{"id":5407,"date":"2021-05-12T11:36:44","date_gmt":"2021-05-12T11:36:44","guid":{"rendered":"https:\/\/chemicloud.com\/kb\/?post_type=ht_kb&p=5407"},"modified":"2021-05-12T11:36:44","modified_gmt":"2021-05-12T11:36:44","slug":"understanding-an-email-header","status":"publish","type":"ht_kb","link":"https:\/\/chemicloud.com\/kb\/article\/understanding-an-email-header\/","title":{"rendered":"Understanding an Email Header"},"content":{"rendered":"

Sometimes when troubleshooting email delivery you will need to analyze the mail header to figure out what went wrong when you sent or received that message. We created this guide to help you understand what the contents of an email header mean.<\/p>\n

Let’s begin!<\/p>\n

How to view an Email Header<\/h2>\n

If you aren’t familiar with how to view an email header, review our Knowledgebase Article on the topic here<\/a>.<\/p>\n

What’s an Email Header Look Like?<\/p>\n

Let’s take a look at the headers on this message I recently received from Cloudflare:<\/p>\n

Return-Path: <713-XSC-918.0.523679.0.0.47834.9.220102596@bounce.cloudflare.com>\r\nDelivered-To: admin@cchostingdemos.com\r\nReceived: from rs2-dal.serverhostgroup.com\r\n\tby rs2-dal.serverhostgroup.com with LMTP\r\n\tid ABlRGJN+kWCfFAAArSgKyQ\r\n\t(envelope-from <713-XSC-918.0.523679.0.0.47834.9.220102596@bounce.cloudflare.com>)\r\n\tfor <admin@cchostingdemos.com>; Tue, 04 May 2021 13:04:19 -0400\r\nReturn-path: <713-XSC-918.0.523679.0.0.47834.9.220102596@bounce.cloudflare.com>\r\nEnvelope-to: admin@cchostingdemos.com\r\nDelivery-date: Tue, 04 May 2021 13:04:19 -0400\r\nReceived: from bounce.cloudflare.com ([192.28.154.211]:54889)\r\n\tby rs2-dal.serverhostgroup.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\r\n\t(Exim 4.94)\r\n\t(envelope-from <713-XSC-918.0.523679.0.0.47834.9.220102596@bounce.cloudflare.com>)\r\n\tid 1ldySt-0001O7-P9\r\n\tfor admin@cchostingdemos.com; Tue, 04 May 2021 13:04:19 -0400\r\nX-MSFBL: 6L1whzPBe2O1M048olaxQrdKp6aBuU0YeoW35BFNjh0=|eyJnIjoiYmctYWJkLTg\r\n\t0NCIsInIiOiJhZG1pbkBjY2hvc3RpbmdkZW1vcy5jb20iLCJiIjoiZHZwLTE5Mi0\r\n\tyOC0xNTQtMjExIiwidSI6IjcxMy1YU0MtOTE4OjA6Mzg1NTU6MzA1MzQ0Ojc5MjY\r\n\t1Njo0NzgzNDo5OjUyMzY3OToyMjAxMDI1OTYifQ==\r\nDKIM-Signature: v=1; a=rsa-sha256; q=dns\/txt; c=relaxed\/relaxed; t=1620147046;\r\n\ts=m1; d=cloudflare.com; i=@cloudflare.com;\r\n\th=Content-Type:MIME-Version:Subject:To:From:Date;\r\n\tbh=9+V8RW6CdzfUNkIQW13NlUs0bkYglkEFbfyw+sOKgqU=;\r\n\tb=NPdi1tqYkPC4q9I4XA67LcScLhrJb374W6zqGfc6ppasZjGj5TD9hho\/O2kfuztl\r\n\tr+57DIhzQ928o256pyMje7Y3MKHeMyNtCPYSDKGycs3OXre5fZbhdWihJo1NO6rE1aP\r\n\tzlhL47Q4WpmJq19LznC8gOu\/6WWmYayhfmT632QI=\r\nDKIM-Signature: v=1; a=rsa-sha256; q=dns\/txt; c=relaxed\/relaxed; t=1620147046;\r\n\ts=m1; d=mktdns.com; i=@mktdns.com;\r\n\th=Content-Type:MIME-Version:Subject:To:From:Date;\r\n\tbh=9+V8RW6CdzfUNkIQW13NlUs0bkYglkEFbfyw+sOKgqU=;\r\n\tb=XEryQBzICTRY\/D+UQYyeMT4\/Vy5p0QzHli0ldrUnEcFl3Loh03KBSkxHD+2pg9vu\r\n\tSGP+ZruN\/4AF2IVN5KvhjBJiLV02KWTR\/BQwhZmuSTSrN5hToMgWUL5sSrOSQ43BuzP\r\n\tKIRx9bBWgr7NNjHoUxABqLTQ\/QE47bTtyfo0NN\/A=\r\nDate: Tue, 4 May 2021 11:50:46 -0500 (CDT)\r\nFrom: Cloudflare <newsletter@cloudflare.com>\r\nReply-To: newsletter@cloudflare.com\r\nTo: admin@cchostingdemos.com\r\nMessage-ID: <388175313.12477952.1620147046128@abmktmail-batch1e.marketo.org>\r\nSubject: 5.41 MB of data transferred in    April\r\nMIME-Version: 1.0\r\nContent-Type: multipart\/alternative; \r\n\tboundary=\"----=_Part_12477951_36658994.1620147046127\"\r\nX-Binding: bg-abd-844\r\nList-Unsubscribe: <mailto:NVBDA6K7IZ5GINLONM3G6VK2PBHGSTSINRDXQYSSJVBUUUTQGJWVQQKDORYFQT3UMZYXOPI=.523679.47834.9@unsub-ab.mktomail.com>\r\nX-PVIQ: mkto-713XSC918-000001-000000-523679\r\nX-MarketoID: 713-XSC-918:0:38555:305344:792656:47834:9:523679:220102596\r\nX-Mailfrom: 713-XSC-918.0.523679.0.0.47834.9.220102596@bounce.cloudflare.com\r\nX-MktArchive: false\r\nX-MSYS-API: {\"options\":{\"open_tracking\":false,\"click_tracking\":false}}\r\nX-MktMailDKIM: true\r\nX-Spam-Status: No, score=-0.2\r\nX-Spam-Score: -1\r\nX-Spam-Bar: \/\r\nX-Ham-Report: Spam detection software, running on the system \"rs2-dal.serverhostgroup.com\",\r\n has NOT identified this incoming email as spam.  The original\r\n message has been attached to this so you can view it or label\r\n similar future email.  If you have any questions, see\r\n root\\@localhost for details.\r\n Content preview:  You can also view this email as a webpage <[[https:\/\/info.cloudflare.com\/index.php\/email\/emailWebview?mkt_tok=NzEzLVhTQy05MTgAAAF810K22Dj-YRMGqmyLOV3MQgBYYP7lommWfZEn6cu5rDzE4cdkiXFsQrQGEsN6sk8rzdn7QI\r\n    [...] \r\n Content analysis details:   (-0.2 points, 5.0 required)\r\n  pts rule name              description\r\n ---- ---------------------- --------------------------------------------------\r\n  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was\r\n                             blocked.  See\r\n                             http:\/\/wiki.apache.org\/spamassassin\/DnsBlocklists#dnsbl-block\r\n                              for more information.\r\n                             [URIs: cloudflare.com]\r\n -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record\r\n -0.0 SPF_PASS               SPF: sender matches SPF record\r\n  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or\r\n                             identical to background\r\n  0.0 HTML_MESSAGE           BODY: HTML included in message\r\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\r\n                             envelope-from domain\r\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature\r\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily\r\n                             valid\r\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\r\n                             author's domain\r\n  0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted\r\n                             Colors in HTML\r\nX-Spam-Flag: NO\r\n\r\n------=_Part_12477951_36658994.1620147046127\r\nContent-Type: text\/plain; charset=UTF-8\r\nContent-Transfer-Encoding: quoted-printable<\/pre>\n
How To Analyze an Email Header<\/h2>\n
\n    \t\t
\r\n    \t\t\tImportant:<\/span>    \t\t\t    \t\t\t\t
\r\n    \t\t\t\t\tKeep in mind when reading an email header, EVERY LINE can be forged. So only the Received: lines that are created by the server or the computer should be trusted.     \t\t\t\t<\/p>\r\n    \t\t\t    \t\t\t\r\n    \t\t<\/div>\r\n    \t\t\n<\/div>\n
From<\/h3>\n