Every email travels in two layers: the envelope (what mail servers read to route the message) and the letter inside (what recipients see in their inbox). RCPT TO lives on the envelope; the TO field lives in the letter. They can contain different addresses — sometimes intentionally, sometimes as a sign of spoofing.
How the two fields work
RCPT TO is an SMTP (Simple Mail Transfer Protocol) command defined in RFC 5321. Mail servers exchange it during the transport handshake to identify where the message must be delivered. The receiving server routes the message to the correct mailbox based on this address; recipients never see it.
The TO field is a message header defined in RFC 5322 (Internet Message Format). It is part of the email content itself and is displayed in the recipient's email client. It can hold one or more addresses along with optional display names. Because TO is a message-layer header rather than a transport command, it does not control delivery and can be set freely by the sender.
Differences at a glance
|
RCPT TO |
TO field |
|
|
Defined by |
RFC 5321 (SMTP) |
RFC 5322 (Internet Message Format) |
|
Layer |
Transport (envelope) |
Message content (header) |
|
Visible to recipient |
No |
Yes |
|
Controls delivery |
Yes — mail servers route to this address |
No — display only |
|
Freely editable by sender |
No |
Yes |
When the two addresses diverge
Legitimate divergence: RCPT TO and TO addresses legitimately differ in several common scenarios. For BCC recipients, the address is added to RCPT TO but omitted from the TO and CC headers — the BCC recipient receives the message without appearing in visible headers. Mailing lists add each subscriber to RCPT TO while the TO header shows only the list address. Email service providers (ESPs) often use a bounce-handling address in RCPT TO while showing your brand address in the TO header.
Security concern: Because the TO field is freely editable, it is a common vector for spoofing and phishing. An attacker can set the TO header to a trusted address (such as a colleague or executive) while RCPT TO routes the message to a completely different mailbox. When reviewing suspicious email, check the RCPT TO address in the raw message headers or server logs. A mismatch not explained by BCC, a mailing list, or an ESP is a strong indicator of spoofing.
To identify the true recipient of a message, always check RCPT TO rather than the TO field. For critical emails, confirm that both addresses match.