Understanding an Email Header

Sometimes when troubleshooting email delivery you will need to analyze the mail header to figure out what went wrong when you sent or received that message. We created this guide to help you understand what the contents of an email header mean.

Let’s begin!

How to view an Email Header

If you aren’t familiar with how to view an email header, review our Knowledgebase Article on the topic here.

What Does an Email Header Look Like?

Let’s take a look at the headers on this message I recently received from Cloudflare:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from rs2-dal.serverhostgroup.com
	by rs2-dal.serverhostgroup.com with LMTP
	id ABlRGJN+kWCfFAAArSgKyQ
	(envelope-from <[email protected]>)
	for <[email protected]>; Tue, 04 May 2021 13:04:19 -0400
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 04 May 2021 13:04:19 -0400
Received: from bounce.cloudflare.com ([192.28.154.211]:54889)
	by rs2-dal.serverhostgroup.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94)
	(envelope-from <[email protected]>)
	id 1ldySt-0001O7-P9
	for [email protected]; Tue, 04 May 2021 13:04:19 -0400
X-MSFBL: 6L1whzPBe2O1M048olaxQrdKp6aBuU0YeoW35BFNjh0=|eyJnIjoiYmctYWJkLTg
	0NCIsInIiOiJhZG1pbkBjY2hvc3RpbmdkZW1vcy5jb20iLCJiIjoiZHZwLTE5Mi0
	yOC0xNTQtMjExIiwidSI6IjcxMy1YU0MtOTE4OjA6Mzg1NTU6MzA1MzQ0Ojc5MjY
	1Njo0NzgzNDo5OjUyMzY3OToyMjAxMDI1OTYifQ==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1620147046;
	s=m1; d=cloudflare.com; [email protected];
	h=Content-Type:MIME-Version:Subject:To:From:Date;
	bh=9+V8RW6CdzfUNkIQW13NlUs0bkYglkEFbfyw+sOKgqU=;
	b=NPdi1tqYkPC4q9I4XA67LcScLhrJb374W6zqGfc6ppasZjGj5TD9hho/O2kfuztl
	r+57DIhzQ928o256pyMje7Y3MKHeMyNtCPYSDKGycs3OXre5fZbhdWihJo1NO6rE1aP
	zlhL47Q4WpmJq19LznC8gOu/6WWmYayhfmT632QI=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1620147046;
	s=m1; d=mktdns.com; [email protected];
	h=Content-Type:MIME-Version:Subject:To:From:Date;
	bh=9+V8RW6CdzfUNkIQW13NlUs0bkYglkEFbfyw+sOKgqU=;
	b=XEryQBzICTRY/D+UQYyeMT4/Vy5p0QzHli0ldrUnEcFl3Loh03KBSkxHD+2pg9vu
	SGP+ZruN/4AF2IVN5KvhjBJiLV02KWTR/BQwhZmuSTSrN5hToMgWUL5sSrOSQ43BuzP
	KIRx9bBWgr7NNjHoUxABqLTQ/QE47bTtyfo0NN/A=
Date: Tue, 4 May 2021 11:50:46 -0500 (CDT)
From: Cloudflare <[email protected]>
Reply-To: [email protected]
To: [email protected]
Message-ID: <[email protected]>
Subject: 5.41 MB of data transferred in    April
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_12477951_36658994.1620147046127"
X-Binding: bg-abd-844
List-Unsubscribe: <mailto:NVBDA6K7IZ5GINLONM3G6VK2PBHGSTSINRDXQYSSJVBUUUTQGJWVQQKDORYFQT3UMZYXOPI=.523679.47834.9@unsub-ab.mktomail.com>
X-PVIQ: mkto-713XSC918-000001-000000-523679
X-MarketoID: 713-XSC-918:0:38555:305344:792656:47834:9:523679:220102596
X-Mailfrom: [email protected]
X-MktArchive: false
X-MSYS-API: {"options":{"open_tracking":false,"click_tracking":false}}
X-MktMailDKIM: true
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "rs2-dal.serverhostgroup.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  You can also view this email as a webpage <[[https://info.cloudflare.com/index.php/email/emailWebview?mkt_tok=NzEzLVhTQy05MTgAAAF810K22Dj-YRMGqmyLOV3MQgBYYP7lommWfZEn6cu5rDzE4cdkiXFsQrQGEsN6sk8rzdn7QI
    [...] 
 Content analysis details:   (-0.2 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: cloudflare.com]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                             identical to background
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
  0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
                             Colors in HTML
X-Spam-Flag: NO

------=_Part_12477951_36658994.1620147046127
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

How To Analyze an Email Header

Important:

Keep in mind when reading an email header that EVERY LINE can be forged, so only the Received: lines that are created by the server or the computer should be trusted.

From

  • This displays who sent the message. However, it can be easily forged and can be the least reliable.

Subject

  • This is what the sender placed as a topic of the email message.

Date

  • This shows the date and time the email message was composed.

To

  • This shows to whom the message was addressed, but may not contain the recipient’s address.

Return-Path

  • The email address for return mail. This is the same as “Reply-To:”.

Envelope-To

  • This header shows that this email was delivered to the mailbox of a subscriber whose email address is admin @ chcostingdemos . com.

Delivery Date

  • This shows the date and time at which the email was received by your mail server or client.

Received

  • The Received lines are the most important part of the email header and are usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you.
  • The Received lines are best read from bottom to top.
    • That is, the first “Received:” line is your own system or mail server.
    • The last “Received:” line is where the mail originated.
    • Each mail system has its own style of “Received:” line.
    • A “Received:” line typically identifies the server that received the mail and the server from which the mail was received.

Dkim-Signature & Domainkey-Signature

  • This indicates whether the domain key identifiers have been validated, to ensure that a server that signs for this domain truly sent this message.

Message-id

  • A unique string assigned by the mail system when the message is first created. These can easily be forged.

Mime-Version

  • Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email. There are various MIME differentiators that could be attached, such as S/MIME, which uses PGP signing to encrypt a message.

Content-Type

  • Generally, this will tell you the format of the message, such as html or plaintext.

X-Spam-Status

  • Displays a spam score created by your service or mail client.

X-Spam-Level

  • Displays a spam score usually created by your service or mail client.

Message Body

  • This is the actual content of the email itself, written by the sender.

Finding The Original Sender

The easiest way to find the original sender is to look for the X-Originating-IP header.

This header is important since it tells you the IP address of the computer that sent the email.

If you cannot find the X-Originating-IP header, then you will have to sift through the Received headers to find the sender’s IP address. In the headers above, that IP address is 192.28.154.211.

Once the email sender’s IP address is found, you can search for it at ARIN.

You should now be given results letting you know to which ISP (Internet Service Provider) or webhost the IP address belongs. Now, if you are tracking a spam email, you can send a complaint to the owner of the originating IP address. Be sure to include all the headers of the email when filing a complaint.
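The Received-line reading and sender-IP lookup described above, as an added Python example (not part of the original article). The header text is a constructed sample modeled on the article's headers with an invented third hop, and `received_hops`, `handoff_to_us` and the `our_servers` set are hypothetical names; the function finds the hop where your own server accepted the message, which is the Received line whose IP address you can rely on.

```python
import re
from email import message_from_string

# Constructed sample: the first two Received lines mirror the article's headers
# (addresses replaced with example.com); the third is an invented hop of the kind
# that can already be in a message before it reaches your server.
SAMPLE = """\
Received: from rs2-dal.serverhostgroup.com
\tby rs2-dal.serverhostgroup.com with LMTP
\tfor <admin@example.com>; Tue, 04 May 2021 13:04:19 -0400
Received: from bounce.cloudflare.com ([192.28.154.211]:54889)
\tby rs2-dal.serverhostgroup.com with esmtps (TLS1.2)
\t(Exim 4.94)
\tfor admin@example.com; Tue, 04 May 2021 13:04:19 -0400
Received: from mail.bank.example ([203.0.113.9])
\tby relay.invalid with SMTP; Tue, 04 May 2021 12:00:00 -0400
From: Sender <sender@example.com>
Subject: constructed test message

body
"""

# "from <host> (... [ip] ...) ... by <host>"; the bracketed IP is optional.
HOP = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\([^)\[]*\[(?P<ip>[0-9A-Fa-f.:]+)\][^)]*\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)

def received_hops(raw):
    """Parse every Received header, newest first (top of the header block first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def handoff_to_us(raw, our_servers):
    """Return (index, hop) for the hop where one of our servers accepted the
    message from an outside host. Hops below it were written before the message
    reached us and cannot be verified. Returns None if no such hop exists."""
    for i, hop in enumerate(received_hops(raw)):
        if hop["by"] not in our_servers:
            break                      # line not written by a server we control
        if hop["from"] not in our_servers:
            return i, hop              # boundary: outside host -> our server
    return None

if __name__ == "__main__":
    print(handoff_to_us(SAMPLE, {"rs2-dal.serverhostgroup.com"}))
```

Pass the hostnames of your own mail servers as `our_servers`; the `ip` of the returned hop is the address to look up at ARIN, and any Received lines after that index should be treated as unverified.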

Updated on May 12, 2021