Because it’s a catch all for the domain, only one email is being used for discourse.
Not necessarily, I’m currently using it without VERP and it’s working. My issue is that I can’t have have the user respond directly to gmail without a SPF / DMARC failure due to the way discourse sets the envelope-from
and reply-to
addresses. Instead I have to have the MTA forward it to gmail. If I could have it reply directly to gmail (without a DMARC/SPF failure) then I can use VERP for securing the responses but yes the VERP will be ignored for bounced email. It’s still more secure than the current implementation.
That’ not an option as I explained here. It’s only practical to use gmail it for inbound. Setting up your own direct inbound MX when you already have a MX from your hosting provider can be challenging for the uninitiated. Direct gmail replies is far easier and less error prone.
Maybe I’m missing something in your line of thought. I can only see upsides to separating the envelope-from
and reply-to
addresses, it supports more diverse ecosystems and it’s more secure while helping to avoid SPF/MARC failures.