Email headers contain valuable information about the journey an email has taken. By reading headers you can trace problems, identify spam, and understand why emails don't arrive. In this article, we explain how to read and interpret headers.

What are email headers?

Email headers are metadata attached to every email message. They contain information about:

• Sender and recipient
• Route the email has traveled
• Timestamps from each server
• Authentication results (SPF, DKIM, DMARC)
• Spam scores and filtering

Why view headers?

• Troubleshooting - Why isn't my email arriving?
• Spam analysis - Is this email legitimate?
• Trace delays - Where is the delay?
• Detect spoofing - Does this email really come from who it says?

Viewing headers

Gmail

1. Open the email
2. Click the three dots in the top right
3. Choose "Show original
4. You now see the full headers

Outlook (Web)

1. Open the email
2. Click the three dots
3. Choose "View message details

Outlook (Desktop)

1. Open the email in a separate window
2. Go to File > Properties
3. View the "Internet headers" section

Apple Mail

1. Open the email
2. Go to View > Message > All Headers
3. Or press Cmd+Shift+H

Thunderbird

1. Open the email
2. Go to View > Headers > All
3. Or press Ctrl+U for source view

Important header fields

From, To, Subject

From: john@example.com
To: mary@company.com
Subject: Meeting tomorrow

Note: The "From" field can be forged. Look at authentication headers for verification.

Received headers

The "Received" headers show the route of the email. They are read from bottom to top (oldest at bottom, newest at top).

Received: from mail.company.com (192.168.1.1)
    by mx.receiver.com (10.0.0.1)
    with ESMTPS id abc123
    for <mary@company.com>;
    Mon, 13 Jan 2025 10:30:00 +0100

Interpretation:

• from mail.company.com - Sending server
• by mx.receiver.com - Receiving server
• with ESMTPS - Secure connection (TLS)
• Timestamp shows when this hop occurred

Authentication-Results

This is one of the most important headers for troubleshooting:

Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of john@example.com designates 192.168.1.1 as permitted sender);
    dkim=pass header.d=example.com;
    dmarc=pass (p=QUARANTINE) header.from=example.com

Interpretation:

• spf=pass - SPF check passed ✓
• dkim=pass - DKIM signature valid ✓
• dmarc=pass - DMARC policy followed ✓

Possible values:

X-Spam headers

Spam filters often add their own headers:

X-Spam-Status: No, score=-1.2
X-Spam-Score: -1.2
X-Spam-Flag: NO

Interpretation:

• Negative score = less likely to be spam
• Score above threshold (often 5.0) = spam

Message-ID

Message-ID: <abc123@mail.example.com>

A unique identifier for this specific message. Useful for tracking and reference.

Troubleshooting with headers

Email not arriving

1. Check Authentication-Results

   • SPF failed? Check your SPF record
   • DKIM failed? Check your DKIM configuration

2. Check X-Spam headers

   • High spam score? Your email is being filtered

3. Check the route

   • Are there unexpected servers in the chain?

Email is delayed

1. Analyze Received headers
2. Calculate time between each hop
3. Identify where the delay is

Detecting phishing/spoofing

1. Compare "From" with "Return-Path

   From: support@bank.com
   Return-Path: <hacker@malicious.ru>
   

   ⚠️ This is suspicious!

2. Check Authentication-Results

   • SPF fail + DKIM fail = probably spoofing

Header analysis tools

MXToolbox Header Analyzer

1. Go to mxtoolbox.com/EmailHeaders.aspx
2. Paste the full headers
3. Get a structured analysis

Google Admin Toolbox

1. Go to toolbox.googleapps.com/apps/messageheader
2. Paste headers
3. See a timeline of the email route

Need help?

We're here for you! Running into issues or have questions? Our support team is happy to help you personally. Drop us a message through the ticket system - we usually respond within a few hours and love helping you find the best solution.