Envelope-From vs Header-From

Email has two From addresses, and most people only know about one of them. The visible "From:" in your inbox is one. The SMTP envelope sender — invisible to the user, but the only address that matters for SPF, bounce routing, and Return-Path — is the other. They can be the same, and for most personal mail they are. For bulk mail, mailing lists, and transactional services, they're routinely different. The mismatch is fine if you understand it, dangerous if you don't.

The two From addresses

| Name | Defined in | Where it appears | What it does |
| --- | --- | --- | --- |
| Envelope-From (MAIL FROM) | RFC 5321 (SMTP) | SMTP envelope, then Return-Path header | Bounce destination; SPF check target |
| Header-From | RFC 5322 (Internet Message Format) | Visible From: header | What the user sees; DMARC alignment target |

The mail-as-physical-letter analogy

The two addresses correspond to the two From addresses on a physical letter:

  • The envelope-from is the return address on the outside of the envelope. Used by the postal system to return undeliverable mail. The recipient may or may not even look at it.
  • The header-from is the "From:" line on the letter inside the envelope. What the recipient reads to know who wrote to them.

Mail-room workers route by the envelope. Recipients read the letter. The two need not agree, and historically often didn't (think bulk mail returned to "Box 12345" while the visible letter is from "Acme Corporation").

How they appear in an SMTP exchange

S: 220 mail.example.com SMTP
C: EHLO sender.example.com
S: 250-mail.example.com
S: 250 OK

C: MAIL FROM:<bounces-12345@sender.example.com>     # envelope-from
S: 250 OK

C: RCPT TO:<alice@example.com>
S: 250 OK

C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Acme Corp" <noreply@acme.com>             # header-from
C: To: alice@example.com
C: Subject: Your receipt
C: ...
C: .
S: 250 OK

Note the envelope-from is bounces-12345@sender.example.com and the header-from is noreply@acme.com. Bounces will go to the envelope-from; the recipient will see the header-from.

Return-Path: where envelope-from goes

When a mail server delivers a message to its final destination, it adds a Return-Path: header containing the envelope-from. That's how the recipient mail server records what was on the SMTP envelope. So in the delivered message:

Return-Path: <bounces-12345@sender.example.com>
From: "Acme Corp" <noreply@acme.com>
To: alice@example.com
Subject: Your receipt

Most mail clients hide Return-Path. View-source or "show headers" reveals it.

Why bulk mail uses different addresses

For high-volume senders, the envelope-from is used for bounce processing automation. Common patterns:

  • VERP (Variable Envelope Return Path). Each recipient gets a unique envelope-from encoding the recipient's address. When a bounce comes in, the sender knows immediately which recipient it was without parsing the bounce body.
  • BATV (Bounce Address Tag Validation). Add a signed tag to envelope-from to detect forged bounces.
  • Subaddressing. Use plus-style addressing (bounces+listid+messageid@example.com) to encode metadata.

The header-from stays as the user-visible brand. The envelope-from carries operational metadata.
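
The VERP and signed-tag patterns above, sketched as an added example (not code from this page or from any mail product). The address layout, the `sig=` tag format, the key and the day numbers are illustrative assumptions; the tag follows the idea behind BATV, not its exact wire format.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret held only by the bounce handler

def verp_encode(recipient, bounce_domain="sender.example.com"):
    """alice@example.com -> bounces-alice=example.com@sender.example.com"""
    user, _, domain = recipient.rpartition("@")
    return f"bounces-{user}={domain}@{bounce_domain}"

def verp_decode(envelope_from):
    """Recover the original recipient from a VERP address, or None."""
    local = envelope_from.rpartition("@")[0]
    if not local.startswith("bounces-") or "=" not in local:
        return None
    user, _, domain = local[len("bounces-"):].rpartition("=")
    return f"{user}@{domain}"

def tag_sign(addr, expires_day):
    """Prefix addr with an expiry day and a truncated HMAC over both."""
    mac = hmac.new(KEY, f"{expires_day}|{addr}".encode(), hashlib.sha256)
    return f"sig={expires_day}.{mac.hexdigest()[:16]}={addr}"

def tag_verify(tagged, today):
    """Return the untagged address if the tag is valid and unexpired."""
    try:
        _, tag, addr = tagged.split("=", 2)
        day = int(tag.split(".")[0])
    except ValueError:
        return None  # untagged or malformed: not a bounce for mail we sent
    expected = tag_sign(addr, day)
    if day < today or not hmac.compare_digest(expected.encode(), tagged.encode()):
        return None
    return addr

def handle_bounce(rcpt_to, today):
    """A bounce is addressed to our envelope-from: verify the tag, then decode."""
    addr = tag_verify(rcpt_to, today)
    return verp_decode(addr) if addr else None

# Constructed samples: day numbers are days since an arbitrary epoch.
ENVELOPE = tag_sign(verp_encode("alice@example.com"), expires_day=20010)
FORGED = "sig=20010.0000000000000000=bounces-bob=example.com@sender.example.com"
```

A bounce handler that only accepts addresses passing `handle_bounce` can unsubscribe the decoded recipient without parsing the bounce body, and it ignores backscatter for mail it never sent.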

SPF and envelope-from

SPF answers: "is the IP that's sending this allowed to send for the envelope-from's domain?" The check uses the envelope-from's domain, not the header-from's. So:

  • If envelope-from is bounces@sender.example.com and the IP is in sender.example.com's SPF, SPF passes.
  • The header-from being noreply@acme.com is irrelevant to this SPF check.

This means SPF alone doesn't protect against the visible From being a different domain. That's where DMARC comes in.

DMARC alignment

DMARC requires alignment between the header-from domain and either the SPF-authenticated envelope-from domain or the DKIM-signing domain. Two modes:

| Mode | SPF alignment | DKIM alignment |
| --- | --- | --- |
| Strict | Exact match: envelope-from domain == header-from domain | Exact match: DKIM d= domain == header-from domain |
| Relaxed | Same organizational domain (e.g., mail.example.com matches example.com) | Same organizational domain |

If at least one of SPF-with-alignment or DKIM-with-alignment passes, DMARC passes. If neither does, DMARC fails — even if SPF and DKIM each technically passed for their respective domains.

The bulk-mail alignment challenge

For mail where envelope-from and header-from are in different organizational domains, SPF alignment is impossible. DMARC then depends entirely on DKIM. So bulk-mail senders must:

  1. Sign mail with DKIM using a key published in the header-from domain (i.e., your brand's DNS).
  2. Set the DKIM d= tag to match the header-from domain.

This requires coordination with your sending service. Most major transactional providers offer "delegated DKIM" — they sign with your domain's key, which you authorize via DNS CNAME records.

Sender header and the From: rewriting problem

When a mailing list relays mail, it can rewrite the From: header to be the list's address rather than the original poster's. This breaks DMARC for the original poster's domain but lets DMARC pass for the list. ARC (Authenticated Received Chain) is an attempt to preserve the original authentication results across forwarding. Mail receivers are gradually adopting ARC; many still don't support it.

From-spoofing in phishing

Most consumer-visible phishing attacks set the visible From to look like a trusted brand while the envelope-from is from a domain the attacker controls. SPF passes (the attacker's domain's SPF), DKIM may pass (the attacker's signature on their own domain), but DMARC alignment fails because the header-from is the brand's domain. A DMARC-enforcing recipient quarantines or rejects. A DMARC-permissive recipient may show the message.

This is the entire reason DMARC enforcement matters. The two-From-addresses architecture allows spoofing; DMARC pins them together.
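
The alignment rule from the DMARC alignment section, applied to the spoofing case described here, as an added example (not code from this page or from any DMARC implementation). It assumes the receiver has already verified SPF and DKIM and passes those results in; the tiny suffix set stands in for the Public Suffix List, and the messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; real evaluators load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain or not from_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "strict" else org_domain(a) == org_domain(f)

def dmarc_eval(raw, spf_pass, dkim_pass_domains, mode="relaxed"):
    """spf_pass / dkim_pass_domains are the receiver's own verification results."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    spf_ok = spf_pass and aligned(env_dom, from_dom, mode)
    dkim_ok = any(aligned(d, from_dom, mode) for d in dkim_pass_domains)
    return {"envelope": env_dom, "from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed delivered message, modelled on the Return-Path example earlier on the page.
RECEIPT = (
    "Return-Path: <bounces-12345@sender.example.com>\n"
    'From: "Acme Corp" <noreply@acme.com>\n'
    "To: alice@example.com\n"
    "Subject: Your receipt\n\nbody\n"
)
# Same message with the envelope-from moved to a subdomain of the brand.
SUBDOMAIN = RECEIPT.replace("sender.example.com", "mail.acme.com")
```

`dmarc_eval(RECEIPT, True, ["acme.com"])` passes on DKIM alone, while `dmarc_eval(RECEIPT, True, ["sender.example.com"])` fails even though SPF and DKIM both verified for the sending domain, which is the outcome a spoofed brand From produces.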

Frequently Asked Questions

What is the difference between envelope-from and header-from?

Envelope-from (also called MAIL FROM, Return-Path, or RFC 5321 from) is the address SMTP uses for bounces and delivery routing. Header-from (also called RFC 5322 from) is the address displayed to the recipient in the email's From: header. They can be different — and often are for bulk mail, where bounces go to a tracking address but the visible From shows the brand.

Which one does SPF check?

SPF checks the envelope-from domain — specifically, whether the connecting IP is authorized to send mail for that domain. It does not directly check the header-from. This means SPF can pass even if the header-from is a completely different domain, which is why DMARC was created to enforce alignment between the two.

What is DMARC alignment?

DMARC requires that the domain in the visible From header aligns with either the SPF-authenticated domain (envelope-from) or the DKIM-signing domain. Aligned means same domain, or in "relaxed" alignment, same organizational domain. Without alignment, the message fails DMARC even if SPF and DKIM technically passed.

Where do email bounces actually go?

To the envelope-from address (the Return-Path). The visible From header is irrelevant for bounce routing. This is why mailing list software typically sets envelope-from to a list-specific bounce-handling address (e.g., bounces+listid+messageid@example.com) while the visible From shows the original poster or the list address.

Can I send mail with different envelope-from and header-from?

Yes, and it's normal for bulk and transactional mail. The pattern is called Variable Envelope Return Path (VERP) when bounces go to unique per-recipient addresses. The catch: DMARC alignment must still work — either DKIM signs with the header-from domain, or you accept that DMARC won't pass.
