What are email headers?

An email header is a block of text which contains all of the relevant information relating to the email itself, such as the Mail From/From/To addresses, SPF and DKIM information and much more.
Email headers can tell you if SPF, DKIM or DMARC failed, if an email was spoofed, where the email went before it reached the destination SMTP server, etc.

What is inside an email header?

Firstly, an email itself contains two important parts:

  • The email header
  • The body of the email

The headers of an email contain:

  • The Mail From and the From address (the Mail From address can also be referred to as the Return-Path or Envelope-Sender address, which tells mail servers where to return the message or to bounce the message back to).
  • The recipient address or To address
  • The dates and times at which email servers sent/received the email
  • The complete path the email took, including the SMTP servers which may have relayed the email
  • SPF, DKIM and DMARC authentication results
  • As mentioned above, the servers which sent and received the email/message are also included

How to find email headers

How you find the email headers for a message varies, as different email clients such as Outlook, Gmail, Thunderbird, etc. have different processes. I will be using Outlook as an example and showing how to find the headers in both the browser client and the official Outlook application.

Outlook browser client

  1. Log in and browse to the Outlook client.
  2. Right click on the email whose headers you want to look at.
  3. Hover over “View” in this menu and click on “View message source”. This will open up the email headers.
    (This works the same with the Outlook application on iOS)

Outlook application

  1. Double click an email to open it up separately.
  2. Click on “File” at the top and then click on “Properties”.
  3. The information here is the email headers.

Most email applications work the same way, and when you right click the email in the client there will usually be a “View message source” button.

Importance of email headers and what to look for

Before going into this section, please be aware that email headers are read from BOTTOM to TOP. All of the important information pertaining to an email message lives in the email headers, which give far more information than what you see when you normally open an email.

Here is an example of an email header:

Delivered-To: test123@gmail.com
Received: by 123 with SMTP id 123;
    Mon, 1 Aug 2022 00:00:00 -0700 (PDT)
🔴 X-Google-Smtp-Source: 123
🔴 X-Received: by 123 with SMTP id 123;
    Mon, 01 Aug 2022 00:00:00 -0700 (PDT)
🔴 Return-Path: <admin@dukesit.com>
🔴 Received: from dukesit.com (dukesit.com. [123])
    by mx.google.com with ESMTPS id 123
    for <test123@gmail.com>
    Mon, 01 Aug 2022 00:00:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of admin@dukesit.com designates IP as permitted sender) client-ip=123;
🔴 Authentication-Results: mx.google.com;
🔴 Message-ID: <12345678-1234-1234-1234-12345678912@dukesit.com> 
🔴 Date: Mon, 1 Aug 2022 00:00:00 +1000
MIME-Version: 1.0
User-Agent: 
Content-Language: en-US
🔴 To: test123@gmail.com
🔴 From: admin <admin@dukesit.com>
Subject: Test email header
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit  

As seen above, the lines with the red dots are the most important and are what should be looked at when investigating email headers.

Here is a breakdown of the important parts of an email header:

From:
This field indicates which email user sent the email. (Please be aware that this email address can be easily spoofed and the subdomain/domain should match the one in the Return-Path: field).

To:
This field will show the email address/es that the message will be sent to.

Date:
This will display the date and time at which the email was sent.

‘X-’ type headers:
These headers are custom headers that are usually applied by the ISP/SMTP server themselves and relate to things such as authentication results.

Authentication-Results:
This information will display the mail server that authenticated the message at each email ‘hop’.

Message-ID:
This is a unique ID which can be used to identify your message/email. Email Service Providers (ESP) can use this information to track your email if support is required.

Received:
This line displays the mail server which accepted the mail from the previous one. As stated above, please be aware that email headers are read from bottom to top.

Return-Path:
The return path specifies the address that mail servers (SMTP) should send emails to in order to notify of bounces.

Please be aware that these are the important headers in an email. When analysing email headers, please also take into account the other headers, as they can also provide helpful information.
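
The checks described above can be scripted. The following is an added example, not part of the original article: it uses Python's standard `email` module to list the Received hops oldest first (bottom to top), compare the From domain with the Return-Path domain, and read the SPF result. The sample header is constructed from the example shown earlier, and the names `analyse` and `_domain` are hypothetical.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the example header shown earlier on this page.
SAMPLE = """\
Delivered-To: test123@gmail.com
Received: by 123 with SMTP id 123;
    Mon, 1 Aug 2022 00:00:00 -0700 (PDT)
Return-Path: <admin@dukesit.com>
Received: from dukesit.com (dukesit.com. [123])
    by mx.google.com with ESMTPS id 123
    for <test123@gmail.com>
    Mon, 01 Aug 2022 00:00:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of admin@dukesit.com designates IP as permitted sender) client-ip=123;
Message-ID: <12345678-1234-1234-1234-12345678912@dukesit.com>
Date: Mon, 1 Aug 2022 00:00:00 +1000
To: test123@gmail.com
From: admin <admin@dukesit.com>
Subject: Test email header

body
"""

def _domain(value):
    """Lower-cased domain of the address in a From/Return-Path value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = email.message_from_string(raw)
    # Every server prepends its own Received line, so reverse the list
    # to read the path in the order the message actually travelled.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    # Received-SPF starts with the result keyword (pass, fail, softfail, ...).
    spf = ((msg.get("Received-SPF") or "").split() or ["none"])[0].lower()
    return {
        "hops": hops,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # An empty Return-Path (<>) or missing From never counts as a match.
        "domains_match": bool(from_dom) and from_dom == rp_dom,
        "spf": spf,
    }

if __name__ == "__main__":
    report = analyse(SAMPLE)
    for n, hop in enumerate(report["hops"], 1):
        print(f"hop {n}: {hop}")
    print({k: v for k, v in report.items() if k != "hops"})
```

The comparison is an exact domain match. A message whose Return-Path sits on a different subdomain of the same organisation will be reported as a mismatch and needs a manual look.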