We've since slightly rolled that change back, however won't be until out next minor.

 

    Only trusted contacts will look at just the Return-Path header. When you use something like SPF, we can guarantee the Return-Path is not spoofed. Many mobile phones through various protocols will add the local user to the contacts list, there also common email addresses one might have in their contacts, admin@domain.com, support@domain.com, etc. Since what is in a contact list could potentially be predicable, spammers can try to utilize these addresses to bypass spam checks, something they can't do if we only use ReturnPath and SPF together.

 

    The other sources of trusted senders, from the user's trusted sender list, the domain's, or even the system's will still continue using Return-Path, From, and Reply-To just as they were before.

 

So the new changes that have not rolled out yet, will now only apply to Contacts.

 

Hopefully this clears up any confusion.