Email headers contain the technical details of a message: who sent it, the software used to compose it, the servers it travelled through, and the authentication results at each hop. This article explains the headers you are most likely to see and which ones are reliable enough to trust when investigating a problem.
Note: To learn how to extract the full headers from your email client, see Viewing Email Message Headers.
Partial headers vs. full headers
The fields you see in your everyday inbox view (From, To, Subject, Date, Reply-To, CC, and BCC) are called partial headers. They are the most important fields for normal use.
The full headers include all of those fields plus the technical metadata added by every mail server that handled the message. Full headers are what you need when troubleshooting delivery problems or investigating a suspicious message.
Warning: Almost every header field can be forged. The only fields you should trust completely are the Received lines added by your own mail server or computer, because those are written by systems you control.
Finding the original sender
The fastest way to find who really sent a message is to look for the X-Originating-IP header, which records the IP address of the computer that submitted the message. If X-Originating-IP is not present, you can find the originating IP by reading the Received headers from bottom to top. Because X-Originating-IP is added before the message reaches your own server, it is subject to the same forgery warning as every other header, so confirm it against the lowest Received entry.
Common header fields
The table below explains the most useful headers and how much you can trust each one.
| Header | What it shows | Trust level |
|---|---|---|
| From | The sender's display name and address as the sender claims it. | Low. Easily forged. |
| To | The address(es) the message was sent to. May not include the actual recipient when BCC or aliases are used. | Low to medium. |
| Subject | The topic the sender chose for the message. | Low. Sender-supplied. |
| Date | The date and time the sender's client recorded when composing the message. | Low. Set by the sender's client. |
| Return-Path | The address used for bounces and delivery notifications. Often the same as Reply-To. | Medium. Tied to SPF checks. |
| Envelope-To | The mailbox the message was actually delivered to, which is useful when forwarding is involved. | High. Set by your server. |
| Delivery-Date | The date and time your mail server received the message. | High. Set by your server. |
| Received | A chain of entries, one for every server that handled the message. Read bottom to top. The bottom entry is closest to the original sender; the top entry is your own server. | High for entries from servers you control; lower for entries from servers you don't. |
| Message-ID | A unique string the sending mail system assigns when the message is created. | Low. Can be forged. |
| MIME-Version | Indicates the message uses Multipurpose Internet Mail Extensions for formatting and attachments. | Informational. |
| Content-Type | The format of the body, for example, text/html or text/plain. | Informational. |
| X-Originating-IP | The IP address of the device that submitted the message. | High when present, because the sending server adds it. |
| X-Spam-Status | The spam scan result added by your mail server. | High. Set by your server. |
| X-Spam-Level | The numeric spam score assigned by your mail server. | High. Set by your server. |
| X-HE-DKIM-Result | The DKIM validation result on Hosted Email, such as pass, fail, or none. | High. Set by Hosted Email. |
| Received-SPF | The SPF check result and the IP address the message was received from. | High. Set by your server. |
Reading the Received headers
The Received chain is the most useful part of any header for tracing a message:
- Read from the bottom up. The bottommost Received entry was added first, by the server closest to the sender.
- The topmost entry is your own server. This is the last hop before the message reached your mailbox.
- Each entry shows which host handed the message over (the "from" part) and which host accepted it (the "by" part). Compare those IPs and hostnames against what the From header claims.
- Watch for gaps. If the chain jumps between unrelated networks, the message may have been relayed in a suspicious way.
Spotting a suspicious message
When you suspect a message is spam, phishing, or spoofed, the headers usually give you enough to decide. Look for:
- A From address that doesn't match the Received chain. If the message claims to be from your own domain but the lowest Received entry is from an unrelated IP, the From address is forged.
- A failed SPF or DKIM result. Check the Received-SPF and X-HE-DKIM-Result headers.
- A mismatched Reply-To address. Phishing messages often use a Reply-To that differs from the From address.
- An unfamiliar X-Originating-IP. Run the IP through a reverse lookup to see who owns it.
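The script below is an added example, not part of this article and not Exact Hosting's own tooling. It applies the checks listed above, together with the bottom-to-top Received reading from the previous two sections, to a constructed set of full headers. The hostnames, IP addresses, mailbox names and the Received-SPF and X-HE-DKIM-Result values in the sample are made up for illustration; the script assumes Received lines follow the usual "from <host> (...) by <host>" shape and that X-HE-DKIM-Result is a single word such as pass, fail or none. The reverse lookup of the originating IP is left to the reader because it needs network access; instead the script cross-checks X-Originating-IP against the lowest Received hop.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers for a hypothetical spoofed message (not a real capture).
# Received lines appear top (your own server) to bottom (closest to the sender),
# exactly as a full-header view shows them.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Delivery-Date: Mon, 03 Jun 2024 09:15:02 +0000
Received: from mx.example.com (mx.example.com [203.0.113.10])
    by mail.example.com with ESMTPS id abc123
    for <alice@example.com>; Mon, 03 Jun 2024 09:15:01 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
    by mx.example.com with ESMTP id def456;
    Mon, 03 Jun 2024 09:14:58 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by mailer.example.net with SMTP id ghi789;
    Mon, 03 Jun 2024 09:14:50 +0000
Received-SPF: fail (mx.example.com: domain of example.com does not designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7
X-HE-DKIM-Result: none
X-Originating-IP: 192.0.2.55
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-reset@example.org
To: alice@example.com
Subject: Password expires today
Message-ID: <20240603091450.ghi789@mailer.example.net>

"""

# "from <host> (...) by <host>" is the common shape of a Received line (assumed here).
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\([^)]*\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def unfold(value):
    """Collapse a folded (multi-line) header value into one line."""
    return " ".join(str(value or "").split())


def parse_received_chain(msg):
    """Return the Received hops oldest-first, i.e. bottom of the headers first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = unfold(raw)
        m = RECEIVED_RE.search(value)
        ip = IPV4_RE.search(value)
        hops.append({
            "from": m.group("from").strip("[]").lower() if m else "",
            "by": m.group("by").lower() if m else "",
            "ip": ip.group(0) if ip else "",
        })
    return hops


def domain_of(header_value):
    """Domain part of the address in a From or Reply-To header ('' if absent)."""
    _, addr = parseaddr(unfold(header_value))
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True when host is the domain itself or a host inside it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw_headers):
    """Apply the article's checks to a full-header block and return the findings."""
    msg = email.message_from_string(raw_headers)
    hops = parse_received_chain(msg)
    origin = hops[0] if hops else {"from": "", "by": "", "ip": ""}
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    spf_words = unfold(msg.get("Received-SPF")).split()
    spf = spf_words[0].lower() if spf_words else "none"
    dkim = unfold(msg.get("X-HE-DKIM-Result")).lower() or "none"
    orig_ip = unfold(msg.get("X-Originating-IP")).strip("[]")

    findings = []
    # 1. From domain vs. the lowest Received hop (a forged From address).
    if hops and not in_domain(origin["from"], from_domain):
        findings.append(f"From domain '{from_domain}' does not match the origin hop "
                        f"{origin['from']} ({origin['ip']})")
    # 2. Failed authentication results, which your own server adds.
    if spf in ("fail", "softfail"):
        findings.append(f"Received-SPF reports {spf}")
    if dkim == "fail":
        findings.append("X-HE-DKIM-Result reports fail")
    # 3. Reply-To pointing at a different domain than From.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    # 4. X-Originating-IP can be forged, so it should agree with the origin hop.
    if orig_ip and hops and orig_ip != origin["ip"]:
        findings.append(f"X-Originating-IP {orig_ip} disagrees with origin hop IP {origin['ip']}")

    return {"hops": hops, "origin_ip": origin["ip"] or orig_ip, "spf": spf,
            "dkim": dkim, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    for finding in report["findings"]:
        print("!!", finding)
```

On the sample, the script reports three findings: the From domain (example.com) does not match the lowest Received hop (192.0.2.55), Received-SPF reports fail, and Reply-To points at a different domain than From. The hop list it prints runs from the sender's side to your own server, which is the reading order the article recommends. To use it on a real message, paste the full headers from your client into the string in place of the sample.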
Next steps
- Retrieve the headers from your client. See Viewing Email Message Headers.
- Investigate spoofing or compromise. See Am I Being Spoofed or Has My Email Been Compromised?
- Troubleshoot delivery problems. See Troubleshooting Spam and Rejections in Exact Hosting Hosted Email.
Questions? Contact Exact Hosting Support.