How do MBPs evaluate transparency in sender metadata?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When an email lands in someone's inbox, the mailbox provider (MBP) doesn't just look at the From name you chose. It cross-checks a whole stack of signals to figure out whether the sender is who they claim to be. Think of it as the MBP quietly asking, "Do all these pieces actually line up?"

Here's what they're checking.

Authentication alignment. Your visible From address needs to match what your authentication records say. If your From header shows hello@harborpost.net but your DKIM signature is signed under a completely different domain, that's a red flag. Gmail, Outlook, and most other MBPs flag this kind of mismatch as a potential phishing signal.

Header consistency. Your From, Reply-To, Return-Path, and envelope sender (MAIL FROM) should all tell the same story. A legitimate sender typically has these pointing to the same brand domain, or at least a domain that's clearly connected to it. When those fields start pointing in different directions, it looks like someone's trying to hide where the message actually came from.

Stable identity over time. MBPs track patterns. A From domain that's been sending consistently for months reads very differently from one that appeared last week. Constantly rotating your From address, domain, or display name resets that trust history every time. That's why consistent sender identity is such a core deliverability principle.

Accurate timestamps and formatting. Headers that have impossible timestamps, repeated Message-IDs, or fields that are obviously garbled get noticed. These aren't always intentional deception, sometimes a misconfigured sending tool causes them, but MBPs treat them as a credibility problem either way.

Known deceptive patterns. MBPs maintain models of what phishing, spoofing, and spam infrastructure look like. Headers designed to obscure the actual sending path (like routing through suspicious relay chains) get matched against those patterns. If your setup resembles known bad actors, you'll be filtered even if you personally have good intentions.

Auditing your own metadata. You don't have to guess what MBPs see. Send yourself a test email and open the full headers. In Gmail, click the three-dot menu and choose "Show original". You'll see the raw MAIL FROM, DKIM pass/fail, SPF result, and the full routing chain. If SPF and DKIM both pass and the domains align with your From address, you're in good shape. If they don't, that's where to start fixing things.

You can also run your domain through our free Email Header Analyzer to spot anything that looks off before it becomes a delivery problem. Or if something's actively broken, drop into the SOS hotline and we'll help you work through it.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit my sender metadata for transparency

I'm trying to understand how mailbox providers like Gmail and Outlook evaluate whether my sender metadata is transparent and consistent. Based on my sending setup, can you check whether my From address, authentication records (SPF, DKIM, DMARC), Reply-To, and Return-Path all tell a consistent story? Flag any mismatches or red flags that an MBP might penalize, and rank what I should fix first.

Edit the yellow boxes, then send to the AI of your choice.