There are many reasons why the From: address and the envelope sender (which is the address mail servers see) may not match.
Legitimate reasons include:
- it's a mailing list message. The From: will show the person who sent the message, but the envelope sender will be an address at the company that provides the list.
- it's a forwarded message. Pobox messages use SRS (sender rewriting scheme) to forward mail, so that errors and complaints come back to us.
- it's an automated message. Your company might send calendar notices, for instance, from a real person's address, so they can get replies, but bounces and other computer-generated replies should go to another place.
However, there are also malicious reasons. Phishing is the number one malicious reason to have a different envelope sender and From: address.
When sending a phish, you need to bypass as many spam checks as possible. Some email authentication protocols check the envelope sender. Most banks and other financial institutions use all the authentication protocols out there, to catch as many fakes as possible. Using a different envelope sender allows the malicious sender to bypass those checks.
You can see the envelope sender of messages we catch as spam by adding a column from the "Edit Columns" button.