What fields does MailMarshal check for User Matching?

This article applies to:

  • MailMarshal SMTP
  • MailMarshal Exchange


  • What fields does MailMarshal check for User Matching?
  • Why is the "from" or "to" address shown in my email client not matched by MailMarshal rules?


MailMarshal rules use the following data when matching addresses:

Where addressed from and Except where addressed from:
In Content Analysis rules (also known as Standard rules in earlier versions), these conditions check BOTH the originator address header field AND the envelope sender (return-path). The conditions trigger if either address is in the list you provided.

Note that in MailMarshal SMTP Connection rules (also known as Receiver rules), these conditions check only the return-path, because the header information is not available at this stage of processing.

Where addressed to and Except where addressed to:
These conditions check ONLY the envelope information (RCPT TO). A header "To" field is not required by the standards for email formatting (RFCs).


In many cases of legitimate email, the header sender field matches the return-path. However this is not always true. For instance, mailing lists and role addresses (such as helpdesks) often use a return-path different from the visible From address.

If you are constructing a whitelist or blacklist of addresses, to ensure good matching use the addresses of the return-path and RCPT TO.

You can review message logs to determine the appropriate return-path and recipient addresses.

  • In MailMarshal 6.9 and above, you can review the log for a message easily by viewing the message in the Console and selecting the Content Analysis Log tab.
  • For earlier versions, you can see this information most easily if you have moved or copied the message and associated log to a folder.

The first line of the Content Analysis (Engine) log will appear in the following format:

Message From: <fromaddress@senderdomain.com>, Return-Path: <returnpath@senderdomain.com>, Recipients: recip@recipientdomain.com

The Return-Path recorded by MailMarshal is the address that was used as the SMTP MAIL FROM: (in MailMarshal Exchange, the From address assigned by Exchange).

Last Modified 12/13/2010.