
Master: How to Find Email Headers in Seconds

How to Find Email Headers: A Comprehensive Guide

Email headers contain vital information about the journey of an email, revealing its origin, path, and various servers it passed through. This data is crucial for troubleshooting email delivery issues, identifying spam sources, and verifying email authenticity. This comprehensive guide will walk you through the process of finding email headers using different email clients and methods, along with practical examples and troubleshooting tips to help you become a header-hunting expert.


What Are Email Headers and Why Are They Important?

[Image: email header structure overview, highlighting the Received, From and Return-Path fields.]

Email headers are metadata embedded within an email message. Think of them as the envelope containing the postal stamps and routing information for a physical letter. They contain technical details about the sender, recipient, path the email took, timestamps, and more. Understanding these headers is crucial for several reasons:

  • Troubleshooting Delivery Issues: Identify where an email got delayed or blocked.
  • Spam Detection: Uncover the true origin of spam emails, even if the “From” address is spoofed.
  • Authentication Verification: See whether the email passed SPF, DKIM, and DMARC at your receiving server. A pass shows that the sending domain authorised the message; it does not by itself prove the sender is honest.
  • Security Analysis: Investigate potential phishing attempts by examining the email’s route and origin.
  • Compliance: Maintain records of email communication for regulatory or legal purposes.

A typical email header consists of several fields, each providing specific information. Some of the most important fields include:

  • Received: Shows the path an email took, one line per server that handled it. Each server prepends its own “Received” line above the existing headers, so the topmost one is the last hop before your mailbox.
  • From: The sender address shown to the recipient. It is set by the sender and is trivially spoofed.
  • To: Shows the recipient’s email address.
  • Subject: The subject line of the email.
  • Date: The date and time the sender’s client claims the email was sent.
  • Message-ID: A unique identifier for the email, generated by the sending system.
  • Return-Path: The envelope sender (SMTP MAIL FROM), recorded by the final receiving server; bounce messages (delivery failures) go here. It need not match “From”.
  • Authentication-Results: Added by the receiving server with the outcome of its SPF, DKIM, and DMARC checks. Those three are mechanisms rather than header fields of their own (DKIM does add a DKIM-Signature header):
  • SPF: Sender Policy Framework – checks that the connecting IP address is authorised to send mail for the envelope sender’s domain (the Return-Path), not for the “From” header.
  • DKIM: DomainKeys Identified Mail – a cryptographic signature over selected headers and the body, verified against a public key published in the signing domain’s DNS.
  • DMARC: Domain-based Message Authentication, Reporting & Conformance – requires SPF or DKIM to pass for a domain aligned with the “From” domain, and lets the domain owner publish what receivers should do on failure.

Let’s look at an example of a simplified email header:

Received: from mail.example.com (mail.example.com [203.0.113.45]) by mx.recipient.com with ESMTP id s22iF0a90034 for <user@recipient.com>; Fri, 27 Oct 2023 10:00:00 -0700 (PDT)
From: sender@example.com
To: user@recipient.com
Subject: Important Information
Date: Fri, 27 Oct 2023 10:00:00 -0700
Message-ID: <1234567890.12345.java@mail.example.com>
Return-Path: <sender@example.com>
Authentication-Results: mx.recipient.com; spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com

Each line provides a piece of the email’s history. Understanding these pieces is crucial to email forensics.

Why Bother with Command-Line Tools?

While GUI email clients are convenient, sometimes you need more direct access to the raw email data. Command-line tools provide that access, especially for server administration or analysing mail logs, and they let you work on messages stored directly on a server without a client in between. A mailbox in mbox format (`/var/mail/user` on most Linux systems) is just a text file, so the usual text tools (`grep`, `sed`, `awk`) work on it; the specific commands are covered in the “Retrieving Headers via Command-Line Tools” section below.

Tip: When troubleshooting, read the `Received:` headers from the bottom up to trace the email’s path from sender to recipient, since each server adds its line above the existing ones.

Email headers are like the DNA of an email message. By carefully analyzing them, you can uncover a wealth of information about its origin and journey.

John Doe, Security Analyst
Finding Email Headers in Popular Email Clients

[Image: step-by-step screenshots for revealing email headers in Gmail, Outlook, Thunderbird, and webmail interfaces.]

The method for finding email headers varies depending on the email client you are using. Here’s how to do it in some of the most popular ones:

Gmail

  • Open the email you want to examine.
  • Click the three vertical dots (More) in the top-right corner of the email.
  • Select “Show original.”
  • A new tab or window will open, displaying the full email headers and source code.

Gmail provides a user-friendly interface to view the raw email content, including all headers. You can copy the entire content to a text file for further analysis.

Microsoft Outlook (Desktop)

  • Open the email message.
  • Click File > Info > Properties.
  • In the “Properties” window, look for the “Internet headers” section at the bottom. You may need to scroll down.
  • The email headers will be displayed in this section.

Outlook’s method is slightly more buried, but the information is readily available once you know where to look. Remember to scroll to the bottom of the properties window.

Microsoft Outlook (Web)

  • Open the email message.
  • Click the three horizontal dots (More actions) in the top-right corner of the email.
  • Select “View” and then “View message source.”
  • A new window will open, displaying the full email headers and source code.

The web version of Outlook has a cleaner and more direct approach than the desktop app. Viewing the message source is the key.

Mozilla Thunderbird

  • Open the email message.
  • Click the three horizontal lines (Menu) in the top-right corner of the application.
  • Select “View” > “Message Source.”
  • A new tab or window will open, displaying the full email headers and source code. Alternatively, you can press `Ctrl+U` (or `Cmd+U` on macOS).

Thunderbird makes it very easy to access the message source. The keyboard shortcut (`Ctrl+U`) is also a quick way to view the headers.

Apple Mail (macOS)

  • Open the email message.
  • Go to “View” in the menu bar.
  • Select “Message” > “Raw Source.”
  • A new window will open, displaying the full email headers and source code.

Similar to Thunderbird, Apple Mail provides a straightforward way to view the raw source code and headers. The “Raw Source” option is what you’re looking for.

Webmail Interfaces (cPanel, Roundcube, Horde)

Most webmail interfaces provide a similar option to view the full email source. The exact wording might vary, but look for options like “View Source,” “Show Original,” or “Raw Message.” These options are usually found within the email viewing pane, often under a “More” or “Options” menu.

Here’s an example using cPanel’s webmail interface (Roundcube):

  • Open the email message.
  • Click the “More” dropdown menu (usually represented by three dots or a gear icon).
  • Select “Show Source.”

The location of this option varies. If you’re having trouble finding it, consult the documentation for your specific webmail interface.

Email Client       | Method to View Headers
-------------------|-----------------------------------------------------------
Gmail              | More (three dots) -> Show original
Outlook (Desktop)  | File -> Info -> Properties -> Internet headers
Outlook (Web)      | More actions (three dots) -> View -> View message source
Thunderbird        | View -> Message Source (or Ctrl+U)
Apple Mail         | View -> Message -> Raw Source

Warning: Be cautious when sharing email headers, as they may contain sensitive information such as your IP address or email server details. Redact any information you don’t want to share.

Retrieving Headers via Command-Line Tools

[Image: a terminal session using `mail`, `grep`, `sed`, and `awk` to extract email headers from a mailbox file on a Linux server.]

For system administrators and developers, command-line tools offer a powerful way to access and manipulate email headers. This is particularly useful when dealing with email servers directly or automating email analysis.

Accessing Mailboxes with `mail` and `mutt`

The `mail` utility is a basic command-line email client available on most Unix-like systems (on Linux it is usually provided by the `bsd-mailx` or `mailutils` package). `mutt` is a more capable alternative.

To access a user’s mailbox (e.g., the user “john”), you can use:

# Using mail
mail -f /var/mail/john

# Using mutt
mutt -f /var/mail/john

These commands will open the mailbox in the respective client. You can then navigate through the emails and view their contents, including the headers. To view an email’s headers in `mutt`, typically press `h` within the `mutt` interface.

To read a specific message with every header shown, open the mailbox and use the capital `P` (Print) command at the `&` prompt; lowercase `p` hides the headers on the client’s ignore list:

# Open the mailbox, then show message 1 with all of its headers
mail -f /var/mail/john
& P 1

The `-v` flag of `mail` only makes sending verbose; it does not reveal headers when reading.

Extracting Headers with `grep` and `sed`

`grep` and `sed` are powerful tools for searching and manipulating text. You can use them to extract specific headers from an email file.

To find all “Received:” header lines:

grep "^Received:" /var/mail/john

To do the same with `sed`:

sed -n '/^Received:/p' /var/mail/john

The `-n` option in `sed` suppresses default output, and the `/^Received:/p` part prints only lines that start with “Received:”. The `^` anchor matters: without it you also match the word wherever it appears in message bodies and quoted replies.

To extract the “Subject:” header:

grep "^Subject:" /var/mail/john

Two caveats apply to all of these. First, `/var/mail/john` is a whole mailbox, so the commands return the headers of every message in it; to analyse one message, save it on its own (as an `.eml` file from a client, or by copying the lines from its `From ` separator line up to the next one) and run the commands on that file. Second, long headers are folded onto continuation lines that begin with a space or tab, and a line-based match only sees the first line of each header, so the hostname, IP address or timestamp you are after may be on the line below. Join the continuation lines before matching when the field you need is not on the first line.

Using `awk` for Advanced Header Extraction

`awk` is an even more versatile tool for text processing. You can use it to extract specific parts of header lines.

For example, to extract the IP address recorded in a “Received:” header:

awk '/^Received:/ { if (match($0, /\[([0-9.]+)\]/, a)) print a[1] }' /var/mail/john

This command searches for lines starting with “Received:”, then uses the `match` function to capture the IP address enclosed in square brackets; `a[1]` is the captured address. Two caveats: the three-argument form of `match` is a GNU awk (`gawk`) extension and fails on `mawk` and BSD `awk`, and the first bracketed address on the line is not always the connecting IP, because a client that identifies itself with an address literal in HELO (for example `from [192.168.1.20] (unknown [203.0.113.99])`) puts its own claim first. The address inside the receiving server’s parenthesised annotation is the one that server actually observed.

Another example, to extract the host name from a “Received:” header:

awk '/^Received: from/ { print $3 }' /var/mail/john

This prints the third field of each “Received: from …” line, which is the name the sending server announced in its HELO/EHLO command. That name is supplied by the sender and can be anything; treat the reverse DNS name and IP address that the receiving server wrote in parentheses as the reliable part.

Example: Analyzing Delivery Delays

Let’s say you suspect an email is experiencing delivery delays. You can use these tools to analyze the “Received:” headers and identify the bottleneck.

First, extract the “Received:” headers (from a single saved message, or from the whole mailbox as here):

grep "^Received:" /var/mail/user > received_headers.txt

Then examine `received_headers.txt`, reading from the bottom up. Each “Received:” header carries the time at which that server accepted the message, so the difference between two consecutive headers is how long the earlier server held the message before the next one accepted it. A large gap points at the server named after `by` in the lower of the two headers. Remember that the timestamp may sit on a continuation line, that every server stamps its own clock and time zone, and that only the headers added by servers you trust are reliable: anything below the first hop on your own infrastructure could have been written by the sender.

Calculating the gap between hops can be scripted once the headers are unfolded and the timestamps parsed. That is awkward in `awk` and straightforward in a scripting language, and it shows how far command-line analysis can be pushed.
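The hop-timing calculation, done in Python rather than `awk`. This is an added example for this article, not code from the page: it unfolds continuation lines before parsing, takes the connecting IP from the receiving server's own parenthesised annotation rather than from the HELO name, and reports which server held the message longest. The header block it works on is constructed and embedded in the script (reserved example domains and addresses; the three hops and their timestamps are made up to show a 45-minute stall at the relay).

```python
"""Trace the Received: chain of a message and measure how long each hop held it.

Added example for this article, not code from the page.  SAMPLE_HEADERS is a
constructed header block using reserved example domains and addresses.
"""
from __future__ import annotations

import re
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample.  Received: lines are folded the way real MTAs fold them,
# and the topmost one is the LAST hop (the server closest to the recipient).
SAMPLE_HEADERS = """\
Return-Path: <sender@example.com>
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.recipient.com with ESMTP id s22iF0a90034
    for <user@recipient.com>; Fri, 27 Oct 2023 10:45:12 -0700 (PDT)
Received: from mail.example.com (mail.example.com [203.0.113.45])
    by relay.example.net with ESMTPS id abc123;
    Fri, 27 Oct 2023 10:00:20 -0700 (PDT)
Received: from [192.168.1.20] (unknown [203.0.113.99])
    by mail.example.com with ESMTPSA id xyz789;
    Fri, 27 Oct 2023 10:00:05 -0700 (PDT)
From: sender@example.com
To: user@recipient.com
Subject: Important Information
Date: Fri, 27 Oct 2023 10:00:00 -0700
"""

# "from <helo> (<reverse-dns> [<ip>]) ... by <host>" as written by Postfix and
# Sendmail.  <helo> is whatever the client claimed; the bracketed part is what
# the receiving server itself observed, so that is the IP to rely on.
_RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\[\)]*?)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def unfold(raw: str) -> str:
    """Join folded continuation lines (RFC 5322 2.2.3) so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def header_values(raw: str, name: str) -> list[str]:
    """Every value of header `name`, topmost first."""
    pattern = re.compile(rf"^{re.escape(name)}:[ \t]*(.*)$", re.I | re.M)
    return pattern.findall(unfold(raw))


def parse_received(value: str) -> dict:
    """Split one unfolded Received: value into helo, rdns, ip, by and time."""
    m = _RECEIVED_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised Received header: {value!r}")
    hop = m.groupdict()
    # The timestamp follows the last ';'; drop comments such as "(PDT)" first.
    stamp = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[1]).strip()
    hop["time"] = parsedate_to_datetime(stamp)
    return hop


def received_hops(raw: str) -> list[dict]:
    """Hops in transit order: index 0 is the first server that accepted the mail."""
    return [parse_received(v) for v in reversed(header_values(raw, "Received"))]


def hop_delays(hops: list[dict]) -> list[float]:
    """Seconds hop i held the message before hop i+1 accepted it."""
    return [(nxt["time"] - cur["time"]).total_seconds() for cur, nxt in zip(hops, hops[1:])]


def slowest_hop(hops: list[dict]) -> tuple[float, str]:
    """(delay in seconds, server that sat on the message) for the worst hop."""
    delays = hop_delays(hops)
    i = max(range(len(delays)), key=delays.__getitem__)
    return delays[i], hops[i]["by"]


def origin_ip(hops: list[dict]) -> Optional[str]:
    """Connecting IP recorded by the earliest hop that recorded one.

    Trust it only if every hop from there up to your own MX is a server you know:
    anything below the first Received: added by your infrastructure can be forged.
    """
    return next((h["ip"] for h in hops if h["ip"]), None)


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    for hop, held in zip(hops, hop_delays(hops) + [0.0]):
        print(f"{hop['ip'] or '-':>15} -> {hop['by']:<20} held {held:6.0f}s")
    print("origin IP:", origin_ip(hops), " slowest:", slowest_hop(hops))
```

Run it on a saved message by replacing `SAMPLE_HEADERS` with the file contents; for a mailbox, split it into messages first. The bottom hop in the sample is an authenticated submission (`ESMTPSA`) from a NAT client, which is why its HELO is a private address literal while the recorded IP is public.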

Tip: When using command-line tools, always redirect the output to a file (e.g., `> output.txt`) for easier analysis. This prevents the output from scrolling off the screen and allows you to examine the data more carefully.

Analyzing Email Headers: Understanding the Data

[Image: diagram of an email passing through several mail servers, with the key header fields highlighted at each stage.]

Once you’ve retrieved the email headers, the next step is to understand the information they contain. Each header field provides valuable clues about the email’s origin, path, and authenticity.

The `Received:` Header – Tracing the Email’s Path

The `Received:` header is the most important for tracing the email’s journey. Each mail server that handles the email adds a `Received:` header to the top of the existing headers. Therefore, the `Received:` headers are listed in reverse order of the email’s path. The topmost `Received:` header is the last server the email passed through before reaching your mailbox.

A typical `Received:` header looks like this:

Received: from mail.example.com (mail.example.com [203.0.113.45]) by mx.recipient.com with ESMTP id s22iF0a90034 for <user@recipient.com>; Fri, 27 Oct 2023 10:00:00 -0700 (PDT)

Let’s break down the components:

  • from mail.example.com (mail.example.com [203.0.113.45]): The first name is what the sending server called itself in its HELO/EHLO command, and it is chosen by the sender. The part in parentheses is what the receiving server observed: the reverse DNS name of the connection (or `unknown`) and the connecting IP address (`203.0.113.45`). When the two names differ, or the reverse DNS does not match the claimed name, the connecting IP is the fact to work from.
  • by mx.recipient.com: The receiving server’s hostname (`mx.recipient.com`), the server that wrote this line. For the topmost header this is usually your own mail server.
  • with ESMTP id s22iF0a90034: The protocol used (ESMTP – Extended Simple Mail Transfer Protocol; `ESMTPS` means the session used TLS, `ESMTPSA` TLS plus an authenticated submission) and the receiving server’s queue ID (`s22iF0a90034`), which you can search for in that server’s logs.
  • for <user@recipient.com>: The envelope recipient this copy was delivered for. It is optional and is often omitted for messages with several recipients.
  • Fri, 27 Oct 2023 10:00:00 -0700 (PDT): The date and time at which this server accepted the email, in the server’s own clock and time zone (`-0700 (PDT)`).

By examining the `Received:` headers from the bottom up, you can trace the email’s path from the sender to your inbox. Only the headers written by servers you trust are reliable: your own MX adds its line after receiving whatever the sender handed over, and a sender can prepend any number of plausible-looking `Received:` lines of its own. Start from the first hop on your infrastructure, note the IP it was contacted from, and treat everything below it as the sender’s claim. Unusual hops, reverse DNS that does not match the claimed name, or an origin unrelated to the purported sender are all worth a closer look.

Authentication Headers – Verifying Email Authenticity

The `Authentication-Results:` header provides information about the email’s authentication status, including SPF, DKIM, and DMARC checks.

A typical `Authentication-Results:` header looks like this:

Authentication-Results: mx.recipient.com; spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com

Let’s break down the components:

  • mx.recipient.com: The authserv-id of the server that performed the checks. Only trust an `Authentication-Results:` header whose authserv-id is your own receiving server; a sender can insert a fake one before handing the message over, which is why well-behaved receivers strip or rename any such header that arrives from outside.
  • spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=sender@example.com: The SPF check passed: the connecting IP (`203.0.113.45`) is listed in the SPF record of the envelope sender’s domain. `smtp.mailfrom` is the SMTP MAIL FROM (Return-Path) address, not the visible “From” header, which is why an SPF pass on its own says nothing about the address the recipient sees.
  • dkim=pass header.d=example.com: The DKIM signature verified, and `header.d` is the domain that signed it (`example.com`). A valid signature proves that the signed headers and body have not been altered since that domain signed them; it does not by itself prove that the signer is the domain in “From”.
  • dmarc=pass action=none header.from=example.com: The DMARC check passed for the domain in the “From” header (`header.from`). DMARC passes when SPF or DKIM passes for a domain aligned with `header.from`, and that alignment is what ties the other two results to the address the recipient sees. `action=none` is the action this receiver took; what happens on failure is set by the domain owner’s published policy (`p=none`, `p=quarantine` or `p=reject`).

If a check fails (`spf=fail`, `dkim=fail`, `dmarc=fail`), the email may be spoofed, but it may also have been forwarded or passed through a mailing list, both of which legitimately break SPF and sometimes DKIM. Conversely, `spf=pass` and `dkim=pass` for a domain that is not the “From” domain are exactly what a bulk mailer, or a phisher sending through infrastructure they control, produces; only the DMARC result reflects that mismatch.

Other Important Header Fields

  • From: Indicates the sender’s email address. However, this can be easily spoofed, so don’t rely on it solely for verification.
  • To: Shows the recipient’s email address.
  • Subject: The subject line of the email.
  • Date: The date and time the email was sent. Verify that the date and time are consistent with the `Received:` headers.
  • Message-ID: A unique identifier for the email. This can be useful for tracking the email across different systems.
  • Return-Path: The address where bounce messages (delivery failures) should be sent. This is often the same as the “From” address, but it can be different.
  • X-Spam-Status: Some mail servers add this header to indicate whether the email was classified as spam. It may contain a score and a reason for the classification.

Example: Identifying a Phishing Email

Let’s say you receive an email that looks suspicious. You can analyze the headers to determine if it’s a phishing attempt.

  • Check the `Received:` headers: Starting from the first hop on your own infrastructure, look at the IP address and reverse DNS of the server that delivered the message. If the email claims to be from a reputable company but that hop is a residential address, a generic hosting provider, or a server unrelated to the company’s mail infrastructure, that is a red flag.
  • Check the `Authentication-Results:` header: Confirm that it was written by your own server, then look at the DMARC result and at the domains in `smtp.mailfrom` and `header.d`. SPF and DKIM passes for a domain other than the “From” domain, or a DMARC failure, suggest that the visible sender is not who sent the message.
  • Examine the `From:` address: Does the domain match the company it claims to be from? Look-alike domains (an extra word, a swapped letter, a different top-level domain) and a display name that does not match the address are common tricks.
  • Look for inconsistencies: Does the `Date:` header disagree badly with the timestamp in the first `Received:` header? Does the `Message-ID:` carry a domain unrelated to the sender? Does `Return-Path:` point somewhere else entirely? None of these is proof on its own, but together they build a picture.

By carefully analyzing the email headers, you can often identify phishing emails and protect yourself from online scams.
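The authentication checks from the list above, as an added example for this article rather than code from the page or any product. It parses the `Authentication-Results:` header, ignores any copy not stamped with our own authserv-id (assumed here to be `mx.recipient.com`), and then checks whether the SPF and DKIM domains are aligned with the `From:` domain and where bounces would go. The three messages it examines are constructed and use reserved example domains: a clean one, a bulk-mailer spoof where SPF and DKIM both pass for the wrong domain, and one whose only `Authentication-Results:` header was written by the sender. Alignment is approximated as "same domain or a subdomain"; real relaxed alignment compares organizational domains using the public suffix list.

```python
"""Check whether Authentication-Results: actually vouches for the From: domain.

Added example for this article, not code from the page or any product.  The
three messages below are constructed; all domains are reserved example names.
"""
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# authserv-id that our own MX writes into Authentication-Results: (assumed for
# the example).  A header carrying any other id was added upstream, or forged
# by the sender, and must be ignored rather than trusted.
OUR_AUTHSERV_ID = "mx.recipient.com"

LEGIT = """\
Return-Path: <sender@example.com>
Authentication-Results: mx.recipient.com; spf=pass (sender IP is 203.0.113.45)
    smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com;
    dmarc=pass action=none header.from=example.com
From: "Example Sender" <sender@example.com>

body
"""

# spf and dkim both pass, but for the bulk mailer's domain, not the domain shown
# in From:.  That is exactly the case DMARC alignment exists to catch.
SPOOF = """\
Return-Path: <bounce@bulk-mailer.example.net>
Authentication-Results: mx.recipient.com;
    spf=pass smtp.mailfrom=bounce@bulk-mailer.example.net;
    dkim=pass header.d=bulk-mailer.example.net;
    dmarc=fail action=none header.from=bank.example.com
From: "Bank Security" <alerts@bank.example.com>

body
"""

# A sender can write its own Authentication-Results: before handing the message
# over.  Only the header stamped with our authserv-id counts.
FORGED_AR = """\
Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=ceo@example.com;
    dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: ceo@example.com

body
"""


def parse_auth_results(value: str) -> dict:
    """RFC 8601 value -> {'authserv': id, 'spf': {'result': .., 'smtp.mailfrom': ..}, ...}."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop comments like "(sender IP is ...)"
    parts = [p for p in re.split(r"\s*;\s*", value.strip()) if p]
    parsed: dict = {"authserv": parts[0].split()[0].lower()}
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        info = {"result": result.lower()}
        for token in tokens[1:]:                     # ptype.property=value, or action=value
            key, _, val = token.partition("=")
            info[key.lower()] = val
        parsed[method.lower()] = info
    return parsed


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def aligned(candidate: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment, approximated as 'same domain or a subdomain'."""
    return bool(candidate) and (candidate == from_domain or candidate.endswith("." + from_domain))


def assess(raw_message: str) -> list[str]:
    """Red flags for one message; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    results = [parse_auth_results(v) for v in msg.get_all("Authentication-Results") or []]
    ours = [r for r in results if r["authserv"] == OUR_AUTHSERV_ID]
    if not ours:
        return ["no Authentication-Results from our MX; treat the message as unauthenticated"]
    ar = ours[0]
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    flags = []
    mailfrom = domain_of(spf.get("smtp.mailfrom", ""))
    if spf.get("result") != "pass":
        flags.append(f"spf={spf.get('result', 'missing')}")
    elif not aligned(mailfrom, from_domain):
        flags.append(f"spf passed for {mailfrom}, not for From domain {from_domain}")
    signer = dkim.get("header.d", "").lower()
    if dkim.get("result") != "pass":
        flags.append(f"dkim={dkim.get('result', 'missing')}")
    elif not aligned(signer, from_domain):
        flags.append(f"dkim signed by {signer}, not aligned with From domain {from_domain}")
    if dmarc.get("result") != "pass":
        flags.append(f"dmarc={dmarc.get('result', 'missing')} (action={dmarc.get('action', 'n/a')})")
    return_path = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if return_path and not aligned(return_path, from_domain):
        flags.append(f"bounces go to {return_path}, not to From domain {from_domain}")
    return flags


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF), ("forged-ar", FORGED_AR)):
        print(label, "->", assess(raw) or ["ok"])
```

Point `assess()` at the raw source of a message saved from any of the clients above. The spoof case is the one worth remembering: three green results in a client's summary view can all be true and the mail can still be from someone else entirely, because only DMARC checks that the passing domain is the one in `From:`.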

Understanding email headers is like being a detective. You can use the clues within the headers to solve the mystery of where an email came from and whether it’s legitimate.

Jane Smith, Cyber Security Expert

Using Online Tools to Parse Email Headers

[Image: output of online email header analyzers, showing the key information they extract.]

Analyzing email headers manually can be tedious and time-consuming. Fortunately, several online tools can automate this process, providing a more user-friendly and efficient way to understand the data.

Benefits of Using Online Header Analyzers

  • Ease of Use: Simply paste the email headers into the tool, and it will automatically parse and analyze them.
  • Clear Presentation: The tools present the information in a structured and easy-to-understand format.
  • Automated Analysis: Many tools automatically identify potential issues, such as SPF/DKIM/DMARC failures or suspicious hops.
  • Time Saving: Reduces the manual effort required to analyze email headers.

Popular Online Header Analyzers

  • MXToolbox Email Header Analyzer: A comprehensive tool that parses email headers and provides detailed information about each field. It also checks for SPF, DKIM, and DMARC records and identifies potential issues.
  • Google Admin Toolbox Messageheader: Google’s official tool, great at extracting very specific elements like the IP address for message tracing.
  • IPLocation Email Header Analyzer: This tool focuses on identifying the geographic location of the sending servers based on their IP addresses.
  • MailHeader.org: Another simple and easy-to-use tool that provides a basic analysis of email headers.

These are just a few of the many online tools available. Choose the one that best suits your needs and preferences.

Example: Using MXToolbox Email Header Analyzer

Let’s walk through an example of using MXToolbox Email Header Analyzer.

  • Copy the email headers: Follow the instructions in the “Finding Email Headers in Popular Email Clients” section to retrieve the email headers.
  • Paste the headers into MXToolbox: Go to the MXToolbox Email Header Analyzer website (https://mxtoolbox.com/EmailHeaders.aspx) and paste the email headers into the text box.
  • Click “Analyze Header”: Click the “Analyze Header” button to start the analysis.
  • Review the results: MXToolbox will display a detailed analysis of the email headers, including:
    • A summary of the key information, such as the sender, recipient, subject, and date.
    • A breakdown of each header field, with explanations of its meaning and purpose.
    • The results of SPF, DKIM, and DMARC checks.
    • A visualization of the email’s path.
    • Any potential issues or warnings.

The MXToolbox analysis can help you quickly identify potential problems with the email, such as SPF/DKIM/DMARC failures, suspicious hops, or inconsistencies in the headers.

Interpreting the Results

Online header analyzers provide a lot of information, but it’s important to understand how to interpret the results.

  • Pay attention to warnings and errors: If the tool identifies any potential issues, investigate them further. For example, if the SPF check failed, it could indicate that the email is spoofed.
  • Verify the authenticity of the sender: Check the `From:` address and the `Authentication-Results:` header to verify that the email is from a legitimate sender.
  • Trace the email’s path: Examine the `Received:` headers to trace the email’s path and look for any unusual hops or servers.
  • Use multiple tools: To get a more comprehensive analysis, use multiple online header analyzers. Each tool may provide slightly different information or perspectives.

Warning: Be cautious when using online tools to analyze sensitive emails. Some tools may store or share the data you submit. Choose reputable tools with clear privacy policies, and avoid submitting emails containing confidential information.

Feature                            | MXToolbox Email Header Analyzer | IPLocation Email Header Analyzer
-----------------------------------|---------------------------------|---------------------------------
SPF/DKIM/DMARC Checks              | Yes                             | No
Geographic Location Identification | Limited                         | Yes
Detailed Header Analysis           |                                 |
