Emails from planningalerts.org.au and morph.io use oaf.org.au as the Return-Path domain

[benrfairless]

Describe the bug
Emails sent from morph.io use oaf.org.au as the Return-Path domain, causing DMARC alignment failures. This mismatch prevents proper email authentication and may trigger delivery issues.

To Reproduce
Steps to reproduce the behaviour:

• Send an email from morph.io
• Inspect the email headers
• Observe Return-Path uses @oaf.org.au domain
• Note that From address uses @morph.io domain
• Run DMARC check and observe alignment failure

Expected behaviour
Return-Path domain should match the From domain (morph.io) to pass DMARC alignment requirements. Either:

• Configure Return-Path to use morph.io, or
• Ensure SPF and DKIM records properly support the current configuration

Additional context

• DMARC requires either SPF or DKIM to align with the From domain
• Return-Path domain mismatch causes SPF alignment to fail
• May impact email deliverability, particularly with strict DMARC policies
• This issue compounds the p=none DMARC policy problem

[benrfairless]

The root cause of this issue can be linked back to the way Cuttlefish handles transactional email.

The Return-Path is hard-coded as follows:
Return-Path: <bounces@cuttlefish.oaf.org.au>

The Return-Path needs to be the same as the domain in order for emails to succeed. For example, the Return-Path for an email from planningalerts.org.au should be something like bounces@email.planningalerts.org.au.

[benrfairless]

I wonder if this issue causes openaustralia/planningalerts#1969

[andrianvaleanu]

I've run into this exact alignment headache before when migrating mail servers. While you could swap the Return-Path to match morph.io, it's often easier to just ensure your DKIM signature is valid and uses the morph.io domain. DMARC only needs one (either SPF or DKIM) to align, and DKIM is much more resilient when emails get forwarded.

If you're still seeing deliverability drops after fixing the signature, you might want to run a quick test through something like https://unspam.email/ to see if there are other hidden configuration gaps.

Dealing with oaf.org.au as the envelope sender is fine as long as the crypto signature matches the header-from. Balancing both is ideal, but fixing the DKIM alignment is usually the faster win here.