SPF authenticates the envelope sender (Return-Path), not the visible From header. When an ESP handles bounces from a different domain than your From address — e.g., From is noreply@company.com but Return-Path is bounce@esp-platform.net — SPF passes for the ESP's domain but fails alignment with your From domain. Under strict DMARC (adkim=s; aspf=s), misaligned SPF causes DMARC to fail even when SPF itself passes, per RFC 7489 §3.1. The practical result is that mail sent to Gmail and Outlook recipients is more likely to be filtered, defeating the purpose of your authentication stack.
High because Return-Path misalignment causes SPF alignment failure under strict DMARC, undermining authentication across major mailbox providers even when SPF itself passes for the ESP's bounce domain.
Configure a custom bounce subdomain that you own and authenticate independently. In SendGrid, complete Domain Authentication, which sets the Return-Path to bounces@em.company.com. In nodemailer, set the envelope sender explicitly:
const mailOptions = {
  from: '"Company" <noreply@company.com>',   // visible From header
  to: recipient,                              // visible To header
  envelope: {
    from: 'bounces@mail.company.com', // Return-Path (MAIL FROM): subdomain of company.com — aligned
    to: recipient                     // RCPT TO
  },
  subject: 'Your message'
}
Then publish SPF for mail.company.com to authorize the bounce-handling infrastructure. Verify alignment programmatically by checking that the envelope sender domain shares a registered domain with the From header domain.
ID: deliverability-engineering.dns-auth.return-path-alignment
Severity: high
What to look for: Enumerate all email send configurations and, for each, examine how messages are constructed. Check the envelope.from or returnPath field passed to the ESP or SMTP transport, and determine whether the Return-Path domain matches (or is a subdomain of) the From header domain. SPF alignment requires this: if From is @yourdomain.com and Return-Path is @esp-bounce-handler.com, SPF alignment fails and DMARC fails with it. Check for a custom Return-Path / bounce address configuration (e.g., bounces.yourdomain.com).
Pass criteria: At least one send path exists, and 100% of send paths use a Return-Path (envelope sender) domain that is the same domain as, or a subdomain of, the From header domain, so that SPF aligns. Custom bounce domains are configured as subdomains of the sending domain (e.g., bounces.yourdomain.com).
Fail criteria: Return-Path uses a different base domain than the From header (e.g., From is noreply@company.com but Return-Path is bounce@esp-platform.net), causing SPF alignment failure under strict DMARC.
Skip (N/A) when: DMARC is set to relaxed alignment (aspf=r) or the ESP is configured to handle bounce routing transparently.
Detail on fail: "Return-Path domain 'sg-bounce.example.net' does not align with From domain 'example.com' — SPF alignment will fail under strict DMARC" or "No Return-Path configuration found — using ESP default bounce domain which does not match From domain"
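As an added example (not part of the original rule, and not SendGrid's or nodemailer's code), the following JavaScript checker applies the pass/fail criteria above to a list of nodemailer-style send configurations. It extracts the From and envelope.from domains, compares them under both alignment modes RFC 7489 §3.1 defines (relaxed: same organizational domain; strict: exact domain match), treats a missing envelope.from as falling back to a constructed ESP default bounce domain, and emits findings in the form shown under Detail on fail. The organizational-domain derivation is a deliberate simplification (last two labels plus a short constructed list of two-label public suffixes); a production check should use the Public Suffix List. The sample send paths are constructed. Note that a subdomain bounce address such as bounces@mail.company.com satisfies relaxed alignment but not strict, which requires the Return-Path domain to equal the From domain exactly; the checker's mode option makes that difference visible.

```javascript
// Added example: static SPF-alignment check over send configurations.
// Not from the original rule, SendGrid or nodemailer. Assumptions:
//  - each send path is a nodemailer-style mailOptions object
//  - when envelope.from is absent, the ESP default bounce domain
//    (a constructed value passed in by the caller) becomes the Return-Path
//  - organizational domain = last two labels, except for a short constructed
//    list of two-label public suffixes (use the real PSL in production)

const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']); // constructed, partial

// Bare address from 'Display Name <user@host>' or 'user@host'.
function extractAddress(value) {
  const m = /<([^>]+)>/.exec(value);
  return (m ? m[1] : value).trim();
}

// Lower-cased domain part of an address, or null if it has none.
function domainOf(address) {
  const at = address.lastIndexOf('@');
  if (at < 0 || at === address.length - 1) return null;
  return address.slice(at + 1).toLowerCase();
}

// Organizational ("registered") domain used by relaxed alignment.
function organizationalDomain(domain) {
  const labels = domain.split('.');
  if (labels.length <= 2) return domain;
  const lastTwo = labels.slice(-2).join('.');
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// SPF identifier alignment per RFC 7489 s3.1:
// strict = exact match of From and Return-Path domains,
// relaxed = same organizational domain.
function spfAligned(fromDomain, returnPathDomain, mode) {
  if (mode === 'strict') return fromDomain === returnPathDomain;
  return organizationalDomain(fromDomain) === organizationalDomain(returnPathDomain);
}

// Evaluate one send path; returns { aligned, detail }.
function checkSendPath(mailOptions, { mode = 'relaxed', espDefaultBounceDomain } = {}) {
  const fromDomain = domainOf(extractAddress(mailOptions.from));
  const envelopeFrom = mailOptions.envelope && mailOptions.envelope.from;
  const returnPathDomain = envelopeFrom
    ? domainOf(extractAddress(envelopeFrom))
    : espDefaultBounceDomain;
  if (!fromDomain || !returnPathDomain) {
    return { aligned: false, detail: 'Could not determine From or Return-Path domain' };
  }
  if (spfAligned(fromDomain, returnPathDomain, mode)) {
    return {
      aligned: true,
      detail: `Return-Path domain '${returnPathDomain}' aligns with From domain '${fromDomain}' (${mode})`,
    };
  }
  const reason = envelopeFrom
    ? `Return-Path domain '${returnPathDomain}' does not align with From domain '${fromDomain}'`
    : `No Return-Path configuration found; ESP default bounce domain '${returnPathDomain}' does not match From domain '${fromDomain}'`;
  return { aligned: false, detail: `${reason} (SPF alignment will fail under ${mode} DMARC)` };
}

// Rule verdict: pass only if at least one send path exists and all of them align.
function evaluateRule(sendPaths, options) {
  const results = sendPaths.map((p) => checkSendPath(p, options));
  const pass = results.length > 0 && results.every((r) => r.aligned);
  return { pass, results };
}

// Constructed sample send paths: one aligned subdomain bounce address,
// one ESP-owned bounce domain, one with no envelope configured at all.
const SAMPLE_SEND_PATHS = [
  { from: '"Company" <noreply@company.com>', envelope: { from: 'bounces@mail.company.com', to: 'user@example.org' } },
  { from: 'noreply@company.com', envelope: { from: 'bounce@esp-platform.net', to: 'user@example.org' } },
  { from: 'noreply@company.com' },
];

// Stand-alone demo: prints one finding per send path and the overall verdict.
const demoVerdict = evaluateRule(SAMPLE_SEND_PATHS, {
  mode: 'relaxed',
  espDefaultBounceDomain: 'sg-bounce.example.net', // constructed ESP default
});
for (const r of demoVerdict.results) console.log(r.aligned ? 'PASS' : 'FAIL', r.detail);
console.log('rule:', demoVerdict.pass ? 'pass' : 'fail');
```

Running the block as-is reports the first sample path as aligned and the other two as failures (the third with the "No Return-Path configuration found" wording), so the rule verdict is fail; switching the mode to 'strict' also fails the first path, because mail.company.com is not an exact match for company.com.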
Remediation: Configure a custom Return-Path subdomain and set up bounce forwarding:
// SendGrid — the Return-Path is set by domain authentication, not in the message
const msg = {
  to: recipient,
  from: 'noreply@company.com',
  replyTo: 'support@company.com',
  // Return-Path subdomain that you control via SendGrid's domain authentication
  // Set up at: Settings → Sender Authentication → Domain Authentication
  // This makes Return-Path: bounces@em.company.com (subdomain of company.com)
  subject: 'Your message',
  text: 'Body'
}
// For nodemailer, set the envelope explicitly:
const mailOptions = {
  from: '"Company" <noreply@company.com>',   // visible From header
  to: recipient,                              // visible To header
  envelope: {
    from: 'bounces@mail.company.com', // Return-Path (MAIL FROM): subdomain of company.com
    to: recipient                     // RCPT TO
  },
  subject: 'Your message'
}