
Check the Return-Path

The "From" name is a lie. Check the actual return-path header to see the truth.

The Anatomy of a Phishing Email

Email has a fundamental design flaw: the "From" name you see in your inbox is not verified. Any mail server can send an email claiming to be from "PayPal Security Team" or "Your Bank". The display name is cosmetic — it's set by whoever sends the email.

What the display name hides is the actual sending infrastructure. That's where the truth lives.

How to Check the Return-Path

The Return-Path (also called the "envelope from" or "bounce address") is where delivery failures get sent. It comes from the SMTP envelope the sending server used (the MAIL FROM address) and is written into the headers by the receiving server, not chosen in the compose window. Because SPF is checked against this domain, faking a real company's domain there convincingly is much harder than faking the display name.

In Gmail:

  1. Open the email
  2. Click the three-dot menu → "Show original"
  3. Look for Return-Path: in the raw headers
  4. The domain in that address is who actually sent the email

In Apple Mail:

  1. View → Message → All Headers
  2. Find Return-Path:

Red flags to look for:

  • From: PayPal but Return-Path: bounce@random-server123.com
  • Mismatched domains (paypal.com vs paypa1.com vs paypal-secure.net)
  • Return-Path from a country-code domain you don't recognize

What Legitimate Return-Paths Look Like

Real companies have aligned From and Return-Path domains (the same organizational domain, so a bounce subdomain such as bounce.example.com still counts as aligned), and their mail passes SPF, DKIM, and DMARC checks. Some legitimate bulk mail carries the email provider's domain in the Return-Path; DMARC still passes then as long as the DKIM signature is aligned with the From domain, which is why the authentication results are the more reliable signal. In Gmail's "Show original" view, look for:

SPF: PASS
DKIM: PASS
DMARC: PASS

If any of these fail on an email claiming to be from your bank, treat it as a phishing attempt.
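The header checks described above (Return-Path versus From alignment, plus the SPF/DKIM/DMARC verdicts) can be run automatically over a raw message. The script below is an added example, not code from the original page; it uses Python's standard `email` module and reads the verdicts from the `Authentication-Results` header that receiving servers add (Gmail's "SPF: PASS" lines are a summary of that header). Both messages are constructed samples, and the organizational-domain helper is a deliberate simplification that assumes two labels are enough.

```python
"""Check Return-Path / From alignment and authentication results in raw mail headers."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims paypal.com, but the envelope sender is an unrelated server.
SAMPLE_PHISH = """Return-Path: <bounce@random-server123.com>
Received: from random-server123.com ([203.0.113.5]) by mx.example.net
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=random-server123.com; dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal Security Team" <service@paypal.com>
To: victim@example.net
Subject: Act now or your account will be closed

Dear Customer, ...
"""

# Constructed sample: aligned domains and passing checks, as a legitimate message would show.
SAMPLE_LEGIT = """Return-Path: <bounces@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: user@example.net
Subject: Your receipt

Hello Jane, ...
"""


def domain_of(address):
    """Lowercase domain part of an address like '"Name" <user@host>', or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (bounce.paypal.com -> paypal.com).
    Assumption: fine for this demo; production code should consult the Public Suffix List."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def analyze(raw):
    """Return the extracted domains, the auth verdicts and a list of red flags."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    rp_domain = domain_of(msg.get("Return-Path"))
    verdicts = auth_results(msg)
    flags = []
    if not rp_domain:
        flags.append("no Return-Path header")
    elif org_domain(rp_domain) != org_domain(from_domain):
        flags.append(f"Return-Path domain {rp_domain} not aligned with From domain {from_domain}")
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            flags.append(f"{method.upper()} did not pass ({verdicts.get(method, 'missing')})")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "auth": verdicts, "flags": flags}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze(raw)
        print(label, result["return_path_domain"], result["flags"] or "no flags")
```

Paste the text from "Show original" into `analyze()` to get the same verdict the manual check gives; a message with an unaligned Return-Path and any failing verdict is the case the tip warns about.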

Training Your Eye

The best defense is pattern recognition built over time:

  • Does the greeting use your actual name or "Dear Customer"?
  • Is there urgency pressure ("Act now or your account will be closed")?
  • Does the link domain match the company when you hover over it?
  • Is the return-path domain aligned with the from domain?

One click on "Show original" takes five seconds and can save you from a credential-stealing phishing page.
