Understanding the Email Header

The following guide explains how to read and understand an email header. To understand a header we need to follow the life of the email. Most of the time it appears that email is passed directly from the sender to the recipient. This isn't true: a typical email passes through at least four computers.

To begin you will need to find your full email header.

Viewing a Header

In this example the “Sender” mt.kb.user@gmail.com wants to send an email to the “Receiver” KB-User@mt-example.com. The sender composes the email at gmail.com, and KB-User@mt-example.com receives it in the email client Apple Mail. Here is the example header:

From: Media Temple kb-user (mt.kb.user@gmail.com)
Subject: KB Article: How to Trace a Email
Date: July 1, 2008 3:30:58 PM PDT
To: KB-User@mt-example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: KB-User@mt-example.com
Delivery-Date: Tue, 01 Jul 2008 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for KB-User@mt-example.com; Tue, 01 Jul 2008 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <KB-User@mt-example.com>; Tue, 01 Jul 2008 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 01 Jul 2008 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 1 Jul 2008 15:30:58 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=+JqkmVt+sHDFIGX5jKp3oP18LQf10VQjAmZAKl1lspY=; b=F87jySDZnMayyitVxLdHcQNL073DytKRyrRh84GNsI24IRNakn0oOfrC2luliNvdea LGTk3adIrzt+N96GyMseWz8T9xE6O/sAI16db48q4Iqkd7uOiDvFsvS3CUQlNhybNw8m CH/o8eELTN0zbSbn5Trp0dkRYXhMX8FTAwrH0=
Domainkey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=wkbBj0M8NCUlboI6idKooejg0sL2ms7fDPe1tHUkR9Ht0qr5lAJX4q9PMVJeyjWalH 36n4qGLtC2euBJY070bVra8IBB9FeDEW9C35BC1vuPT5XyucCm0hulbE86+uiUTXCkaB 6ykquzQGCer7xPAcMJqVfXDkHo3H61HM9oCQM=
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_3927_12044027.1214951458678"
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
Message Body: This is a Knowledge Base Article that will give advice on how to find email headers and use the data to trace a email.

Understanding the Email Header

WARNING:

It is important to realize that when reading an email header every line can be forged, so only the Received: lines created by your own service or computer should be completely trusted.

From:

  • This displays who the message is from. It can be easily forged, however, and is often the least reliable line in the header.

Subject:

  • This is what the sender placed as a topic of the email content.

Date:

  • This shows the date and time the email message was composed.

To:

  • This shows who the message was addressed to, but may not contain the recipient's address!

Return-Path:

  • The email address for return mail. Same as Reply-To:

Envelope-To:

  • This header shows this email was delivered to the mailbox of a subscriber whose email address is KB-User@mt-example.com.

Delivery-Date:

  • This shows the date and time at which the email was received by your (mt) service or email client.

Received:

  • The Received: lines are the most important part of the email header and are usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you. The Received: lines are best read from bottom to top: the first (topmost) Received: line is your own system or mail server, and the last (bottommost) Received: line is where the mail originated. Each mail system has its own style of Received: line. A Received: line typically identifies the machine that received the mail and the machine that the mail was received from.

Dkim-Signature & Domainkey-Signature:

  • These are related to domain keys which are currently not supported by (mt) Media Temple services. You can learn more about these by visiting http://en.wikipedia.org/wiki/DomainKeys

Message-Id:

  • A unique string assigned by the mail system when the message is first created. These can easily be forged.

Mime-Version:

  • Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of e-mail. Please see http://en.wikipedia.org/wiki/MIME for more details.

Content-Type:

  • This will usually tell you the format of the message, such as HTML or plain text.

X-Spam-Status:

  • Displays a Spam Score usually created by your service or mail client.

X-Spam-Level:

  • Displays the same spam score as a row of asterisks, usually created by your service or mail client.

Message Body:

  • This is the actual content of the email itself written by the sender.

Finding the Original Sender

The easiest way to find the original sender is to look for the X-Originating-IP header. This header is important because it tells you the IP address of the computer that sent the email. If you cannot find the X-Originating-IP header, you will have to sift through the Received: headers to find the sender's IP address. In the example above the originating IP address is 10.140.188.3.

Once the email sender's IP address is found you can search for it at http://www.arin.net/. The results tell you which ISP (Internet Service Provider) or web host the IP address belongs to. If you are tracking a spam email you can then send a complaint to the owner of the originating IP address. Be sure to include all the headers of the email when filing a complaint.
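The bottom-to-top walk through the Received: lines described earlier and the sender-lookup procedure in this section can be automated. The following Python script is an added example written for this article, not code from Media Temple. It parses the Received: lines of the sample header (reproduced inline as constructed test input), lists the hops from the sender side upward, marks as trusted only the lines written by your own servers (the own_domain parameter is an assumption of this example; gridserver.com is taken from the sample header), and reports the first publicly routable address. That last step matters because 10.140.188.3, the originating address in the sample, is in the private 10.0.0.0/8 range, which belongs to the sending provider's internal network and cannot be looked up at ARIN; the first public hop, 72.14.252.155 here, is the address a whois query can actually attribute.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string

# Constructed sample: the envelope and Received: lines from the article's
# example header, reproduced here as offline test input (not a live message).
SAMPLE_MESSAGE = """\
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: KB-User@mt-example.com
Delivery-Date: Tue, 01 Jul 2008 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for KB-User@mt-example.com; Tue, 01 Jul 2008 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <KB-User@mt-example.com>; Tue, 01 Jul 2008 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 01 Jul 2008 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 1 Jul 2008 15:30:58 -0700 (PDT)
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>

Message body placeholder.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Negative lookbehind keeps "envelope-from <...>" from being read as a hop.
FROM_RE = re.compile(r"(?<![\w-])from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


@dataclass
class Hop:
    order: int          # 1 = closest to the sender (bottom Received: line)
    from_host: str      # what the receiving server says it got the mail from
    by_host: str        # the server that wrote this Received: line
    ips: list           # IPv4 addresses found in the clause
    date: str           # timestamp after the final ';'
    trusted: bool = False


def parse_received(value, order):
    """Split one Received: value into the pieces a header reader cares about."""
    value = " ".join(value.split())  # collapse folded whitespace
    if ";" in value:
        clause, date = value.rsplit(";", 1)
    else:
        clause, date = value, ""
    from_m = FROM_RE.search(clause)
    by_m = BY_RE.search(clause)
    return Hop(
        order=order,
        from_host=from_m.group(1) if from_m else "",
        by_host=by_m.group(1) if by_m else "",
        ips=IPV4_RE.findall(clause),
        date=date.strip(),
    )


def trace_hops(raw_message, own_domain):
    """Return the Received: hops in sender-to-recipient order.

    Each relay prepends its own Received: line, so the header list is newest
    first; reversing it gives the path as the mail actually travelled. Only
    lines written by a server under own_domain (hypothetical parameter) are
    marked trusted: everything below them came from the sender's side of the
    path and may be forged.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    for order, value in enumerate(reversed(received), start=1):
        hop = parse_received(value, order)
        hop.trusted = hop.by_host.lower().endswith(own_domain.lower())
        hops.append(hop)
    return hops


def first_public_ip(hops):
    """Walk from the sender side upward and return the first routable address.

    Private (RFC 1918) addresses such as 10.140.188.3 belong to the sending
    provider's internal network and cannot be attributed by a whois lookup;
    the first public address is the one ARIN can actually tell you about.
    """
    for hop in hops:
        for ip in hop.ips:
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None


if __name__ == "__main__":
    # gridserver.com is the receiving side in the sample header.
    hops = trace_hops(SAMPLE_MESSAGE, "gridserver.com")
    for hop in hops:
        flag = "trusted" if hop.trusted else "untrusted"
        print(f"hop {hop.order}: by {hop.by_host or '?'} "
              f"from {hop.from_host or '?'} ips={hop.ips} [{flag}]")
    print("first public IP:", first_public_ip(hops))
```

Running the script prints the four hops in sender-to-recipient order with their trust flag; only the topmost line, written by cl35.gs01.gridserver.com, is marked trusted, which is the point of the warning earlier on the page. The X-Originating-IP shortcut mentioned above is not in the sample header, so the script relies on the Received: walk alone.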
