Email headers contain valuable information about the journey an email has taken. By reading headers, you can troubleshoot issues, identify spam, and understand why emails are not arriving. In this article, we explain how to read and interpret headers.

What are email headers?

Email headers are metadata added to each email message. They contain information about:

  • Sender and recipient
  • Route the email has taken
  • Timestamps from each server
  • Authentication results (SPF, DKIM, DMARC)
  • Spam scores and filtering

Why view headers?

  • Troubleshooting - Why is my email not arriving?
  • Spam analysis - Is this email legitimate?
  • Detecting delays - Where is the delay?
  • Detecting spoofing - Is this email really from who it says?

Viewing headers

Gmail

  1. Open the email
  2. Click on the three dots in the top right
  3. Select "Show original"
  4. You will now see the full headers

Outlook (Web)

  1. Open the email
  2. Click on the three dots
  3. Select "View message details"

Outlook (Desktop)

  1. Open the email in a separate window
  2. Go to File > Properties
  3. View the "Internet headers" section

Apple Mail

  1. Open the email
  2. Go to View > Message > All Headers
  3. Or press Cmd+Shift+H

Thunderbird

  1. Open the email
  2. Go to View > Headers > All
  3. Or press Ctrl+U for source view

Important header fields

From, To, Subject

From: jan@voorbeeld.nl
To: marie@bedrijf.nl
Subject: Meeting tomorrow

Note: The "From" field may be spoofed. Look at authentication headers for verification.

Received headers

The "Received" headers show the route of the email. They are read from bottom to top (oldest at the bottom, newest at the top).

Received: from mail.bedrijf.nl (192.168.1.1)
    by mx.ontvanger.nl (10.0.0.1)
    with ESMTPS id abc123
    for <marie@bedrijf.nl>;
    Mon, 13 Jan 2025 10:30:00 +0100

Interpretation:

  • from mail.bedrijf.nl - Sending server
  • by mx.ontvanger.nl - Receiving server
  • with ESMTPS - Secure connection (TLS)
  • The timestamp shows when this hop occurred

Authentication-Results

This is one of the most important headers for troubleshooting:

Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of jan@voorbeeld.nl designates 192.168.1.1 as permitted sender);
    dkim=pass header.d=voorbeeld.nl;
    dmarc=pass (p=QUARANTINE) header.from=voorbeeld.nl

Interpretation:

  • spf=pass - SPF check passed ✓
  • dkim=pass - DKIM signature valid ✓
  • dmarc=pass - DMARC policy followed ✓

Possible values:

| Status | Meaning |
|---|---|
| pass | Check passed |
| fail | Check failed - possible spoofing |
| softfail | Partially failed - suspicious |
| neutral | No policy found |
| none | No record present |

X-Spam headers

Spam filters often add their own headers:

X-Spam-Status: No, score=-1.2
X-Spam-Score: -1.2
X-Spam-Flag: NO

Interpretation:

  • Negative score = less chance of spam
  • Score above threshold (often 5.0) = spam

Message-ID

Message-ID: <abc123@mail.voorbeeld.nl>

A unique identifier for this specific message. Useful for tracking and reference.

Date

Date: Mon, 13 Jan 2025 10:25:00 +0100

When the email was sent according to the sending client.

Detecting problems with headers

Email not arriving

  1. Check Authentication-Results
    • Did SPF fail? Check your SPF record
    • Did DKIM fail? Check your DKIM configuration
  2. Check X-Spam headers
    • High spam score? Your email is being filtered
  3. Check the route
    • Are there unexpected servers in the chain?

Email is delayed

  1. Analyze Received headers
  2. Calculate time between each hop
  3. Identify where the delay is

Example analysis:

Received: ... Mon, 13 Jan 2025 10:35:00 +0100  ← Receipt
Received: ... Mon, 13 Jan 2025 10:30:00 +0100  ← 5 min earlier
Received: ... Mon, 13 Jan 2025 10:25:00 +0100  ← Sent

Total time: 10 minutes, delay in the first hop.
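
The hop-by-hop calculation above can be automated. The following Python sketch is an added example, not part of the original article: it reads the Received headers from bottom to top and reports the delay each hop added. The sample message is constructed, and relay.example.net is a placeholder host.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from a real mailbox); note the mixed UTC offsets.
SAMPLE = """\
Received: from relay.example.net by mx.ontvanger.nl with ESMTPS id c3;
    Mon, 13 Jan 2025 10:35:00 +0100
Received: from mail.voorbeeld.nl by relay.example.net with ESMTPS id b2;
    Mon, 13 Jan 2025 09:25:20 +0000
Received: from laptop.voorbeeld.nl by mail.voorbeeld.nl with ESMTPSA id a1;
    Mon, 13 Jan 2025 10:25:00 +0100
From: jan@voorbeeld.nl
To: marie@bedrijf.nl
Subject: Meeting tomorrow

Body
"""

def hop_delays(raw_message):
    """Return [(receiving_server, seconds_since_previous_hop)], oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its Received header, so reverse for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        # The timestamp is the part after the last ';' in the header.
        info, _, stamp = value.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # skip hops without a parseable date
        if when.tzinfo is None:  # a "-0000" zone yields a naive datetime; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        words = info.split()
        by = words[words.index("by") + 1] if "by" in words[:-1] else "?"
        hops.append((by, when))
    delays = []
    for i, (by, when) in enumerate(hops):
        # Aware datetimes subtract correctly even when the offsets differ.
        delta = (when - hops[i - 1][1]).total_seconds() if i else 0.0
        delays.append((by, delta))
    return delays

def slowest_hop(raw_message):
    """Return the (server, seconds) pair that added the most delay."""
    return max(hop_delays(raw_message), key=lambda d: d[1])
```

Timestamps come from each server's own clock, so small or even negative differences usually indicate clock drift rather than a real delay.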

Detecting phishing/spoofing

  1. Compare "From" with "Return-Path"
    From: support@bank.nl
    Return-Path: <hacker@kwaadaardig.ru>
    
    ⚠️ This is suspicious!
  2. Check Authentication-Results
    • SPF fail + DKIM fail = likely spoofing
  3. Check Received headers
    • Is the email coming from an unexpected server?
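
The first two checks above can be scripted for triage. This Python sketch is an added example, not part of the original article: it compares the From and Return-Path domains and reads the Authentication-Results header, but only the copy stamped by your own receiving server, because a sender can insert a forged one. The sample message is constructed, and the trusted_authserv parameter (your receiver's identifier, in lower case) is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample based on the article's example; not a real message.
SAMPLE = """\
Return-Path: <hacker@kwaadaardig.ru>
Authentication-Results: mx.ontvanger.nl;
    spf=softfail smtp.mailfrom=kwaadaardig.ru;
    dkim=fail header.d=bank.nl;
    dmarc=fail header.from=bank.nl
From: "Bank Support" <support@bank.nl>
To: marie@bedrijf.nl
Subject: Verify your account

Body
"""

def domain_of(header_value):
    """Extract the lower-cased domain from an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_authserv):
    """Collect method=result pairs, only from headers stamped by our own server."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # Anyone can insert this header; ignore copies not added by our receiver.
        if (authserv.split() or [""])[0].lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result.lower())
    return results

def triage(raw_message, trusted_authserv):
    """Return a list of findings for the From/Return-Path and authentication checks."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    auth = auth_results(msg, trusted_authserv)
    if not auth:
        findings.append("no Authentication-Results from trusted server")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "pass") != "pass":
            findings.append(f"{method}={auth[method]}")
    return findings
```

A Return-Path on a different domain also occurs with legitimate bulk-mail services, so weigh that finding together with the authentication results.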

Header analysis tools

MXToolbox Header Analyzer

  1. Go to mxtoolbox.com/EmailHeaders.aspx
  2. Paste the full headers
  3. Get a structured analysis

Google Admin Toolbox

  1. Go to toolbox.googleapps.com/apps/messageheader
  2. Paste headers
  3. See a timeline of the email route

Mail Header Analyzer (whatismyipaddress.com)

  1. Go to whatismyipaddress.com/email-header
  2. Analyze headers visually

Common header issues

"SPF: softfail"

Problem: The sending server is not listed in your SPF record.

Solution: Add the server to your SPF record or use an authorized server.

"DKIM: fail"

Problem: The DKIM signature is invalid.

Causes:

  • Email has been altered in transit
  • DKIM is misconfigured
  • DNS record is missing

No Authentication-Results

Problem: The receiving server does not perform authentication checks.

This is normal for some older or smaller mail servers.
