smtp e-mail headers: return-path vs. sender vs. from
Please help me make some order with email headers.
What does each of the following mean: return-path, sender, from.
The question is being asked in the context of an email receiving app (let's say a posterous clone).
- What can be easily faked?
- What can be verified?
- Under what circumstances can the three or two of them differ?
Answer
Based on my experience -
From is the person that wrote the email. This can be set by the user's mail software.
Return-Path is the address where bounce messages (undeliverable notifications, etc.) should be delivered. It can be set by the sending or receiving mail server, or sometimes by the user's mail software. For a normal message, it is usually the same as the From address. Some messages (often system generated messages) may use a different Return-Path, and bounce messages typically leave it blank.
Sender is the person that sent the email, if different than the From ("Sent by Sender on behalf of From"). Sometimes this is set by the user's mail software, and sometimes by their mail server. This, if present, should be different from the From address.
These headers can all be faked pretty easily, so verification is pretty much out.
However, if the sending domain has an SPF record, you can verify the Received headers against the list of approved mail servers for that domain. That will at least tell you whether or not the message really came from that domain, but that doesn't guarantee that the particular user sent it (it could be spoofed by another user on the same domain). Plus, not all domains publish SPF records, so it's not always an option.