto-replied

; Decision: DO NOT auto-respond
; This prevents the infinite loop scenario

Rate Limiting

RFC 3834 requires auto-responders to limit responses to the same sender. The standard practice:

• Send at most one auto-response per sender per time period (typically one per day, or one per vacation period).
• Track which senders have already received an auto-response.
• Do not send duplicate auto-responses to the same person for the same vacation period.

Envelope and Header Requirements

An automatic response must:

• Use an empty envelope sender (MAIL FROM:<>) or use the responder's address. Never use the original sender's address as the envelope sender of the auto-reply.
• Set Auto-Submitted: auto-replied (or auto-generated for non-reply automations).
• Include In-Reply-To and References headers pointing to the original message, so the auto-response threads correctly.
• Direct the response to the Return-Path or envelope sender, not to the From address. This ensures that bounces from the auto-reply do not hit the original human sender.

Key Technical Details

Messages That Should Not Trigger Auto-Responses

RFC 3834 lists specific cases where auto-responses must be suppressed:

• Messages with Auto-Submitted set to any value other than no
• Messages with an empty envelope sender (MAIL FROM:<>)
• Messages sent to a mailing list (check for List-Id, List-Unsubscribe, or Precedence: list)
• Messages where the sender appears to be a daemon or system address (e.g., MAILER-DAEMON, postmaster)
• Messages that are themselves bounce notifications (DSNs)

Auto-Submitted vs. Precedence

The older Precedence header predates RFC 3834 and is not formally standardized, but remains widely used:

; Legacy approach (still common)
Precedence: bulk

; Standards-compliant approach
Auto-Submitted: auto-generated

; Best practice: include both for maximum compatibility
Precedence: bulk
Auto-Submitted: auto-generated

Auto-responders should check both headers. Some older systems only set Precedence; some newer systems only set Auto-Submitted. Checking both prevents loops with either.

The X-Auto-Response-Suppress Header

Microsoft Exchange introduced a non-standard but widely supported header:

X-Auto-Response-Suppress: All

Possible values include DR (delivery reports), NDR (non-delivery reports), RN (read notifications), NRN (non-read notifications), OOF (out-of-office), and AutoReply. Many sending systems set All on transactional and marketing email to suppress all auto-responses from Exchange/Outlook.

Detecting Mailing List Messages

Auto-responses to mailing list messages are particularly problematic — they go to the entire list. Check for:

; Any of these indicate a list message
List-Id: <dev.lists.example.com>
List-Unsubscribe: <mailto:unsub@lists.example.com>
Precedence: list
X-Mailing-List: dev@lists.example.com

Examples

A Well-Formed Vacation Reply

; Envelope
MAIL FROM:<>
RCPT TO:<bob@example.com>

; Headers
From: alice@example.com
To: bob@example.com
Date: Mon, 10 Mar 2025 09:00:00 +0000
Subject: Re: Q1 Planning
Auto-Submitted: auto-replied
In-Reply-To: <orig-msg-id@example.com>
References: <orig-msg-id@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Thank you for your email. I am out of the office from
March 8-15 with limited access to email.

For urgent matters, please contact charlie@example.com.

A System Notification

From: noreply@monitoring.example.com
To: ops-team@example.com
Subject: [ALERT] CPU usage above 90% on web-prod-03
Auto-Submitted: auto-generated
Precedence: bulk
X-Auto-Response-Suppress: All

Server web-prod-03 has exceeded the CPU threshold.
Current usage: 94%. Investigate immediately.

Common Mistakes

• Not setting Auto-Submitted on automated messages. This is the single most important thing. Without it, every recipient's vacation responder will reply to your automated message, and their replies may trigger further automation on your end.
• Auto-responding to messages with empty return path. Bounces use MAIL FROM:<>. Replying to them creates a bounce loop: your reply bounces, generating another bounce, which your system tries to reply to again.
• Auto-responding to mailing lists. Sending an out-of-office reply to a mailing list spams every subscriber. Always check for List-Id and Precedence headers before auto-responding.
• No rate limiting. Without rate limiting, a user who sends you 50 messages gets 50 identical vacation replies. Limit to one auto-response per sender per time period.
• Using the From address as the auto-reply target. Auto-responses should go to the Return-Path (envelope sender), not the From address. The From address may be a mailing list, a no-reply address, or different from the actual sender.
• Including the original message body in auto-replies. Some auto-responders quote the entire original message. This is a privacy risk (the auto-reply may be forwarded) and wastes bandwidth.
• Not setting X-Auto-Response-Suppress: All on transactional email. If you send order confirmations or password resets, add this header to prevent Exchange/Outlook users from sending out-of-office replies to your automated messages.

Deliverability Impact

• Auto-reply loops damage sender reputation. If your system creates a loop, the volume spike looks like a spam run to receiving servers. Your sending IP can be blacklisted within hours.
• Properly marked auto-responses are filtered by recipients. Gmail and other providers automatically classify messages with Auto-Submitted headers, reducing the chance that your auto-response is flagged as spam.
• Set Auto-Submitted and Precedence on all automated mail. This includes transactional email, alerts, reports, and any message not composed by a human. It prevents vacation replies from flooding your inbound queue.
• Empty return path prevents bounce cascades. Using MAIL FROM:<> for auto-responses ensures that if the response itself bounces, the bounce is not delivered anywhere — breaking the potential cascade.
• Monitor your inbound for auto-reply floods. A spike in incoming vacation replies or delivery receipts often indicates you forgot to set auto-response suppression headers on a new message template.

Related RFCs