Community Discussions and Support
BREACH OF PRIVACY - Pegasus should not be doing this!

[quote user="PaulW"][quote user="Sheepdog"]

And then there's the fundamental question of How Bcc Works. I believe that the underlying mechanism is that you ALWAYS send the email to your mail server with the whole list of intended recipients attached. This saves you sending the message 5 times if you have 5 people Bcc'd. It is a concession to efficiency. If some mail-servers are not set up to do what I think everyone would expect, then I would call that a badly managed mail-server.

[/quote]

I believe Pegasus Mail sends two mails if you have BCC recipient(s) - one with just the TO & CC addresses, and the other with BCC addresses.[/quote]

Correct, unless you have Suppress BCC field listings in outgoing mail checked. If so, all you have in the headers is BCC: (Suppressed).


-- Euler

Pegasus Mail 4.81.1154 Windows 7 Ultimate
IERenderer: 2.7.1.5 AttachMenu: 1.0.1.2
PMDebug: 2.5.8.34 BearHTML 4.9.9.6

I'm experimenting with Pegasus 4.7. I sent an email to address "X" with a BCC to "A" and "B". (All three addresses are mine with different email providers.) To my surprise, I noticed, when reading it as recipient A and then as recipient B, that in the detailed headers there is a BCC field with addressees A and B, both listed in the clear in a comma separated list. This should not be happening. Addressee A should never see addressee B and vice versa. BCC means (or should mean) that it is not only blind to X, the recipient in the "To" field, but also to each of the BCC recipients. Mailers other than Pegasus respect this principle.

When I am not using Pegasus, my mail client of choice is Yahoo mail. Yahoo does this correctly. It strips out the BCC field before sending, then it sends a copy to A and B, so that neither sees the address of the other, and of course, X sees none of the others. X's address is visible to A and B, but that is the norm and is expected behaviour, unlike Pegasus's behaviour described above, which is not expected and contrary to all accepted email etiquette.

Below is an extract of the relevant section in the detailed headers of the copy received by B, with the personal information redacted. I also have a transcript of the TCP session. If that is of interest to anyone, let me know and I'll post it here.

Moongazer.

Subject: test 1 with multiple BCCs
Reply-to: xxxxxxxxxxxxx.xxx.xx
BCC: aaaaaaaaaaaaaaa@aaaaa.aaa.aa, bbbbbbb@bbbbb.bbb
Message-ID: <5A9CA2DB.1587.11111111@xxxxxxx.xxxxx.xxx.xx>
X-Confirm-Reading-To: xxxxxxx@xxxxx.xxx.xx
X-pmrqc: 1
Return-receipt-to: xxxxxxx@xxxxx.xxx.xx
Priority: normal
X-mailer: Pegasus Mail for Windows (4.72.572)

 


This is weird. The behaviour I described in the first post of this thread is not occurring uniformly. It seems to depend on which SMTP host Pegasus is connecting to to send the mail.

This makes me wonder: Whose responsibility is it to strip out the BCC field? Should it be done by the email client residing on my PC before sending (in this case Pegasus Mail), or should it be done by the SMTP server that Pegasus connects to?

I have two identities set up in Pegasus, each using a different SMTP definition: (1) uses my ISP's SMTP server (smtp.ozemail.com.au), (2) uses Yahoo's SMTP server (smtp.mail.yahoo.com). The behaviour described in my first post occurred using (1). When I did the same thing using (2), it did not occur - there was no BCC field in the received emails.

I thought maybe my ISP has not configured its SMTP server correctly. So I went to my ISP's website and sent a similar email from its online webmail client. I presume that that client is using IMAP, not SMTP, so that experiment may not be conclusive, but, wherever it was occurring (within the webmail client or the mail transport system it uses) it did the right thing and stripped out the BCC field.

This still leaves me wondering where I should be laying the blame for the behaviour described in my first post - the authors of Pegasus or my ISP?

 


I suspect more likely that as you have multiple ISP's you also have many Id's to go with them (?)

If so have you checked that you set "Suppress BCC field listings in outgoing mail" for each?



See:

http://community.pmail.com/forums/thread/9227.aspx

and

http://community.pmail.com/forums/thread/29832.aspx


To summarise from 10 years ago:

The primary purpose of BCC is to hide addresses from the TO and CC recipients, not from each BCC address.

Pegasus also provides a mechanism to suppress the BCC line altogether if that's what you want.


Thank you, Shades, for that information.

I only have one ISP (iiNet, which owns the Ozemail domain), and only two Pegasus identities - one for use with my ISP's mail servers and the other for when I'm using my Yahoo mail account. (AFAIK, Yahoo is not an ISP.)

So I checked both id's and in both of them that setting was unchecked (probably the default value, because I didn't get around to setting all the options yet. After about half way down, I just skimmed through the rest and thought they don't look too crucial, I'll come back and do them later). So thank you for pointing me to the right setting. I ticked it, and then repeated the test with id (1), and now that header appears as "BCC: (Suppressed)".

However, I'm not marking this as the definitive answer just yet, because it still leaves open the question: Whose responsibility is it to ensure that the BCC recipients' privacy is not breached? Should it be up to the mail client or the SMTP host? Is there a standard or at least a convention for this? In the previous tests described in my second post, when using id (2) (Yahoo) the complete absence of the BCC field indicates that Yahoo's SMTP server must have stripped it out of the headers. (Remember that option was unchecked in both id's at that time.) So that might suggest that by convention, it is done by the SMTP host. In which case, I ask, Why didn't my ISP's SMTP host do it? So it's unclear to me whose responsibility it is. And I question why Pegasus doesn't at least make the suppression of the BCC field's contents the default setting.

Moongazer


Sorry Dilberts and Paul, your replies came through as I was writing my response to Shades. I see now, from following those links that the rules are quite flexible on this, so I guess it's not such a surprise after all to discover that different internet companies handle this differently from one another. I believe RFC stands for Request For Comment. Did they subsequently harden into rules that all software publishers and network operators are expected to follow? This too is a bit of a mystery to me, but having seen on one of those linked threads that the RFC officially provides for three ways of handling the BCC field, covering all possibilities, I guess there is no fixed rule.

Moongazer


[quote user="Moongazer"]I believe RFC stands for Request For Comment. Did they subsequently harden into rules that all software publishers and network operators are expected to follow?[/quote]

See the Wikipedia article's elaborations on this (https://en.wikipedia.org/wiki/Request_for_Comments), e.g.

			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

Correct me if I am wrong, and I may well be, but I suspect the question reveals two misunderstandings....

"Should I blame the authors of Pegasus or my ISP for not stripping out the names in the BCC list?"

I believe that should be "Should I blame the authors of Pegasus or the people who manage the server where my outgoing email is processed?"

Now... that server may well be a server managed by your ISP. But those roles are not joined at the hip. If you use Gmail, for instance, then the email server your mail passes through is certainly not run by your ISP.

And then there's the fundamental question of How Bcc Works. I believe that the underlying mechanism is that you ALWAYS send the email to your mail server with the whole list of intended recipients attached. This saves you sending the message 5 times if you have 5 people Bcc'd. It is a concession to efficiency. If some mail-servers are not set up to do what I think everyone would expect, then I would call that a badly managed mail-server.

If we sent a piece of ordinary mail... you know, ink on paper, a stamp... we are used to using just one "channel"- the (old fashioned) Post Office.

The answers to many email questions become easier to understand if you understand that the path an email FROM you takes is quite different from the path an email TO you takes.

 


[quote user="Sheepdog"]

And then there's the fundamental question of How Bcc Works. I believe that the underlying mechanism is that you ALWAYS send the email to your mail server with the whole list of intended recipients attached. This saves you sending the message 5 times if you have 5 people Bcc'd. It is a concession to efficiency. If some mail-servers are not set up to do what I think everyone would expect, then I would call that a badly managed mail-server.

[/quote]

I believe Pegasus Mail sends two mails if you have BCC recipient(s) - one with just the TO & CC addresses, and the other with BCC addresses.

The mail server then just does what it's told as the envelope addressing knows nothing about the difference between any of the addresses. 
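The three outcomes seen in this thread (no BCC header at all, BCC recipients listed to one another, and "BCC: (Suppressed)") can be modelled as follows. This is an added example, not part of any post and not Pegasus Mail's code; the `.example` addresses are constructed and the policy names are hypothetical labels. It shows that delivery is driven by the envelope recipient list, while what each recipient can read depends only on the headers left in the copy they receive.

```python
import copy
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: what the client composes before submission.
RAW = """\
From: sender@x.example
To: x@x.example
Bcc: a@a.example, b@b.example
Subject: test 1 with multiple BCCs

body
"""

def addresses(msg, *fields):
    """Bare, lower-cased addresses found in the named header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def with_bcc(msg, value):
    """Copy of msg whose Bcc header is removed (None) or set to value."""
    out = copy.deepcopy(msg)
    del out["Bcc"]
    if value is not None:
        out["Bcc"] = value
    return out

def plan_submissions(msg, policy):
    """Return [(envelope_recipients, message)] for one composed message.

    policy names are hypothetical labels for behaviour described in the thread:
      strip    - one copy for everyone, no Bcc header
      list     - second copy for Bcc recipients, Bcc header lists them all
      suppress - second copy for Bcc recipients, header is "BCC: (Suppressed)"
    """
    if policy not in ("strip", "list", "suppress"):
        raise ValueError(f"unknown policy: {policy}")
    visible, blind = addresses(msg, "To", "Cc"), addresses(msg, "Bcc")
    if policy == "strip" or not blind:
        return [(visible + blind, with_bcc(msg, None))]
    value = ", ".join(blind) if policy == "list" else "(Suppressed)"
    return [(visible, with_bcc(msg, None)), (blind, with_bcc(msg, value))]

def disclosed_to(rcpt, plan):
    """Bcc addresses, other than rcpt's own, readable in rcpt's copy."""
    for rcpts, message in plan:
        if rcpt in rcpts:
            return sorted(set(addresses(message, "Bcc")) - {rcpt})
    return []

if __name__ == "__main__":
    composed = message_from_string(RAW)
    for policy in ("strip", "list", "suppress"):
        plan = plan_submissions(composed, policy)
        for rcpt in ("x@x.example", "a@a.example", "b@b.example"):
            print(policy, rcpt, "sees", disclosed_to(rcpt, plan) or "no Bcc addresses")
```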
