Copying the envelope sender from the From header causes failures #2298

@robertmathews

A recent change in commit 09bc306 makes PHPMailer pass the -f flag to sendmail in cases where it didn't use -f (i.e., where it previously let the system choose the envelope sender address / return path). This leads to failures in situations where it previously worked because the sendmail default envelope sender was used.

There's discussion of this in this WordPress bug report, but the overview is that (for example) many WordPress plugins send mail with a "From" header address that they don't really own.

This is obviously not best practice because it means DKIM won't work, but as long as -f is not passed to sendmail, the envelope sender address is likely to be valid. Either the system's default sendmail envelope sender address or the php.ini sendmail_from address will be used, and assuming one of those is correctly configured (which is usually the case with competent hosting companies, for example), the resulting mail will pass SPF checks and hopefully be delivered.

With this change, PHPMailer and WordPress send that message with -f same_address_as_from_header, overriding sendmail's default envelope sender. That means that SPF won't match for the message, either, and it's much more likely to be rejected as a forgery. (I've seen this problem happening in the wild after people updated to the version of WordPress that includes this PHPMailer change. Messages that used to be delivered are now rejected outright.)

In case an example helps, imagine a message was sent with "From: [email protected]" by a script that is running as user "user123" at "hostingcompany.com". Since the WordPress wp_mail() function calls PHPMailer without specifying a "sender", that message would previously be sent as:

This would probably work: While the "sending with a From header address you don't own" is not recommended for DKIM/DMARC purposes, at least the Return-Path envelope address is a valid address that can be matched using SPF, and it would likely be delivered. Now, however, the same message would be sent as:

Neither SPF nor DKIM will be valid, so this message is much more likely to be rejected as a forgery.

It doesn't seem that the new "generating a default -f envelope sender from the header From address" behavior when no explicit sender is provided is a good idea. It may fix problems where the default PHP/sendmail binary envelope sender is misconfigured, but those have failed all along... and this change introduces new failures where the sendmail envelope default was properly configured.

If the envelope sender is unspecified when calling PHPMailer, it seems better to let PHP and the sendmail binary choose the default.
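
The SPF consequence described in this issue, as an added example that is not part of the original report or of PHPMailer's code: SPF is evaluated against the envelope sender's domain, so copying the From header into the envelope changes which record the receiver checks. The SPF records, IP addresses and `customer-domain.example` are constructed, and `check_spf` and `envelope_sender` are hypothetical helpers; `user123@hostingcompany.com` is the issue's own example.

```python
import ipaddress

# Constructed SPF records (documentation IP ranges); a real check queries DNS TXT.
SPF_RECORDS = {
    "hostingcompany.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer-domain.example": "v=spf1 ip4:198.51.100.10 -all",
}
SENDING_IP = "192.0.2.25"  # constructed: the hosting company's outbound server

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_from, client_ip, records=SPF_RECORDS):
    """Evaluate SPF for the envelope sender (MAIL FROM) domain.

    Handles only the ip4/ip6 and all mechanisms, enough for this illustration.
    """
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def envelope_sender(explicit_sender, header_from, system_default, copy_from_header):
    """Pick the envelope sender; copy_from_header models the behaviour the issue reports."""
    if explicit_sender:
        return explicit_sender
    return header_from if copy_from_header else system_default


if __name__ == "__main__":
    for copy in (False, True):
        sender = envelope_sender(None, "someone@customer-domain.example",
                                 "user123@hostingcompany.com", copy)
        print(f"copy_from_header={copy}: MAIL FROM {sender} -> SPF {check_spf(sender, SENDING_IP)}")
```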
