Understanding Email Headers

Received emails contain details of the path they took to arrive along with many other details – this information is contained in the Email Headers.

Email Headers are often essential to diagnose message routing problems, delays, reasons for spam filtering and NDRs (bounces).

How to locate Email Headers

Locating your email header is very simple, but does depend on your email client. See this article on locating your email header.

Example Email Header

The following is what a typical Internet Email Header looks like.

Delivered-To: recipient@gmail.com
Received: by with SMTP id e128csp214709ywa;
        Fri, 3 Jun 2016 05:40:42 -0700 (PDT)
X-Received: by with SMTP id x35mr5196223ioi.124.1464957642784;
        Fri, 03 Jun 2016 05:40:42 -0700 (PDT)
Return-Path: <sender@gmail.com>
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com. [2607:f8b0:4001:c06::234])
        by mx.google.com with ESMTPS id w79si3994187itc.47.2016.
        for <recipient@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 03 Jun 2016 05:40:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of sender@gmail.com designates 2607:f8b0:4001:c06::234 as permitted sender) client-ip=2607:f8b0:4001:c06::234;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@gmail.com;
        spf=pass (google.com: domain of sender@gmail.com designates 2607:f8b0:4001:c06::234 as permitted sender) smtp.mailfrom=sender@gmail.com;
        dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-io0-x234.google.com with SMTP id t40so62903834ioi.0
        for <recipient@gmail.com>; Fri, 03 Jun 2016 05:40:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
X-Gm-Message-State: ALyK8tIGzLnUQ711hv6+Lj0x6R+XboeWRTKHhCy7yOhqoG22nzOEMRnGqWJHQNccsLrT7ZXEG8+8hzlR9XztNA==
X-Received: by with SMTP id 76mr3467819ios.157.1464957642607;
        Fri, 03 Jun 2016 05:40:42 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 3 Jun 2016 05:40:42 -0700 (PDT)
From: Sender Name <sender@gmail.com>
Date: Fri, 3 Jun 2016 14:40:42 +0200
Message-ID: <CALEspy8Fm7A0K0TQJadiDavRKdXDU+PpGFYFyQO=+x784XNVFQ@mail.gmail.com>
Subject: Email Headers
To: recipient@gmail.com
Content-Type: multipart/alternative; boundary=001a113ed0a6e6125405345f071c

In the above example, the “Sender” is sender@gmail.com and the “Recipient” is recipient@gmail.com. The sender composed the email with Gmail, and the recipient received it using the Gmail client.

Important: Some details in Email Headers can be forged. Generally, you can only trust the “Received:” lines created by your email service – headers added by other servers can’t be trusted, and neither can the From: header, which is easily forged.

Understanding the Email Header

Not all Email Headers contain the same information, but many will contain the following headers:

From: The name and email address of the sender. NB Could easily be forged

Subject: This is what the sender selected as the topic of the email

Date: The date and time the email was composed. NB time from the sender's computer – could be incorrect or in another time zone

To: This displays who the email was addressed to. NB this may not be the actual email address of the final recipient e.g. if the recipient were included in the BCC field

Envelope-To: This can show the recipient address being altered depending on the delivery configuration (for example, if an email was originally addressed to an alias domain)

Message Body: The content written by the sender

Return-Path: The email address specified for return mail (also known as “Reply-To:”). NB this is usually a real email address but may not be the email address of the sender

Delivery Date: This shows the date and time the email was received by the recipient. NB time from the sender's computer – could be incorrect or in another time zone

Received: This displays all the servers/computers that the email travelled through to reach the recipient.

These lines are normally in the following format:

Received: from servername (IP address) by servername (IP address) with MTA-name; timestamp

These details are best read from bottom to top as:

  • the last (bottom) “Received:” line will be where the email originated from (the sender’s server details)
  • the first (top) “Received:” line will show the recipient server's details

Message-ID: A unique string assigned by the mail system when the message is first created. NB this should be unique but sometimes spammers use the same Message ID for multiple emails.

Content-Type: Defines the format of the message (i.e. HTML or Plain Text)

X-Spam-Status: Displays a spam score created by the recipient's email service. See this article to understand why an email may be marked as Spam
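
As an added example (not part of the original article), the following Python reads the “Received:” chain bottom to top, as described above, and marks a hop as trusted only while the lines, counted from the top, were written by your own email service. The sample headers, host names and IP addresses are constructed, and TRUSTED_BY is an assumed name for your receiving server.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumption: the host name your own receiving mail service writes after "by".
TRUSTED_BY = {"mx.recipient.example"}

# Constructed sample (not a real message). The bottom line claims the trusted
# host but sits below an outside hop, so it must not be believed.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
        by mx.recipient.example with ESMTPS id abc123
        for <bob@recipient.example>; Fri, 03 Jun 2016 05:40:42 -0700
Received: from laptop (unknown [198.51.100.7])
        by mail.sender.example with ESMTPSA id def456;
        Fri, 03 Jun 2016 05:40:12 -0700
Received: from inside.recipient.example (unknown [203.0.113.5])
        by mx.recipient.example with ESMTP id zzz999;
        Fri, 03 Jun 2016 05:39:00 -0700
Subject: Email Headers
"""

HOP_RE = re.compile(r"(?:from\s+(?P<frm>\S+).*?)?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Received: lines in header order (top first), each flagged trusted or not."""
    hops, trusted_run = [], True
    for value in message_from_string(raw).get_all("Received", []):
        fields, _, stamp = value.rpartition(";")
        m = HOP_RE.search(fields)
        by = m.group("by") if m else None
        # Servers prepend, so trust ends at the first line our service did not write.
        trusted_run = trusted_run and by in TRUSTED_BY
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None  # missing or malformed timestamp
        hops.append({"from": m.group("frm") if m else None, "by": by,
                     "time": when, "trusted": trusted_run})
    return hops

def route(raw):
    """Path read bottom to top: (by-host, trusted, seconds since previous hop)."""
    out, prev = [], None
    for hop in reversed(parse_hops(raw)):
        gap = (hop["time"] - prev).total_seconds() if hop["time"] and prev else None
        out.append((hop["by"], hop["trusted"], gap))
        prev = hop["time"] or prev
    return out
```

Calling route(SAMPLE) lists the hops from origin to recipient; a large gap between two hops shows where a delay occurred, and only the final hop carries the trusted flag.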

Tools for Reading Email Headers

Full Email Headers can normally be quite lengthy and overwhelming. The following are great tools that will assist you in dissecting your email header:

  1. Microsoft Remote Connectivity Analyser
    Paste the email headers details into the message analyser field provided and click Analyze headers to see the report.
  2. Google Apps Toolbox – Message Header
    Simply copy your email header into the Message Header Analyser and Google will translate the Email Header into a format that is simpler to read.

To locate your Email Headers, take a look at this article:

How to Locate your Email Headers