Hello,
This guide is for understanding the information in the full headers of an e-mail message.
If you are trying to find the full headers please see our How to get full email headers (message source) forum for the directions specific to your mail program.
If you are trying to do a forward or reverse email search please try our email directory lookup tool.
How do you understand the information once you have it?
The path an e-mail took can be traced from the bottom to the top of the headers.
First, here are the full e-mail headers from an example text e-mail to myself:

Return-Path: <example@EmailQuestions.com>
Delivered-To: example@emailquestions.com
Received: (qmail 19640 invoked from network); 11 Nov 2008 15:03:14 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on holdems
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=2.4 tests=RDNS_NONE autolearn=disabled
    version=3.2.5
Received: from unknown (HELO hrndva-omtalb.mail.rr.com) (71.74.56.124)
    by mail.discussny.com with SMTP; 11 Nov 2008 15:03:14 -0000
Received: from 007guard.com ([74.74.141.45]) by hrndva-omta01.mail.rr.com
    with ESMTP
    id <20081111150328.XBIS2091.hrndva-omta01.mail.rr.com@007guard.com>
    for <example@emailquestions.com>; Tue, 11 Nov 2008 15:03:28 +0000
Date: Tue, 11 Nov 2008 10:03:23 -0500
From: E-Mail Questions <example@EmailQuestions.com>
Message-ID: <975585836.20081111100323@EmailQuestions.com>
To: example@emailquestions.com
Subject: Full E-Mail Headers

Now let's break this down into manageable chunks that can be easily explained.
First, I sent this e-mail to and from a test account that I use for this site. Please keep in mind that even though this information is To: and From: myself, and that in this case it is true, it is possible for spammers to forge this information and use values that do not belong to themselves or you.

Date: Tue, 11 Nov 2008 10:03:23 -0500
From: E-Mail Questions <example@EmailQuestions.com>
Message-ID: <975585836.20081111100323@EmailQuestions.com>
To: example@emailquestions.com
Subject: Full E-Mail Headers

This section of the headers shows that I sent the e-mail out through my ISP Time Warner rr.com SMTP relay servers. The IP address of their SMTP relay that my e-mail passed through was 74.74.141.45. Again it is possible to add fake headers to an e-mail, but in this case they are true. A general rule of thumb is that you can only trust e-mail headers created by mail servers that you trust.

Received: from 007guard.com ([74.74.141.45]) by hrndva-omta01.mail.rr.com
    with ESMTP
    id <20081111150328.XBIS2091.hrndva-omta01.mail.rr.com@007guard.com>
    for <example@emailquestions.com>; Tue, 11 Nov 2008 15:03:28 +0000

The e-mail was then received from the Time Warner SMTP relay by my mail server. I trust the headers created by my mail server, and since it confirms the e-mail passed through 74.74.141.45 I tend to trust the previous headers too.

Received: from unknown (HELO hrndva-omtalb.mail.rr.com) (71.74.56.124)
    by mail.discussny.com with SMTP; 11 Nov 2008 15:03:14 -0000

My mail server did a check for spam using SpamAssassin.

Delivered-To: example@emailquestions.com
Received: (qmail 19640 invoked from network); 11 Nov 2008 15:03:14 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on holdems
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=2.4 tests=RDNS_NONE

It's also worth noting that RBL checks are not recorded, but that my server also did an RBL check as the e-mail was being received before passing it on to SpamAssassin to be checked.
A reply to the message will go To: example@EmailQuestions.com.

Return-Path: <example@EmailQuestions.com>

If you suspect a forgery please see our guide on How to check the DNS of an IP Address and Hostname.
If you have any questions about understanding the full headers of an e-mail message that you received please copy and paste them into a reply to this thread and we will be more than happy to examine them for you.
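
The rule of thumb above (only trust headers written by mail servers you trust) can be applied mechanically. The following Python script is an added example, not part of the original post: it parses the Received: lines from the example message and flags each network hop as verified or not. The trusted host names and relay IPs passed to `trace` are assumptions the reader supplies about their own mail path.

```python
import re
from email import message_from_string

# Received: headers copied from the guide's example (folded lines indented).
RAW = """\
Delivered-To: example@emailquestions.com
Received: (qmail 19640 invoked from network); 11 Nov 2008 15:03:14 -0000
Received: from unknown (HELO hrndva-omtalb.mail.rr.com) (71.74.56.124)
  by mail.discussny.com with SMTP; 11 Nov 2008 15:03:14 -0000
Received: from 007guard.com ([74.74.141.45]) by hrndva-omta01.mail.rr.com
  with ESMTP
  id <20081111150328.XBIS2091.hrndva-omta01.mail.rr.com@007guard.com>
  for <example@emailquestions.com>; Tue, 11 Nov 2008 15:03:28 +0000
Subject: Full E-Mail Headers

"""

def parse_hop(value):
    """Pull the from/by hosts and the connecting IP out of one Received: value."""
    text = " ".join(value.split())                      # undo header folding
    frm = re.match(r"from (\S+)", text)
    by = re.search(r"\bby (\S+)", text)
    ip = re.search(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", text)
    return {"from": frm and frm.group(1), "by": by and by.group(1).lower(),
            "ip": ip and ip.group(1)}

def trace(raw, trusted_hosts, trusted_ips=()):
    """Return network hops oldest-first, each flagged verified or not.

    Read newest-first: a header is verified only if a trusted (lowercase) host
    wrote it AND the verified header above it saw a connection from a trusted IP.
    """
    values = message_from_string(raw).get_all("Received", [])
    # Lines without a "by" host (the local qmail hand-off) are not network hops.
    hops = [h for h in map(parse_hop, values) if h["by"]]
    chain_ok = True                  # the newest header is written on delivery to us
    for hop in hops:
        chain_ok = chain_ok and hop["by"] in trusted_hosts
        hop["verified"] = chain_ok
        chain_ok = chain_ok and hop["ip"] in trusted_ips
    return hops[::-1]

def earliest_verified_ip(hops):
    """Oldest connecting IP that a trusted server itself recorded (None if none)."""
    return next((h["ip"] for h in hops if h["verified"]), None)

if __name__ == "__main__":
    for h in trace(RAW, {"mail.discussny.com"}):
        print("verified  " if h["verified"] else "unverified", h["from"], h["ip"], "->", h["by"])
```

Trusting only mail.discussny.com, the earliest address you can rely on is 71.74.56.124; everything below that header is text the sending side could have supplied.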