Reading Email Headers
Every email carries a header block — a sequence of Name: Value lines prepended by each server that handles the message. Reading headers reveals the complete delivery path from sender to inbox.
To view raw headers:
- Gmail: open the email → three-dot menu → *Show original*
- Outlook: File → Properties → *Internet headers*
- Apple Mail: View → Message → *All Headers*
Received Headers Chain
Each MTA (Mail Transfer Agent) that relays the message prepends a Received: header. Reading from bottom to top gives the delivery path in chronological order:
```
Received: from mail.recipient.com (mail.recipient.com [203.0.113.5])
        by mx.example.com with ESMTPS id abc123
        for <[email protected]>
        Tue, 14 Feb 2024 10:32:01 +0000
Received: from smtp.sender.com (smtp.sender.com [198.51.100.10])
        by mail.recipient.com with ESMTPS id xyz789
        Tue, 14 Feb 2024 10:32:00 +0000
```
The bottom Received: header is from the originating server. Each subsequent header (reading upward) shows the next hop. Compare timestamps between hops to identify where delays occurred.
Authentication Results (SPF, DKIM, DMARC)
The Authentication-Results: header is added by the receiving MTA and reports the outcome of the email authentication checks:
```
Authentication-Results: mx.example.com;
        spf=pass smtp.mailfrom=sender.com;
        dkim=pass header.d=sender.com header.s=selector1;
        dmarc=pass action=none
```
| Check | Pass Meaning | Fail Meaning |
|---|---|---|
| **SPF** | Sending IP is authorized for the domain | Unauthorized IP |
| **DKIM** | Message was signed and signature is valid | Signature invalid or missing |
| **DMARC** | Passes SPF or DKIM alignment | May be quarantined or rejected |
Message-ID and References
Message-ID is a globally unique identifier assigned by the originating MTA:
Message-ID: <[email protected]>
Format: <unique-part@domain>. Use this ID in support tickets or logs to locate a specific message.
References and In-Reply-To chain replies into threads:
In-Reply-To: <[email protected]>
References: <[email protected]>
Return-Path vs From
From: — the human-visible sender address. This is what appears in the email client. It can be spoofed without domain ownership.
Return-Path: (also called *envelope from* or *MAIL FROM*) — the address where bounce messages (NDRs) are sent. This is what SPF checks. It is often different from From: when using an ESP (Email Service Provider):
From: Alice <[email protected]>
Return-Path: <[email protected]>
Envelope vs Header Addresses
SMTP has two layers of addressing:
| Layer | Header | Used for |
|---|---|---|
| **Envelope** | `MAIL FROM` / `RCPT TO` | Actual delivery routing |
| **Header** | `From:` / `To:` / `Cc:` | Display in email client |
A BCC recipient appears in RCPT TO (envelope) but not in any header — that is how BCC works. A mailing list rewrites the envelope From to itself while preserving the header From.
Tools for Header Analysis
- Google Admin Toolbox — Message Header: https://toolbox.googleapps.com/apps/messageheader/ — visual timeline of delivery hops
- Mail Header Analyzer (MXToolbox): parses raw headers into readable tables with latency visualization
- Command line:
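  ```bash
  # Extract the Message-ID from a raw email file (header names are case-insensitive)
  grep -i '^Message-ID:' email.eml
  # Check the SPF/DKIM/DMARC results (-A 3 also prints the folded continuation lines)
  grep -i -A 3 '^Authentication-Results:' email.eml
  # List all Received headers (delivery path), including continuation lines
  grep -i -A 3 '^Received:' email.eml
  ```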
Headers are the forensic trail for email debugging. When investigating delivery failures, start with Authentication-Results (authentication failures cause rejection) and the Received chain (delays indicate routing issues).
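The triage order described above, as an added example that is not part of the original page: it reads only the Authentication-Results header stamped by your own MTA (a copy carrying any other server name may have been supplied by the sender), notes when the SPF-checked Return-Path domain differs from the visible From domain, and computes per-hop delay from the Received chain. The sample message, its hosts and addresses, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
# Constructed sample message; hosts and addresses are placeholders, not from the page.
RAW = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.5])
\tby mx.example.com with ESMTPS id abc123; Wed, 14 Feb 2024 10:32:45 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.10])
\tby mail.relay.example with ESMTPS id xyz789; Wed, 14 Feb 2024 10:32:00 +0000
Authentication-Results: mx.example.com;
\tspf=pass smtp.mailfrom=bounces.esp.example;
\tdkim=fail header.d=sender.example header.s=selector1;
\tdmarc=fail action=quarantine
Return-Path: <bounce-1@bounces.esp.example>
From: Alice <alice@sender.example>
"""
DATE = re.compile(r"\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}")

def hop_delays(msg):
    """Return (receiving host, seconds since the previous hop), oldest hop first."""
    stamps = []
    for raw in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        line = " ".join(raw.split())  # unfold continuation lines
        by, when = re.search(r"\bby (\S+)", line), DATE.search(line)
        if when:  # skip hops without a parseable timestamp
            stamps.append((by.group(1) if by else "?", parsedate_to_datetime(when.group())))
    return [(b[0], (b[1] - a[1]).total_seconds()) for a, b in zip(stamps, stamps[1:])]

def auth_results(msg, authserv_id):
    """Verdicts from the header stamped by our own MTA; any other copy is untrusted."""
    for raw in msg.get_all("Authentication-Results", []):
        server, _, rest = " ".join(raw.split()).partition(";")
        if server.strip().lower() == authserv_id:
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return {}

def domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw, authserv_id, slow_after=30):
    msg = message_from_string(raw)
    auth = auth_results(msg, authserv_id)
    out = [f"{k}={auth.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc") if auth.get(k) != "pass"]
    frm, rp = domain(msg["From"]), domain(msg["Return-Path"])
    if frm != rp:  # exact comparison; DMARC relaxed alignment compares organizational domains
        out.append(f"SPF was evaluated for {rp}, not the From domain {frm}")
    out += [f"{s:.0f}s delay reaching {host}" for host, s in hop_delays(msg) if s > slow_after]
    return out
```

Calling `triage(RAW, "mx.example.com")` on the constructed sample reports the DKIM and DMARC failures, the Return-Path/From domain difference, and the 45-second delay before the final hop.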