When a receiver sees two From: header fields in one message, the problem is not subtle. The message is malformed.
That matters because modern receiver filtering does not separate "syntax hygiene" from "sender trust" as neatly as administrators often expect. If the visible author identity is malformed or ambiguous, the message can be treated as risky even when SPF or DKIM would otherwise look fine.
For Gmail in particular, the guidance is explicit: From: should contain only one email address, and single-instance headers such as From:, To:, Subject:, and Date: should appear only once in a message. RFC 5322 and DMARC line up with that operational stance for the duplicate-From: case.
Messages with multiple From: header fields fail RFC 5322 checks because From: is a single-instance originator field.
RFC 5322 defines the From: field with a maximum count of one in the message header section. DMARC then depends on a single, properly formed RFC 5322 From: field as the visible author-domain identifier. If the message has a repeated From: field, the receiver no longer has one reliable author identity to evaluate.
That is why receivers often classify the message as malformed, deceptive, or authentication-risk mail rather than trying to guess which From: field was the "real" one.
In RFC 5322, section 3.6 defines header-field occurrence limits. The table there gives from a minimum of 1 and a maximum of 1.
That is the key rule here. This is invalid:
From: billing@example.com
From: alerts@example.net
To: user@example.org
Subject: Test
Date: Mon, 9 Jun 2026 10:15:00 +0000The receiver does not have one canonical author field anymore. It has two competing ones.
This point gets confused with a different rule in the same RFC: a singleFrom: field can contain more than one mailbox, and if it does, Sender: must also be present. That is unusual in modern operational mail, but it is not the same thing as having duplicate From: header fields.
So keep these separate:
From: field containing multiple addresses is an edge-case syntax that RFC 5322 can describeFrom: fields is a message-format errorThis is where DMARC becomes relevant.
DMARC is evaluated against the domain in the visible RFC 5322 From: field, not the SMTP envelope sender and not some receiver-chosen "best guess" among conflicting author headers. RFC 7489 makes that dependency very clear: DMARC uses the RFC 5322 From domain as the primary identifier.
It also says something operationally important in section 3.1: Identifier Alignment cannot occur with a message that is malformed, absent, or repeated in the RFC 5322 From: field, because there is no reliable way to determine which DMARC policy applies.
That is the real reason duplicate From: headers get treated as authentication-risk mail.
The receiver is not merely being picky about formatting. It is facing an identity ambiguity at exactly the header field DMARC is supposed to protect.
From: field and continueBecause any choice would be arbitrary, and arbitrary parsing decisions are dangerous in abuse handling.
Imagine this message shape:
From: payroll@example.com
From: attacker@example.net
DKIM-Signature: d=example.net; ...If one parser shows the first From: field to the user, another internal component evaluates the second one, and a third component logs only one of them, the receiver now has inconsistent identity handling inside its own pipeline.
That kind of disagreement is exactly the sort of thing anti-abuse systems try to avoid.
So the safe posture is usually one of these:
From an operator perspective, that behavior is sensible. It avoids giving malformed mail the benefit of parser luck.
Google's current Email sender guidelines say all of the following:
From: headers should include only one email addressThat combination matters.
Duplicate From: headers are not only an RFC 5322 formatting problem. Under Gmail's guidance they also look like a sender-identity defect, which is why administrators often see them show up in the same operational bucket as authentication failures.
Even if SPF passes and DKIM verifies, the message can still be blocked because the visible author identity is not trustworthy.
From: is different from SPF, DKIM, or DMARC failing on their ownThis distinction is worth being precise about.
From: identity is malformedSo when a team says, "authentication was fine, but the receiver still rejected it," the next question should be whether the message had a valid, singular originator header structure.
That same pattern shows up in troubleshooting email rejected for RFC 5322 formatting issues that look like authentication failures. This post is just the narrowest and most common version of that failure.
From: headers get createdIn practice, this is usually not a deliberate mail-construction choice. It is a pipeline bug.
Typical causes are:
From: and a downstream library sets it againThe last case is common in custom systems: the software generates what it thinks is a complete header block, then the mail library helpfully adds its own From: because it assumes ownership of the field.
The bug is often obvious once the exact source is inspected.
Bad example:
From: App Notifications <notify@example.com>
To: user@example.org
Subject: Status update
Date: Mon, 9 Jun 2026 10:15:00 +0000
Message-ID: <abc123@example.com>
From: Example Platform <mailer@example.com>The placement does not matter. The second From: is still a duplicate single-instance header.
Healthy shape:
From: App Notifications <notify@example.com>
To: user@example.org
Subject: Status update
Date: Mon, 9 Jun 2026 10:15:00 +0000
Message-ID: <abc123@example.com>If the transmitting agent differs from the author and there is a standards-based reason to represent that, use a valid Sender: field instead of a second From: field.
Do not rely on UI summaries or header views that collapse duplicates.
Some tools display only the first occurrence of a field. Others display only the last. That can hide the defect completely.
At minimum, count:
From:Date:Subject:To:Message-ID:If From: appears twice, stop there first. That is already enough to explain many rejections.
Compare the message at three points if possible:
That usually shows whether the duplicate came from the app, a middleware layer, or the sending platform.
Only one component should be responsible for From:, Date:, and Message-ID generation. Shared ownership is how duplicate headers happen.
Send a plain-text test with:
From: fieldDate:Message-IDIf the minimal version works, reintroduce pipeline features one at a time until the duplicate From: returns.
The fix is not to "teach DMARC" about duplicate author headers. The fix is to stop generating malformed mail.
In most environments that means:
From: in exactly one layerSender: when there is a legitimate transmitting-agent distinctionIf a receiver says the message is malformed or risky, believe the raw message over the sending application's configuration screen. The UI often shows intended header values, not the exact final header block that was sent.
Multiple From: header fields fail RFC 5322 because From: is allowed exactly once.
They also create an identity problem for DMARC because DMARC depends on one reliable RFC 5322 From: domain for policy lookup and alignment evaluation. Once that field is duplicated, the receiver no longer has a trustworthy visible author identity, so rejection or high-risk handling becomes the safe outcome.
If the message is being treated like an authentication problem, that is usually not a misunderstanding. For duplicate From: headers, formatting failure and identity risk are the same operational issue.