Hello,
This guide is for understanding the information in the full headers of an e-mail message.
If you are trying to find the full headers please see our
Full E-Mail Headers forum for the directions specific to your mail program.
If you are trying to do a forward or reverse email search please try our
email directory lookup tool.
How do you understand the information once you have it?
The path an e-mail took can be traced by reading the headers from the bottom to the top.
First, here are the full e-mail headers from an example text e-mail to myself:

Quote:
Return-Path: <example@EmailQuestions.com>
Delivered-To: [email address]
Received: (qmail 19640 invoked from network); 11 Nov 2008 15:03:14 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on holdems
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=2.4 tests=RDNS_NONE autolearn=disabled
    version=3.2.5
Received: from unknown (HELO hrndva-omtalb.mail.rr.com) (71.74.56.124)
    by mail.discussny.com with SMTP; 11 Nov 2008 15:03:14 -0000
Received: from 007guard.com ([74.74.141.45]) by hrndva-omta01.mail.rr.com
    with ESMTP
    id <20081111150328.XBIS2091.hrndva-omta01.mail.rr.com@007guard.com>
    for <example@emailquestions.com>; Tue, 11 Nov 2008 15:03:28 +0000
Date: Tue, 11 Nov 2008 10:03:23 -0500
From: E-Mail Questions <example@EmailQuestions.com>
Message-ID: <975585836.20081111100323@EmailQuestions.com>
To: [email address]
Subject: Full E-Mail Headers

Now let's break this down into manageable chunks that can be easily explained.

Quote:
Date: Tue, 11 Nov 2008 10:03:23 -0500
From: E-Mail Questions <example@EmailQuestions.com>
Message-ID: <975585836.20081111100323@EmailQuestions.com>
To: [email address]
Subject: Full E-Mail Headers

First, I sent this e-mail to and from a test account that I use for this site. Please keep in mind that even though this information is To: and From: myself, and in this case it is true, it is possible for spammers to forge this information and use values that do not belong to themselves or you.

Quote:
Received: from 007guard.com ([74.74.141.45]) by hrndva-omta01.mail.rr.com
    with ESMTP
    id <20081111150328.XBIS2091.hrndva-omta01.mail.rr.com@007guard.com>
    for <example@emailquestions.com>; Tue, 11 Nov 2008 15:03:28 +0000

This section of the headers shows that I sent the e-mail out through the SMTP relay servers of my ISP, Time Warner (rr.com). The IP address of their SMTP relay that my e-mail passed through was 74.74.141.45. Again, it is possible to add fake headers to an e-mail, but in this case they are true. A general rule of thumb is that you can only trust e-mail headers created by mail servers that you trust.

Quote:
Received: from unknown (HELO hrndva-omtalb.mail.rr.com) (71.74.56.124)
    by mail.discussny.com with SMTP; 11 Nov 2008 15:03:14 -0000

The e-mail was then received from the Time Warner SMTP relay by my mail server. I trust the headers created by my mail server, and since it confirms the e-mail passed through 74.74.141.45 I tend to trust the previous headers too.

Quote:
Delivered-To: [email address]
Received: (qmail 19640 invoked from network); 11 Nov 2008 15:03:14 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on holdems
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=2.4 tests=RDNS_NONE

My mail server did a check for spam using SpamAssassin.
It's also worth noting that RBL checks are not recorded, but that my server also did an RBL check as the e-mail was being received before passing it on to SpamAssassin to be checked.

Quote:
Return-Path: <example@EmailQuestions.com>

A reply to the message will go To: [email address].
If you suspect a forgery please see our guide on
How to check the DNS of an IP Address and Hostname.
If you have any questions about understanding the full headers of an e-mail message that you received please copy and paste them into a reply to this thread and we will be more than happy to examine them for you.
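
The bottom-to-top reading and the "only trust headers from servers you trust" rule from this guide, as an added example that is not part of the original post: Python code that parses the Received: lines of the sample message, lists the hops oldest first, and marks which hops were written by a trusted server. The `TRUSTED_HOSTS` set, the `trace` function and the `HOP` pattern are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Headers copied from this page's example message (hidden-address lines left out).
RAW = """\
Return-Path: <example@EmailQuestions.com>
Received: (qmail 19640 invoked from network); 11 Nov 2008 15:03:14 -0000
Received: from unknown (HELO hrndva-omtalb.mail.rr.com) (71.74.56.124)
    by mail.discussny.com with SMTP; 11 Nov 2008 15:03:14 -0000
Received: from 007guard.com ([74.74.141.45]) by hrndva-omta01.mail.rr.com
    with ESMTP
    id <20081111150328.XBIS2091.hrndva-omta01.mail.rr.com@007guard.com>
    for <example@emailquestions.com>; Tue, 11 Nov 2008 15:03:28 +0000
From: E-Mail Questions <example@EmailQuestions.com>
Subject: Full E-Mail Headers

"""

# Assumption: the reader's own receiving server is the only host trusted here.
TRUSTED_HOSTS = {"mail.discussny.com"}

# "from <claimed name> ... (<connecting IP>) by <server that wrote the line>"
HOP = re.compile(
    r"from\s+(?P<claimed>\S+).*?\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)", re.S)

def trace(raw, trusted=TRUSTED_HOSTS):
    """Return hops oldest-first as (claimed_name, ip, by_host, verified)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)          # top of the headers = newest hop
        if m:                          # local lines (the qmail one) have no from/by pair
            hops.append([m["claimed"], m["ip"], m["by"].lower(), False])
    # Walk down from the newest hop and stop at the first line that was not
    # written by a trusted server: everything from there down is only a claim.
    for hop in hops:
        if hop[2] not in trusted:
            break
        hop[3] = True
    return [tuple(h) for h in reversed(hops)]   # bottom-to-top reading order

if __name__ == "__main__":
    for hop in trace(RAW):
        print(hop)
```
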