# VERP

> VERP encodes a message's identity into its bounce address, so every returned email identifies exactly which send failed without parsing the bounce text.

Canonical: https://emailfast.dev/glossary/verp

VERP (Variable Envelope Return Path) is the technique of giving every outgoing message its own unique bounce address, encoding which message and recipient it belongs to. When a bounce arrives, the address it was sent to identifies the exact failed send, with no parsing of the bounce body required.

## Why it matters

Bounces are messy. They can arrive days after the send, come from intermediate servers rather than the final one, and range in format from standard delivery status notifications to free-text apologies in any language. Parsing them heuristically misattributes failures, and a misattributed [bounce](/glossary/bounce) either suppresses the wrong address or leaves a dead one on your list. VERP sidesteps the whole problem: the envelope sender you chose comes back as the recipient of the bounce, and that address *is* the attribution. It also creates an attack surface worth naming. Bounce addresses are visible to anyone who receives your mail, so a system that trusts them uncritically can be fed forged bounces to poison its suppression list.

## In practice

A message to `ada@example.com` goes out with an envelope sender like:

```text
bounce+g8h3k2x-r94k1@bounces.example.com
```

Any server that fails to deliver the message returns its report to that address. The token decodes to the message and recipient, so a `550 user unknown` marks exactly one address bad, even when the bounce text arrives in Portuguese with no machine-readable part. This is also why the address in your Return-Path never matches the From address you wrote: [SPF](/glossary/spf) is evaluated against this envelope domain.

## How Email Fast handles it

Email Fast's VERP tokens are HMAC-signed. A bounce arriving at an address whose signature does not verify is rejected before any bounce processing runs, so an attacker who guesses the address format cannot forge bounces to suppress addresses that are actually fine.
