Return-Path aligned with From domain
Why it matters
SPF authenticates the envelope sender (Return-Path), not the visible From header. When an ESP handles bounces from a different domain than your From address — e.g., From is noreply@company.com but Return-Path is bounce@esp-platform.net — SPF passes for the ESP's domain but fails alignment with your From domain. Under strict DMARC (adkim=s; aspf=s), that misalignment means the SPF portion of the DMARC evaluation fails even though SPF itself passed, per RFC7489-s3.1. The practical result is that mail to Gmail and Outlook is more likely to be filtered, defeating the purpose of your authentication stack.
Severity rationale
High because Return-Path misalignment causes SPF alignment failure under strict DMARC, undermining authentication across major mailbox providers even when SPF itself passes for the ESP's bounce domain.
Remediation
Configure a custom bounce subdomain that you own and authenticate independently. In SendGrid, complete Domain Authentication which sets the Return-Path to bounces@em.company.com. In nodemailer, set the envelope sender explicitly:
const mailOptions = {
  from: '"Company" <noreply@company.com>',
  envelope: {
    from: 'bounces@mail.company.com', // subdomain of company.com — aligned
    to: recipient
  },
  subject: 'Your message'
}
Then publish SPF for mail.company.com to authorize the bounce-handling infrastructure. Verify alignment programmatically by checking that the envelope sender domain shares a registered domain with the From header domain.
Detection
- ID: return-path-alignment
- Severity: high
- What to look for: Enumerate all email send configurations and, for each, examine how email messages are constructed. Check the envelope.from or returnPath field passed to the ESP or SMTP transport. Look for whether the Return-Path domain matches (or is a subdomain of) the From header domain. SPF alignment requires this — if From is @yourdomain.com and Return-Path is @esp-bounce-handler.com, SPF alignment will fail DMARC. Check for custom Return-Path / bounce address configuration (e.g., bounces.yourdomain.com).
- Pass criteria: 100% of email send paths have a Return-Path (envelope sender) domain that is the same domain as, or a subdomain of, the From header domain, and at least 1 send path exists, ensuring SPF alignment. Custom bounce domains are configured as subdomains of the sending domain (e.g., bounces.yourdomain.com).
- Fail criteria: Return-Path uses a different base domain than the From header (e.g., From is noreply@company.com but Return-Path is bounce@esp-platform.net), causing SPF alignment failure under strict DMARC.
- Skip (N/A) when: DMARC is set to relaxed alignment (aspf=r) or the ESP is configured to handle bounce routing transparently.
- Detail on fail: "Return-Path domain 'sg-bounce.example.net' does not align with From domain 'example.com' — SPF alignment will fail under strict DMARC" or "No Return-Path configuration found — using ESP default bounce domain which does not match From domain"
- Remediation: Configure a custom Return-Path subdomain and set up bounce forwarding:

// SendGrid — set custom Return-Path in message
const msg = {
  to: recipient,
  from: 'noreply@company.com',
  replyTo: 'support@company.com',
  // Return-Path subdomain that you control via SendGrid's domain authentication
  // Set up at: Settings → Sender Authentication → Domain Authentication
  // This makes Return-Path: bounces@em.company.com (subdomain of company.com)
  subject: 'Your message',
  text: 'Body'
}

// For nodemailer, set envelope explicitly:
const mailOptions = {
  from: '"Company" <noreply@company.com>',
  envelope: {
    from: 'bounces@mail.company.com', // subdomain of company.com
    to: recipient
  },
  subject: 'Your message'
}
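The remediation section says to verify alignment programmatically, and the detection entry above says to inspect the envelope.from or returnPath field of each send configuration. The following is an added example of that check, written for this page and not code from the original rule or from nodemailer or SendGrid. It implements identifier alignment as RFC 7489 §3.1 defines it: strict mode (aspf=s) requires the Return-Path domain to match the From domain exactly, while relaxed mode (aspf=r) only requires the same organizational domain. That distinction matters for the remediation above: a bounce subdomain such as mail.company.com aligns with company.com under relaxed alignment, but under aspf=s only an exact match passes, so the function reports both modes. Assumptions: the message object carries From in `from` and the envelope sender in `envelope.from` (nodemailer) or `returnPath`; the public-suffix table is a constructed stub standing in for the real Public Suffix List; the sample send paths and the function names (`extractDomain`, `organizationalDomain`, `spfAligned`, `checkSendConfig`, `auditSendPaths`) are constructed for this example.

```javascript
// Added example (not from the original page): SPF identifier-alignment check for
// nodemailer/SendGrid-style message objects, following RFC 7489 s3.1.
// Assumptions: From lives in `from`; the envelope sender in `envelope.from`
// (nodemailer) or `returnPath`; PUBLIC_SUFFIXES is a constructed stub, not the PSL.

// Minimal stand-in for the Public Suffix List (assumption: extend for real use).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'io', 'co.uk', 'org.uk']);

// Pull the bare domain out of 'Name <user@host>' or 'user@host'; null if absent.
function extractDomain(address) {
  if (typeof address !== 'string') return null;
  const match = address.match(/<([^>]+)>/);
  const bare = (match ? match[1] : address).trim();
  const at = bare.lastIndexOf('@');
  if (at < 0) return null;
  return bare.slice(at + 1).toLowerCase().replace(/\.$/, '');
}

// Organizational domain (RFC 7489 s3.2): one label left of the public suffix.
// Longest suffix wins, so 'co.uk' is tried before 'uk'.
function organizationalDomain(domain) {
  const labels = domain.split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return domain; // no known suffix: treat the whole name as organizational
}

// RFC 7489 s3.1.2: strict alignment needs an exact match; relaxed needs the same
// organizational domain, so a bounce subdomain only aligns in relaxed mode.
function spfAligned(fromDomain, returnPathDomain, aspf = 'r') {
  if (!fromDomain || !returnPathDomain) return false;
  if (aspf === 's') return fromDomain === returnPathDomain;
  return organizationalDomain(fromDomain) === organizationalDomain(returnPathDomain);
}

// Evaluate one send configuration and produce a pass/fail result with detail text
// modelled on the rule's "Detail on fail" messages.
function checkSendConfig(msg, aspf = 'r') {
  const fromDomain = extractDomain(msg.from);
  if (!fromDomain) {
    return { status: 'fail', detail: 'No From address found in send configuration' };
  }
  const envelopeSender = (msg.envelope && msg.envelope.from) || msg.returnPath || null;
  if (!envelopeSender) {
    return {
      status: 'fail',
      detail: `No Return-Path configuration found; ESP default bounce domain will not match From domain '${fromDomain}'`
    };
  }
  const rpDomain = extractDomain(envelopeSender);
  if (spfAligned(fromDomain, rpDomain, aspf)) {
    return {
      status: 'pass',
      detail: `Return-Path domain '${rpDomain}' aligns with From domain '${fromDomain}' (aspf=${aspf})`
    };
  }
  return {
    status: 'fail',
    detail: `Return-Path domain '${rpDomain}' does not align with From domain '${fromDomain}'; SPF alignment will fail under aspf=${aspf}`
  };
}

// Constructed sample send paths, one per pattern the rule describes.
const SAMPLE_SEND_PATHS = [
  { name: 'nodemailer-custom-bounce',
    from: '"Company" <noreply@company.com>',
    envelope: { from: 'bounces@mail.company.com', to: 'user@example.org' } },
  { name: 'esp-default-bounce',
    from: 'noreply@company.com',
    returnPath: 'bounce@esp-platform.net' },
  { name: 'no-envelope-configured',
    from: 'noreply@company.com' }
];

// Run every send path under the given aspf mode; returns a name -> result map.
function auditSendPaths(paths = SAMPLE_SEND_PATHS, aspf = 'r') {
  const results = {};
  for (const p of paths) results[p.name] = checkSendConfig(p, aspf);
  return results;
}

for (const mode of ['r', 's']) {
  for (const [name, r] of Object.entries(auditSendPaths(SAMPLE_SEND_PATHS, mode))) {
    console.log(`aspf=${mode} ${name}: ${r.status} (${r.detail})`);
  }
}
```

Running it shows the custom bounce subdomain passing under aspf=r and failing under aspf=s, while the ESP-default and unconfigured paths fail in both modes. To use it against a real code base, feed `auditSendPaths` the message objects your send wrappers build and replace the stub suffix table with a real Public Suffix List lookup, otherwise multi-label suffixes it does not know about will be mis-grouped.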
External references
- external · RFC7208 — Sender Policy Framework (SPF) — SPF alignment for DMARC
- external · RFC7489-s3.1 — DMARC §3.1 SPF alignment
- cwe · CWE-346 — Origin Validation Error
Taxons
History
- 2026-04-18·v1.0.0·Initial import from deliverability-engineering·automated