Email Recipient ID: Differences Between RCPT TO and TO

更新时间:
复制 MD 格式

Every email travels in two layers: the envelope (what mail servers read to route the message) and the letter inside (what recipients see in their inbox). RCPT TO lives on the envelope; the TO field lives in the letter. They can contain different addresses — sometimes intentionally, sometimes as a sign of spoofing.

How the two fields work

RCPT TO is an SMTP (Simple Mail Transfer Protocol) command defined in RFC 5321. Mail servers exchange it during the transport handshake to identify where the message must be delivered. The receiving server routes the message to the correct mailbox based on this address; recipients never see it.

The TO field is a message header defined in RFC 5322 (Internet Message Format). It is part of the email content itself and is displayed in the recipient's email client. It can hold one or more addresses along with optional display names. Because TO is a message-layer header rather than a transport command, it does not control delivery and can be set freely by the sender.

Differences at a glance

RCPT TO

TO field

Defined by

RFC 5321 (SMTP)

RFC 5322 (Internet Message Format)

Layer

Transport (envelope)

Message content (header)

Visible to recipient

No

Yes

Controls delivery

Yes — mail servers route to this address

No — display only

Freely editable by sender

No

Yes

When the two addresses diverge

  • Legitimate divergence: RCPT TO and TO addresses legitimately differ in several common scenarios. For BCC recipients, the address is added to RCPT TO but omitted from the TO and CC headers — the BCC recipient receives the message without appearing in visible headers. Mailing lists add each subscriber to RCPT TO while the TO header shows only the list address. Email service providers (ESPs) often use a bounce-handling address in RCPT TO while showing your brand address in the TO header.

  • Security concern: Because the TO field is freely editable, it is a common vector for spoofing and phishing. An attacker can set the TO header to a trusted address (such as a colleague or executive) while RCPT TO routes the message to a completely different mailbox. When reviewing suspicious email, check the RCPT TO address in the raw message headers or server logs. A mismatch not explained by BCC, a mailing list, or an ESP is a strong indicator of spoofing.

To identify the true recipient of a message, always check RCPT TO rather than the TO field. For critical emails, confirm that both addresses match.