This article provides you with information regarding email headers.

What is the value of the Internet Email Header?

Here are few reasons it may be necessary to review the headers:

  • Investigate possible Spoofing and determine the source of the message.
  • Analyze timestamps along the delivery route and identify the source of any delay.
  • Test any of the mail servers in the path to see if they are on a blacklist.
  • Review Spam Assassin score.
  • Determine if the message was routed through a filtering server prior to arrival.

What is a header?

The header is a section of code that contains information about from where the e-mail came and how the message reached its destination. Headers will contain the e-mail address of the originator and/or the computer the perpetrator/sender was using.

Here is what the typical Internet email header looks like. What you are looking for in the header is the IP address, sometimes conveniently identified as the "Originating IP". We can trace to the Internet service provider (ISP) with the date and time of the offending e-mail using the IP address of the sender's computer. The IP addresses in the example below are shown in bold font.

            Delivery-date: Wed, 02 Apr 2014 15:06:11 -0600
            Received: from [] (port=36531
                by with esmtps (TLSv1:RC4-SHA:128)
                (Exim 4.82)
                (envelope-from )
                id 1WVSMM-0003oR-Ny
                for; Wed, 02 Apr 2014 15:06:10 -0600
            Received: from ([])
                by with esmtps (TLSv1:RC4-SHA:128)
                (Exim 4.82)
                (envelope-from )
                id 1WVSMJ-00049k-3X
                for; Wed, 02 Apr 2014 23:06:10 +0200
            Received: by with SMTP id uq10so212231igb.2
                    for ; Wed, 02 Apr 2014 14:06:02 -0700 (PDT)
            DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
          ; s=20120113;
            MIME-Version: 1.0
            X-Received: by with SMTP id c3mr2836464icp.28.1396472762166; Wed,
             02 Apr 2014 14:06:02 -0700 (PDT)
            Received: by with HTTP; Wed, 2 Apr 2014 14:06:02 -0700 (PDT)
            Date: Wed, 2 Apr 2014 15:06:02 -0600
            Subject: I can haz headers
            From: blu Tutorials
            Content-Type: multipart/alternative; boundary=20cf302075e4ed71d604f615a6cd
            Received-SPF: pass ( domain of designates as permitted sender) client-ip=;;;
            X-SPF-Result: domain of designates as permitted sender
            X-Filter-ID: XtLePq6GTMn8G68F0EmQveOvoFo7+04sHaU+aQGjobYi0opp2x9AytcIxrAv/iEuaWmMHd4i6wCz
            Authentication-Results:; spf=pass
            Authentication-Results:; dkim=pass
            X-Spampanel-Class: unsure
            X-Spampanel-Evidence: Combined (0.15)
            X-Recommended-Action: accept
            X-Identified-User: {} {sentby:Delivered locally}

Which of the IP addresses above should you trace? Usually, the originating IP (in this case, is either called that, and/or is closer to the bottom of the stack, nearer to the actual body of the message.

INFO: A tool that can assist you in analyzing email headers can be found here.

TIP: Should you require more information regrading emails please check out our Email Category. Alternatively you may contact our Support Center by clicking here.