How to get your Email headers, and make sense of them

When you receive an email, your mail client shows you the basic information about the message: the name and email address of the person who sent it, the time it was sent, and the content of the message.

Sometimes you need to know more about an email you have received, and the email headers hold a wealth of information that is very useful once you know how to interpret their rather intimidating text.

First of all, you need to know how to get to this information – rather than detailing the various email programs here, there is a pretty extensive list covered here: https://mxtoolbox.com/Public/Content/EmailHeaders/

If you are having broader problems with your email, you may find our guide to email troubleshooting helpful.

Message Header Fields

There are many standard email header fields, and even more non-standard ones (conventionally prefixed with X-). Standard header names follow RFC 5322, the Internet Message Format specification, but trawling through RFC documents to make sense of this is not what we will be covering here!

Interpreting email headers becomes far easier once you know which bits of information matter to you and which can be ignored. Normally you will be interested in things like the true origin of the email, or why an email was delayed.

You will also see several headers with the same name (Received is the usual one). This looks confusing, but each copy was added by a different server as the message passed through it, and together they hold the information you are after.

Okay, let’s get into the juice! Here is an example of what you might find when viewing the email headers:

Delivered-To: recipient@activereach.net
Received: by 10.0.0.254 with SMTP id abc123abc123;
    Mon, 15 Dec 2014 01:53:34 -0800 (PST)
Return-Path: <sender_return@senderdomain.tld>
Received: from mailserver1.senderserver.tld (mailserver1.senderserver.tld. [99.88.77.66])
    by mx.google.com with ESMTPS id xyz789xyz789.59.2014.12.15.01.53.33
    for <recipient@activereach.net>;
    Mon, 15 Dec 2014 01:53:33 -0800 (PST)
Received: from [10.10.10.254] ([10.10.10.254:59597] helo=mailgateway4.senderserver.tld)
    by mailgateway3.senderserver.tld
    with ESMTP id D8/4F-26441-C9FAE845;
    Mon, 15 Dec 2014 09:53:32 +0000
Received: from [10.20.20.254] ([10.20.20.254:58806] helo=mailgateway2.senderserver.tld)
    by mailgateway1.senderserver.tld
    with ESMTPS id 6C/15-15531-C9FAE845;
    Mon, 15 Dec 2014 09:53:31 +0000
Received: from  [123.45.67.89] by server.senderdomain.tld via HTTP; Mon, 15 Dec 2014 01:53:30 -0800
Date: Mon, 15 Dec 2014 09:53:30 +0000 (GMT)
From: Ray Tomlinson <ray@senderdomain.tld>
To: activereach Ltd <recipient@activereach.net>
Message-ID: <11122223333@senderdomain.tld>
Subject: This is the email subject

Looks intimidating at first – and this is a simplified example – so let’s break it down:

At the bottom we have the most basic information:

Date: Mon, 15 Dec 2014 09:53:30 +0000 (GMT)
From: Ray Tomlinson <ray@senderdomain.tld>
To: activereach Ltd <recipient@activereach.net>
Message-ID: <11122223333@senderdomain.tld>
Subject: This is the email subject

We can see this email was sent at 09:53:30 GMT by someone calling themselves Ray Tomlinson. The From header is written by whoever composed the message and is not verified by the mail servers that carry it, so it is easily forged and should not be relied upon to establish who really sent a message. (Ray Tomlinson sent the first network email in 1971, and the basic structure of a message has changed little since. There's a bit of history for you.)

We can also see the Message-ID, the unique identifier for this message. It is generated by the sending system when the message is created (so, like From, it is under the sender's control), and it is useful for tracking a message through mail server logs. Finally we can see who the message was sent to, and the subject line.

Further up the headers we see a series of lines beginning "Received:". Each mail server that handles the message adds one of these to the top of the headers, so the bottom entry is the first hop and the top entry is the last. It is best to start at the bottom and work upwards: the entry furthest down records the origin of the email, which is what you want when trying to determine its true source. In this example, the email was submitted from IP address 123.45.67.89 (through a webmail interface, hence "via HTTP"). A WHOIS or RDAP lookup on the IP address will tell you who is responsible for the system that created and sent the message. One caveat: only the Received lines added by servers you trust can be taken at face value. The lines below them were supplied by the sending side, and a spammer can insert bogus Received lines to make a message look as if it came from somewhere else, so read down from the top until you reach the first server you do not control, and treat everything beneath it as the sender's claim rather than as fact.

If we trim some lines down, we can see the path of the email through the various servers that were involved in its transaction:

Received: by 10.0.0.254 Mon, 15 Dec 2014 01:53:34 -0800 (PST)
Received: by mx.google.com Mon, 15 Dec 2014 01:53:33 -0800 (PST)
Received: by mailgateway3.senderserver.tld Mon, 15 Dec 2014 09:53:32 +0000
Received: by mailgateway1.senderserver.tld Mon, 15 Dec 2014 09:53:31 +0000
Received: by server.senderdomain.tld via HTTP; Mon, 15 Dec 2014 01:53:30 -0800

Notice that the timestamps use two different time zone offsets: the sender's gateways stamp in +0000 (GMT), while the original submission and the receiving servers stamp in -0800 (PST), eight hours behind. Every timestamp carries its offset precisely so that this does not cause confusion. Once everything is converted to the same zone (01:53:30 -0800 is 09:53:30 +0000), we can see that each server involved added about one second, so the overall time for the email to leave the sender and reach the receiver was 4 seconds.

Understanding how to read these lines will help you find where long delays occurred. Each server also typically stamps its own unique ID into its Received line (the "id ..." part), which you can match against that server's logs when tracking a message.

The other fields we can see are the Return-Path and the Delivered-To. The Return-Path is the envelope sender, the address given in the SMTP MAIL FROM command when the message was handed over; it can be different from the From header, and it is where non-delivery reports (bounces) are sent. The Delivered-To is the mailbox the message was finally delivered to, which is normally the same as the address it was originally sent to; forwarding rules and distribution lists change it accordingly.

A useful resource to use if you want to parse email headers with a lot less effort is:
https://toolbox.googleapps.com/apps/messageheader/analyzeheader