What is the Header From address?
Of the two sender addresses on every email, the Header From is the one human beings read, trust, and get fooled by. That is why it is the address DMARC was built to protect.
Definition
The Header From is the From: line inside the message itself: the display name and address your mail client shows at the top of every email. The standards call it 5322.From, after RFC 5322, the message-format standard. It is chosen by whoever composes the message, which is both its power and its problem.
The problem: anyone can write anything there
SMTP does not verify the From line. A sender can put ceo@yourcompany.com in the Header From of a message that never touched your systems, and without DMARC most receivers would display it exactly as written. That gap is what email spoofing exploits, and it is why neither SPF nor DKIM alone fixes spoofing: SPF checks the hidden Return-Path, and DKIM checks whatever domain signed the message. Neither is required to have any connection to the From your reader sees.
How DMARC anchors to it
DMARC closes the gap by making the Header From domain the anchor for everything: an SPF or DKIM pass only counts for DMARC when the domain that passed aligns with the Header From domain. Publish a DMARC policy on your domain and receivers will refuse to inbox mail whose visible From claims to be you but whose authentication says otherwise.
Header From vs display name
One boundary worth knowing: DMARC protects the address in the From line, not the free-text display name next to it. A message from "Your CEO" <attacker@gmail.com> passes every authentication check, because it honestly is from gmail.com. Display-name impersonation is a different attack with different defenses (user training, receiver heuristics, BIMI making the real brand visually distinctive). DMARC's job ends at the address.
Keep reading
What is the Return-Path?
The hidden counterpart: the envelope address that receives bounces and decides SPF.
Envelope From vs Header From
The deep dive on the two addresses and where each one is checked.
What is email spoofing?
Why anyone can write your domain into a From line, and what stops it.
What is DMARC?
The policy layer that ties authentication back to the visible From.
Last verified 2026-07-10.
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.