Sample Message Header:


Return-path: <sender@senderdomain.tld>
Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200
(3) Received: from mailexchanger.recipientdomain.tld ([ccc.ccc.ccc.ccc])
    by mailserver.recipientdomain.tld running ExIM with esmtp
    id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200
(2) Received: from mailserver.senderdomain.tld ([bbb.bbb.bbb.bbb] helo=mailserver.senderdomain.tld)
    by mailexchanger.recipientdomain.tld with esmtp id xxxxxx-xxxxxx-xx
    for recipient@recipientdomain.tld; Wed, 13 Apr 2011 01:39:23 +0200
(1) Received: from senderhostname [aaa.aaa.aaa.aaa] (helo=[senderhostname])
    by mailserver.senderdomain.tld with esmtpa (Exim x.xx)
    (envelope-from <sender@senderdomain.tld>) id xxxxx-xxxxxx-xxxx
    for recipient@recipientdomain.tld; Tue, 12 Apr 2011 20:36:08 -0100
Message-ID: <xxxxxxxx.xxxxxxxx@senderdomain.tld>
Date: Tue, 12 Apr 2011 20:36:01 -0100
X-Mailer: Mail Client
From: Sender Name <sender@senderdomain.tld>
To: Recipient Name <recipient@recipientdomain.tld>
Subject: Message Subject


  • Return-path: The email address which should be used for bounces.
    The mail server will send a message to the specified email address if the message cannot be delivered.
  • Delivery-date: The date the message was delivered
  • Date: The date the message was sent
  • Message-ID: The ID of the message
  • X-Mailer: The mail client (mail program) used to send the message
  • From: The message sender in the format: “Friendly Name” <email@address.tld>
  • To: The message recipient in the format: “Friendly Name” <email@address.tld>
  • Subject: The message subject

The From: line, which contains the sender of the message, can be faked easily, so you should not rely on this information.

The Received: lines contain the routing information, from the sender's computer to the recipient's mail server. Each server adds its line at the top, so the oldest hop is at the bottom.

Let’s take a closer look at the routing information:


(1) Received: from senderhostname [aaa.aaa.aaa.aaa] (helo=[senderhostname])
    by mailserver.senderdomain.tld with esmtpa (Exim x.xx)
    (envelope-from <sender@senderdomain.tld>) id xxxxx-xxxxxx-xxxx
    for recipient@recipientdomain.tld; Tue, 12 Apr 2011 20:36:08 -0100


(1) The message was sent from the sender's computer with the IP address aaa.aaa.aaa.aaa to the sender's mail server. In many cases the sender IP aaa.aaa.aaa.aaa is a dynamic IP address, e.g. DSL. The IP address reveals a lot of information about the sender, the sender's location and the provider.


(2) Received: from mailserver.senderdomain.tld ([bbb.bbb.bbb.bbb] helo=mailserver.senderdomain.tld)
    by mailexchanger.recipientdomain.tld with esmtp
    id xxxxxx-xxxxxx-xx


(2) The message was transferred from the sender's mail server with the IP address bbb.bbb.bbb.bbb to the recipient's mail exchanger. The mail exchanger is the mail server which accepts incoming messages for a domain.


(3) Received: from mailexchanger.recipientdomain.tld ([ccc.ccc.ccc.ccc])
    by mailserver.recipientdomain.tld running ExIM with esmtp
    id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200


(3) The message was finally received by the recipient's mail server from the recipient's mail exchanger ccc.ccc.ccc.ccc.

This is only a sample, which should show the principles. The message routing can contain many more steps, depending on the mail provider used. It should always be possible to see the sender computer IP address aaa.aaa.aaa.aaa and the sender mail server bbb.bbb.bbb.bbb, if the message was sent from a mail client on a client computer. If the message was sent from a webmail client, then the real IP address of the sender is not included – in this case aaa.aaa.aaa.aaa (if any) will be the IP address of the webmail server.

Some might try to fake the routing information, but your mail server should give you a warning that something is not correct during the transfer from the sender mail server bbb.bbb.bbb.bbb to the recipient mail exchanger ccc.ccc.ccc.ccc.
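The routing walk-through and the forgery check above, as an added Python example (not part of the original page). It lists the Received hops oldest first, flags places where the chain does not connect, and picks out the first hop recorded by your own servers. The documentation IP addresses, the function names and the own_domain parameter are assumptions made for this sample.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header above; RFC 5737 documentation
# addresses stand in for aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb and ccc.ccc.ccc.ccc.
RAW = """\
Return-path: <sender@senderdomain.tld>
Received: from mailexchanger.recipientdomain.tld ([203.0.113.30])
 by mailserver.recipientdomain.tld running ExIM with esmtp
 id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200
Received: from mailserver.senderdomain.tld ([198.51.100.20] helo=mailserver.senderdomain.tld)
 by mailexchanger.recipientdomain.tld with esmtp id xxxxxx-xxxxxx-xx
 for recipient@recipientdomain.tld; Wed, 13 Apr 2011 01:39:23 +0200
Received: from senderhostname [192.0.2.10] (helo=[senderhostname])
 by mailserver.senderdomain.tld with esmtpa (Exim x.xx)
 (envelope-from <sender@senderdomain.tld>) id xxxxx-xxxxxx-xxxx
 for recipient@recipientdomain.tld; Tue, 12 Apr 2011 20:36:08 -0100
From: Sender Name <sender@senderdomain.tld>
Subject: Message Subject

body
"""

# "from" is the name the peer claimed; the bracketed IP is what the receiver saw.
HOP = re.compile(r"from\s+(?P<frm>[^\s(\[]+).*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
                 r".*?\bby\s+(?P<by>\S+)", re.S)

def received_hops(raw):
    """Return hops oldest first: each server prepends its line, so reverse them."""
    values = message_from_string(raw).get_all("Received", [])
    matches = (HOP.search(v) for v in reversed(values))
    return [{"from": m["frm"], "ip": m["ip"], "by": m["by"]} for m in matches if m]

def chain_breaks(hops):
    """Indexes of hops whose claimed sender is not the host that wrote the
    previous line. A mismatch is a reason to look closer, not proof of forgery."""
    return [i for i in range(1, len(hops)) if hops[i]["from"] != hops[i - 1]["by"]]

def boundary_hop(hops, own_domain):
    """First line written by a server in own_domain: the oldest hop you can
    trust, since everything before it was supplied by the sending side."""
    mine = [h for h in hops if h["by"].lower().endswith("." + own_domain)]
    return mine[0] if mine else None

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW), 1):
        print(f"({n}) {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("breaks:", chain_breaks(received_hops(RAW)))
    print("boundary:", boundary_hop(received_hops(RAW), "recipientdomain.tld"))
```

The boundary hop is the line written by the recipient mail exchanger, so its bracketed IP (bbb.bbb.bbb.bbb in the sample) is the address to rely on; every Received line older than it was supplied by the sending side.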

You can also use the following online tool to help analyze your email headers.