Why must I make sure my scripts use a certain "Return-Path" address for messages?
Every e-mail message has a hidden field called the "Return-Path" address (sometimes called a "bounce address" or "envelope sender address"). This should be the address a message really came from, and it's the address to which any undeliverable message notices ("bounces") are sent.
When you send e-mail from a script on our servers, the Return-Path will be automatically set to a value that works with our servers by default.
However, it's possible for scripts to be written to override the default Return-Path. If your script does so, it must use an e-mail address that ends with your domain name. You can't send messages with a Return-Path address at a domain name that isn't hosted with us, such as aol.com or hotmail.com.
Because of that, you need to make sure your scripts don't set a custom Return-Path address unless it ends with your domain name. If you have trouble:
- If you're using a script written by someone else, contact the author of the script for instructions on setting the "envelope sender" address correctly.
- If you're writing your own script and you're using PHP, this page explains how to set the PHP Return-Path.
- If you're writing a script that uses Sendmail, this page explains how to set the Sendmail "Return-Path".
Is the "Return-Path" the same as the "From" address on a message?
One thing that often confuses people is the difference between the "Return-Path" address and the "From:" header address. These are two different things, and our servers only care about the Return-Path ("envelope sender"). Your script can set the "From:" address to anything you want, although in practice the two addresses will usually be the same.
Why is this necessary?
Our servers enforce the "Return-Path" rule for two main reasons, both of which make sure you don't have problems delivering mail.
First of all, if you sent messages using other domain names, many receiving servers would think your messages were spam that "forged" someone else's address, particularly if the receiving mail server uses SPF. This makes sense if you think about it: for example, only AOL's servers should be sending mail from addresses that end in "@aol.com". Many servers will reject mail claiming to be from a certain address if the message isn't sent by a server that usually handles that address.
The second reason is that it helps us minimize spam sent from our network. Occasionally, spammers try to take advantage of insecure software that customers have installed on our servers to send thousands of spam messages. When they do this, they almost always use forged "Return-Path" addresses. Our outgoing mail filters detect the invalid Return-Path and stop the mail before it leaves our network, making sure that other ISPs don't block our mail servers (and your legitimate mail).
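A script can apply the same rule to its own envelope sender before handing a message to the mail system. The sketch below is an added example, not our outgoing filter's code: `HOSTED_DOMAIN`, the function names and the choice to accept subdomains are assumptions made for illustration. It checks only the Return-Path, ignores the "From:" header, and compares domains on a label boundary so that a lookalike such as `notexample.com` does not pass a naive "ends with" test.

```python
from email.message import EmailMessage

HOSTED_DOMAIN = "example.com"  # assumption: the domain hosted on the server


def envelope_sender_allowed(return_path, hosted_domain=HOSTED_DOMAIN,
                            allow_subdomains=True):
    """Return True if return_path is an address in hosted_domain."""
    addr = return_path.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # Reject an empty sender and any embedded whitespace; CR/LF inside an
    # address is how extra headers get injected into a mail() call.
    if not addr or any(c.isspace() for c in addr):
        return False
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    domain = domain.rstrip(".").lower()
    hosted = hosted_domain.rstrip(".").lower()
    if domain == hosted:
        return True
    # Match on a label boundary: "notexample.com" ends with "example.com"
    # as a string but is a different domain. Subdomains are an assumption.
    return allow_subdomains and domain.endswith("." + hosted)


def check_message(msg, return_path):
    """Check only the envelope sender; the From: header is not considered."""
    return {
        "from_header": str(msg["From"]),
        "return_path": return_path,
        "allowed": envelope_sender_allowed(return_path),
    }


if __name__ == "__main__":
    # Constructed sample message: its From: header is on another domain,
    # which is permitted; only the Return-Path decides the outcome.
    msg = EmailMessage()
    msg["From"] = "Alice <alice@aol.com>"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Test"
    msg.set_content("hello")
    for rp in ["bounces@example.com", "alice@aol.com",
               "x@notexample.com", "bounces@mail.example.com"]:
        print(check_message(msg, rp))
```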