DocVerdict

Why Reply-To mismatches matter

Email has two sender-side addresses, and most people only ever see one. From is the display: the name and address shown at the top of the message. Reply-To is the instruction: where your client actually sends your answer when you hit reply. They're allowed to differ, sometimes legitimately, and that allowance is one of the most exploited gaps in everyday email.

The attack the gap enables

A scammer doesn't need to control a familiar address to converse as it. They set From to the address you trust, and Reply-To to a mailbox they own. You read a message "from" your vendor; you hit reply; your response, and the conversation that follows, flows to the attacker. The visible thread looks right the whole time, because the one field you watch is the one they faked, and the one that routes the conversation is the one you never see. This pairing, trusted From, foreign Reply-To, is a standing feature of payment-redirect and credential-harvest campaigns precisely because replying feels safe in a way clicking links doesn't.

When a mismatch is innocent

Plenty of legitimate mail separates the two. Newsletters send from a no-reply address with Reply-To pointed at support; ticket systems route replies into their queues; a scheduling tool may send on a person's behalf with replies going to the person. The pattern of innocence is recognizable: both addresses belong to the same organization, or to an obvious service relationship, and the message isn't asking for anything sensitive. The pattern of trouble is the opposite: a personal or unrelated domain catching replies to a corporate sender, on a message that wants money, credentials, or urgency.

How to check

Most clients reveal Reply-To only when you start replying (glance at the actual recipient line before typing) or in the message's detail view. For a message that matters, the dependable route is reading the full headers, where From, Reply-To, and Return-Path can be compared side by side, and the routing and authentication results can confirm or contradict the visible sender entirely.
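As an added example (not DocVerdict's own code), here is a small Python script that does that side-by-side comparison on a raw message such as a saved .eml file. The two messages are constructed samples on reserved example domains, and the "same organization" test is a simplification that treats a domain and its subdomains as one organization.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not real mail), using reserved example domains:
# the attack pairing from the article, and an innocent newsletter pattern.
SUSPICIOUS_EML = b"""Return-Path: <bounce@mail-relay.example.net>
From: "Accounts Payable" <ap@vendor.example.com>
Reply-To: <ap.vendor@webmail.example.org>
To: <you@corp.example>
Subject: Updated bank details for invoice 4471

Please reply to confirm the new account.
"""
INNOCENT_EML = b"""From: "Vendor News" <no-reply@mail.vendor.example.com>
Reply-To: <support@vendor.example.com>
To: <you@corp.example>
Subject: Monthly update

Thanks for reading.
"""

def _domain(addr):
    """Lower-cased part after '@', or '' if the address is unparseable."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _same_org(dom_a, dom_b):
    """Simplification: a domain and its subdomains count as one organization."""
    return bool(dom_a and dom_b) and (
        dom_a == dom_b or dom_a.endswith("." + dom_b) or dom_b.endswith("." + dom_a))

def check_reply_to(raw):
    """Compare From, Reply-To and Return-Path of one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = _domain(from_addr)
    # A Reply-To outside the From organization (or unparseable) is the trusted-From / foreign-Reply-To pairing.
    foreign = [a for a in reply_addrs if not _same_org(_domain(a), from_dom)]
    return {
        "from": from_addr,
        "reply_to": reply_addrs,
        "return_path": return_path,
        "reply_to_mismatch": bool(foreign),
        "foreign_reply_to": foreign,
        # Weaker signal on its own: bulk senders often bounce via a relay domain.
        "return_path_mismatch": bool(return_path)
        and not _same_org(_domain(return_path), from_dom),
    }
```

Run `check_reply_to(open("message.eml", "rb").read())` on a saved message; a `reply_to_mismatch` of `True` on mail that asks for money or credentials is the pattern of trouble described above.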

FAQ

Why does email even allow the two to differ?

Old, legitimate plumbing: mailing lists, send-on-behalf services, and role addresses all need replies routed somewhere other than the literal sender. The feature predates the abuse by decades.

My own emails show a Reply-To I didn't set. Should I worry?

Check your account's settings and any connected sending tools; a CRM or "send as" configuration is the usual cause. A Reply-To you can't explain from settings is worth a password reset and a look at account filters, a common compromise artifact.

Is a matching Reply-To proof an email is safe?

No, it just removes one trick. Lookalike domains and compromised accounts keep their fields aligned. Alignment is necessary for trust, never sufficient.

See where an email really routes

Save it as .eml and drop it on DocVerdict's email check. It reports From, Reply-To, and Return-Path alignment, the routing timeline, and authentication results, in plain language. Free check, no account, files never stored.