This article provides you with information regarding email headers.



What is the value of the Internet Email Header?

Here are few reasons it may be necessary to review the headers:

  • Investigate possible Spoofing and determine the source of the message.
  • Analyze timestamps along the delivery route and identify the source of any delay.
  • Test any of the mail servers in the path to see if they are on a blacklist.
  • Review Spam Assassin score.
  • Determine if the message was routed through a filtering server prior to arrival.



What is a header?

The header is a section of code that contains information about from where the e-mail came and how the message reached its destination. Headers will contain the e-mail address of the originator and/or the computer the perpetrator/sender was using.

Here is what the typical Internet email header looks like. What you are looking for in the header is the IP address, sometimes conveniently identified as the "Originating IP". We can trace to the Internet service provider (ISP) with the date and time of the offending e-mail using the IP address of the sender's computer. The IP addresses in the example below are shown in bold font.

            Return-path: 
            Envelope-to: [email protected]
            Delivery-date: Wed, 02 Apr 2014 15:06:11 -0600
            Received: from [46.165.209.232] (port=36531 helo=delivery.antispamcloud.com)
                by box309.hd.com with esmtps (TLSv1:RC4-SHA:128)
                (Exim 4.82)
                (envelope-from )
                id 1WVSMM-0003oR-Ny
                for [email protected]; Wed, 02 Apr 2014 15:06:10 -0600
            Received: from mail-ig0-f195.google.com ([209.85.210.117])
                by mx7.antispamcloud.com with esmtps (TLSv1:RC4-SHA:128)
                (Exim 4.82)
                (envelope-from )
                id 1WVSMJ-00049k-3X
                for [email protected]; Wed, 02 Apr 2014 23:06:10 +0200
            Received: by mail-ig0-f195.google.com with SMTP id uq10so212231igb.2
                    for ; Wed, 02 Apr 2014 14:06:02 -0700 (PDT)
            DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
                    d=gmail.com; s=20120113;
                    h=mime-version:date:message-id:subject:from:to:content-type;
                   bhbhovkRL3Im017b5m7rMRTWVa1olgzE1U+yr8FXykLSM=;
                    b=I9n1lRLh2EbEic44CPWv6doKf6m9+z1G9tVmowbugj99p5jn5ImorW2oBqZ1BRbOFD
                     3CnQkj7koUZfajma0Q0bbjJFB27CHfIMKvFLzOeWjeLP2bu3Z5X/d+lmCdFMSG8FQBoO
                     c2Pz5n0d85zQyxkzy4lvL4D5kVevuJ5n+s7y6nCZTpYw1iwtQciGgr8XO77wGJq0S2FY
                     WZC7jqB5c3CmpT8EytMEJwsH3UQAD7hxYq3FZHL7Ici89x8vDG/ZNQOla9TsfSrmC9qO
                     mMLFWCZs1A1Hfe2gwOxBpRXgAqxf1/hlFfAf0CIIRTcD/03kSaWB7L/lPy++CTvkzpbB
                     Ro4A==
            MIME-Version: 1.0
            X-Received: by 10.42.107.67 with SMTP id c3mr2836464icp.28.1396472762166; Wed,
             02 Apr 2014 14:06:02 -0700 (PDT)
            Received: by 10.50.216.193 with HTTP; Wed, 2 Apr 2014 14:06:02 -0700 (PDT)
            Date: Wed, 2 Apr 2014 15:06:02 -0600
            Message-ID: 
            Subject: I can haz headers
            From: blu Tutorials
            To: [email protected]
            Content-Type: multipart/alternative; boundary=20cf302075e4ed71d604f615a6cd
            Received-SPF: pass (mx7.antispamcloud.com: domain of gmail.com designates 209.85.213.195 as permitted sender) client-ip=209.85.213.195; [email protected]; helo=mail-ig0-f195.google.com;
            X-SPF-Result: mx7.antispamcloud.com: domain of gmail.com designates 209.85.213.195 as permitted sender
            X-Filter-ID: XtLePq6GTMn8G68F0EmQveOvoFo7+04sHaU+aQGjobYi0opp2x9AytcIxrAv/iEuaWmMHd4i6wCz
             ASsx7ILyBvmrHcqsgpX6d4SIG6yP47bDMFgiN2el8cbE99y5VERdERWeKKG4PAQYNyavp7c49C7S
             5JHQ4xOsiG8cGbGY8Ju2qts0ILWtXEEZmkE2vLlbG/45LuYWJsWNKzGzAznZ/oq+Kj8XsfH6M1iC
             r9Pl7cS2FeLaw8TKFNoyhNvcmkCU2LIKoGx11NpkPoCtYTihVFvHjmVhGT2LR+SRHRnJSjexOaDD
             7DhwsYoQmALxTDsg5YE5enyccp7RH4WQio3uGcdGxQ6d5hivGO7oPpIBNraJdlCnvQ+khpxZdnh3
             Rg+eq6FYx9JcxaWalMnLitersKkGD1ysZpHhKaUh/7HiGlCtDNmfymkhdU0FFLdsJzH+bncTWq+l
             t2yLUdZkS4XDsBY2SdcAejSFbwPMuc/8+8bnfBK8XMz156Rrx4gJt1rfVwqJrV8TZUiWxNy0V2Qu
             LFYFvf25LVONYbYifH5OzZDcKP8EIfERgwZdrj+yX3bZ9HVqUY3tkBcsuKQ2aA7N/8zfymEUbuPk
             n06aNthuTeE=
            Authentication-Results: antispamcloud.com; spf=pass [email protected]
            Authentication-Results: antispamcloud.com; dkim=pass header.i=gmail.com
            X-Spampanel-Class: unsure
            X-Spampanel-Evidence: Combined (0.15)
            X-Recommended-Action: accept
            X-Identified-User: {0000:box309.okhost.com:local:local} {sentby:Delivered locally}
            

Which of the IP addresses above should you trace? Usually, the originating IP (in this case, 209.85.210.177) is either called that, and/or is closer to the bottom of the stack, nearer to the actual body of the message.



INFO: A tool that can assist you in analyzing email headers can be found here.


TIP: Should you require more information regrading emails please check out our Email Category. Alternatively you may contact our Support Center by clicking here.