PHPmailer custom header set, but not shown on delivery

Question

I am using PHPMailer6.2.0 and I am having issues setting the return path.

I have added the custom header via PHPmailer function addCustomHeader()

$mail->addCustomHeader("Return-Path", $fromemail);

and for debugging I have printed out the header content in \PHPMailer\PHPMailer.php function mailSend($header, $body) on line 1794;

var_export($header);
die();

this prints out the header content before it will be sent and it verifies that the custom header return-path is set correctly, however in action, when i receive an email to my outlook, the header return path callbacks to the domains default email [email protected]. Perhaps this is not the last place before the email is sent and it gets lost later on?

I am using DirectAdmin as my server manager

Answer 1

Stop right there! Senders should not set a return-path header. That header is added by the receiver, and what goes into it is dependent on the SMTP envelope sender, the address that's used in the SMTP MAIL FROM command that delivered the message. Setting this header as a sender is a straightforward contravention of the RFCs. So what should you do instead? Set the envelope sender, and in PHPMailer you do that like this:

$mail->Sender = $fromemail;

Even when you do this, whether the server your'e sending through will accept it is a different matter. For example gmail will not allow you to use anything other than your account username address or predefined aliases, not arbitrary addresses.

Answer 2

Have you seen the comment above in mailSend function? The sender gets turned into a return-path header by the receiver!

<?php
    $params = null;
    //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
    //A space after `-f` is optional, but there is a long history of its presence
    //causing problems, so we don't use one
    //Exim docs: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
    //Sendmail docs: http://www.sendmail.org/~ca/email/man/sendmail.html
    //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
    //Example problem: https://www.drupal.org/node/1057954
    // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
    if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) {
        $params = sprintf('-f%s', $this->Sender);
    }

I do not think you should set the return-path header by yourself. I believe PHPMailer uses the sender to handle this automatically. But correct me if i am wrong.