This guide is provided to learn how to read and understand an email header. To understand an email header, we need to analyze the life of the email. Most of the time, it appears that email is passed directly from the sender directly to the recipient. This isn't necessarily true: A typical email passes through at least four computers.
To begin you will need to find your full email header. You can find instructions at: How to View Email Headers.
In this example, the "Sender" email@example.com wants to send an email to the "Receiver" firstname.lastname@example.org. The sender composes the email at gmail.com, and email@example.com receives it in the email client Apple Mail.
Here is the example header:
From: Media Temple user (firstname.lastname@example.org)
Subject: article: How to Trace a Email
Date: January 25, 2011 3:30:58 PM PDT
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([188.8.131.52]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <email@example.com>) id 1KDoNH-0000f0-RL for firstname.lastname@example.org; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <email@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=+JqkmVt+sHDFIGX5jKp3oP18LQf10VQjAmZAKl1lspY=; b=F87jySDZnMayyitVxLdHcQNL073DytKRyrRh84GNsI24IRNakn0oOfrC2luliNvdea LGTk3adIrzt+N96GyMseWz8T9xE6O/sAI16db48q4Iqkd7uOiDvFsvS3CUQlNhybNw8m CH/o8eELTN0zbSbn5Trp0dkRYXhMX8FTAwrH0=
Domainkey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=wkbBj0M8NCUlboI6idKooejg0sL2ms7fDPe1tHUkR9Ht0qr5lAJX4q9PMVJeyjWalH 36n4qGLtC2euBJY070bVra8IBB9FeDEW9C35BC1vuPT5XyucCm0hulbE86+uiUTXCkaB 6ykquzQGCer7xPAcMJqVfXDkHo3H61HM9oCQM=
Content-Type: multipart/alternative; boundary="----=_Part_3927_12044027.1214951458678"
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
Message Body: This is a KnowledgeBase article that provides information on how to find email headers and use the data to trace a email.
Understanding the email header
It is important to know that when reading an email header every line can be forged, so only the Received:lines that are created by your service or computer should be completely trusted.
- This displays who the message is from, however, this can be easily forged and can be the least reliable.
- This is what the sender placed as a topic of the email content.
- This shows the date and time the email message was composed.
- This shows to whom the message was addressed, but may not contain the recipient's address.
- The email address for return mail. This is the same as "Reply-To:".
- This header shows that this email was delivered to the mailbox of a subscriber whose email address is firstname.lastname@example.org.
- This shows the date and time at which the email was received by your (mt) service or email client.
- The received is the most important part of the email header and is usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you.
The received lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server. The last "Received:" line is where the mail originated. Each mail system has their own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.
Dkim-Signature & Domainkey-Signature
- A unique string assigned by the mail system when the message is first created. These can easily be forged.
- Generally, this will tell you the format of the message, such as html or plaintext.
- Displays a spam score created by your service or mail client.
- Displays a spam score usually created by your service or mail client.
- This is the actual content of the email itself, written by the sender.
Finding the Original Sender
The easiest way for finding the original sender is by looking for the X-Originating-IP header. This header is important since it tells you the IP address of the computer that had sent the email. If you cannot find the X-Originating-IP header, then you will have to sift through the Received headers to find the sender's IP address. In the example above, the originating IP Address is 10.140.188.3.
Once the email sender's IP address is found, you can search for it at http://www.arin.net/. You should now be given results letting you know to which ISP (Internet Service Provider) or webhost the IP address belongs. Now, if you are tracking a spam email, you can send a complaint to the owner of the originating IP address. Be sure to include all the headers of the email when filing a complaint.