Analyzing Headers To Gain Insight on Any Email Message


Every email message contains a set of headers, name-value pairs that are very helpful when you need to learn more about the message's origins. Such analysis is often called email forensics. This page discusses how to interpret these headers to gain important information about:

  • The sender
  • The network where the message came from
  • The physical location of the sender
  • The type of email software used to compose the message
  • The message thread
  • Whether the message is forged, and so on.

On this page, we talk about these headers from two perspectives:

  1. Define the meaning of essential headers
  2. Ask a few important questions about an email and find their answers by analyzing these headers


How to View Email Headers

Headers are not visible when you view email messages. However, most email clients provide a way to view these headers. Here is a list of popular email clients with instructions on extracting headers.

Important Headers

The following text snippet shows the headers of a sample email. The important headers are the ones described in the table that follows.

Received: from [(192.168.10.50)] by jackfrost.synametrics.com with Xeams SMTP; Fri, 18 Aug 2023 14:04:47 -0400 (EDT)
Received: from [(40.92.40.72)] by mail.synametrics.com with Xeams SMTP; Fri, 18 Aug 2023 14:04:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=fz+ay/qaolIwc7f5tsJfL3f9VSLHVfseHxLiSQZcsks=;
 b=WZP6PLXxJ5VHTFaIpH9tt6ZYwgh6WQywkJUI0qMt2u4tPCqLOhUG4WQNcjIDzJ6o8Rl7hscsCBIXaw==
Received: from CY8PR10MB6443.namprd10.prod.outlook.com (2603:10b6:930:61::10)
 by DS7PR10MB4976.namprd10.prod.outlook.com (2603:10b6:5:3a5::11) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6699.20; Fri, 18 Aug
 2023 18:04:45 +0000
Received: from CY8PR10MB6443.namprd10.prod.outlook.com
 ([fe80::f020:e1e:284d:aa87]) by CY8PR10MB6443.namprd10.prod.outlook.com
 ([fe80::f020:e1e:284d:aa87%4]) with mapi id 15.20.6699.020; Fri, 18 Aug 2023
 18:04:45 +0000
Reply-To: <another.address@gmail.com>
From: John Doe <a.friend@hotmail.com>
To: Synametrics Support <support@synametrics.com>
Subject: Re: I need help moving Xeams to a different
 machine
Date: Fri, 18 Aug 2023 18:04:45 +0000
Message-ID: <CY8PR10MB6443746D954CBE8F02EA4F47D11BA@CY8PR10MB6443.namprd10.prod.outlook.com>
X-Mailer: Microsoft Outlook 16.0
In-Reply-To: <97829642.617.1692381819109@SyncriTix>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/related;
	boundary="_005_CY8PR10MB6443746D954CBE8F02EA4F47D11BACY8PR10MB6443namp_";
	type="multipart/alternative"
MIME-Version: 1.0

The following table describes these headers in detail. Each entry gives the header name, a description, and whether the value can be forged.
Received:

This is usually the most important header in terms of email forensics. Emails go through multiple SMTP servers before reaching their final destination, and each server adds a Received header. Although there is no standard format for this header, most servers add the following information:

  • IP address that sent the message
  • Their own hostname
  • Time when this message was received

Can this be forged? Yes, but it usually is not. Since these headers are added by intermediate SMTP servers, the sender has no control over them. The sender can only forge the Received headers that were added before the message reached the first SMTP server.

DKIM-Signature:

This header is used to detect email forgery and contains a cryptographic signature. The receiving SMTP server can use this signature to validate the sender. The receiving end typically puts the message in the Junk folder if this signature is invalid.

Can this be forged? No. Since it contains a digital signature, this header cannot be forged.

From:

This is supposed to contain the sender's name and email address, provided the message was composed by a real human. However, many emails are generated by back-end systems; in those cases, you may not see a real name. This value is not used for email delivery and can therefore be misleading. Refer to this page for more information.

Can this be forged? Yes. Spam messages will most likely forge this value.

Reply-To:

This is similar to the From header but instructs the email client to use this address when composing a reply. In many cases this header is absent because it would be identical to the From value.

Can this be forged? Yes, but it usually is not, since there is no benefit.

To:

In most cases this value is the recipient's address. This header is not used for actual message delivery and therefore does not have to be real or valid. In cases where the recipient's address was put in BCC, you would see a different address than the recipient's. Refer to this page for more information.

Can this be forged? Yes. Since this value is not used for actual delivery, it is often forged in spam messages.

Subject:

Contains the subject of the email. Since email headers may only contain US-ASCII characters, this header is often encoded using base64 or Q-encoding of UTF-8 data, which is usually the case when emails are sent in a language other than English.

Can this be forged? No, because there is nothing to gain by forging it.

Date:

Contains the date this message was composed. If the system clock on the sender's machine has an incorrect time, you will see an incorrect value in this field.

Can this be forged? Yes.

In-Reply-To:

This header is often used by email clients to display related messages together. It plays no role in email delivery.

Can this be forged? No, because there is nothing to gain by forging it.

X-* (custom headers):

Headers that start with X- are custom headers added by SMTP servers for various reasons. Most SMTP servers relay these headers as-is to the next server. For example, Xeams adds the score of the message in a header such as X-SMScore: -100, allowing downstream servers to steer messages into appropriate folders.

Can this be forged? Yes, but there is nothing to gain by forging them.

Important Questions

Now, let's talk about some important questions that users typically ask and how to answer them by analyzing these headers.

Question: Could you tell me the country where this email originated from?

This question can be answered by analyzing the Received headers. Since there are multiple Received headers, the first step is to identify the one that was added by your spam filter or email server. In the snippet above, this is the second line, which shows 40.92.40.72 as the IP address. A simple WHOIS lookup on this IP reveals that it belongs to Microsoft. This means your server received this message from Microsoft.

Some SMTP servers also add an X-Originating-IP header, revealing the IP address where the message was composed. A WHOIS lookup on that IP could potentially reveal the sender's actual location.

Question: Why do I get my emails after ten minutes?

Since emails go through several SMTP servers, any of them could cause a delay. The first step in troubleshooting such problems is to identify the server that took the longest. This is done by comparing the time difference between consecutive Received lines. Refer to this page, which discusses this in detail.

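As an added example (not part of the original page and not Xeams code), the following Python script parses a Received chain the way the two questions above describe: it lists the hops in chronological order, extracts the IP address from each "from" clause, computes the delay at every hand-off, and picks out the IP that delivered the message to the first server in your own domain, which is the address to look up with WHOIS. The sample message is constructed: the top three Received headers are copied from the snippet on this page and the bottom one is invented here to produce a ten-minute delay; synametrics.com is assumed to be the local domain.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6 = re.compile(r"\b[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}\b")

# Constructed sample: the top three Received headers are copied from the
# snippet on this page; the bottom one is invented here so the chain shows
# one slow hand-off (ten minutes between mx.example.net and Outlook).
SAMPLE = """\
Received: from [(192.168.10.50)] by jackfrost.synametrics.com with Xeams SMTP; Fri, 18 Aug 2023 14:04:47 -0400 (EDT)
Received: from [(40.92.40.72)] by mail.synametrics.com with Xeams SMTP; Fri, 18 Aug 2023 14:04:47 -0400 (EDT)
Received: from CY8PR10MB6443.namprd10.prod.outlook.com (2603:10b6:930:61::10)
 by DS7PR10MB4976.namprd10.prod.outlook.com (2603:10b6:5:3a5::11) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6699.20; Fri, 18 Aug
 2023 18:04:45 +0000
Received: from client.example.net ([203.0.113.7]) by mx.example.net with ESMTP; Fri, 18 Aug 2023 17:54:45 +0000
From: John Doe <a.friend@hotmail.com>
To: Synametrics Support <support@synametrics.com>
Subject: Re: I need help moving Xeams to a different machine
Date: Fri, 18 Aug 2023 18:04:45 +0000

(body omitted)
"""


@dataclass
class Hop:
    from_host: str            # name the connecting side gave (or its IP)
    from_ip: Optional[str]    # IP address recorded in the "from" clause
    by_host: str              # server that added this Received header
    received_at: datetime     # timestamp that server stamped


def parse_received(value: str) -> Hop:
    """Split one Received header into its from / by / timestamp parts."""
    value = " ".join(value.split())                 # unfold continuation lines
    clauses, _, date_part = value.rpartition(";")   # timestamp follows the last ';'
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", clauses)
    if not m:
        raise ValueError(f"unrecognised Received header: {value!r}")
    from_clause, by_host = m.group(1), m.group(2)
    ip = IPV4.search(from_clause) or IPV6.search(from_clause)
    return Hop(
        from_host=from_clause.split()[0].strip("[]()"),
        from_ip=ip.group(0) if ip else None,
        by_host=by_host,
        received_at=parsedate_to_datetime(date_part.strip()),
    )


def trace_hops(raw_message: str) -> list:
    """Received chain in chronological order (first hop first).

    Every server prepends its own Received header, so the topmost header is
    the last hop; reversing the header order gives the route the message took.
    """
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def hop_delays(hops: list) -> list:
    """(server, seconds between the previous hop's stamp and this server's stamp)."""
    return [
        (later.by_host, int((later.received_at - earlier.received_at).total_seconds()))
        for earlier, later in zip(hops, hops[1:])
    ]


def handoff_ip(hops: list, my_domain: str) -> Optional[str]:
    """IP that delivered the message to the first server inside my_domain.

    That Received header is the one the text above says to examine: it was
    written by your own server, and everything below it came from outside.
    """
    d = my_domain.lower()
    for hop in hops:
        host = hop.by_host.lower()
        if host == d or host.endswith("." + d):
            return hop.from_ip
    return None


def run_demo() -> dict:
    hops = trace_hops(SAMPLE)
    return {
        "route": [h.by_host for h in hops],
        "delays": hop_delays(hops),
        "handoff_ip": handoff_ip(hops, "synametrics.com"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The delay list attributes each gap to the server that stamped the later timestamp, so the 600-second entry on the Outlook host means that server received the message ten minutes after the previous hop stamped it. Clock skew between servers shows up as small negative or inflated values, which is why the page's own sample hops differ by only zero to two seconds.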
Question: I get junk messages from my own email. Why?

The sender's email address is specified in two locations:

  • SMTP envelope
  • Email header

Refer to this page for further explanation. The sender's email address can be forged in both locations. However, when technologies like SPF, DKIM and DMARC are in use, most forgeries are caught by your spam filter.

Consider the following example, where SPF, DKIM and DMARC will not be able to detect the forgery.

  • The MAIL FROM: value in the envelope is set to john.doe@NotYourDomain.com. Since the sender's domain does not match your domain, SPF plays no role in detecting this junk.
  • The From header is set to "Your Name <your.name@NotYourDomain.com>". Notice that instead of John Doe, the sender puts your name in the From header.

Most email clients display only the sender's full name and not the email address, giving the user the impression that they received a message from themselves. Spam filters like Xeams can efficiently detect such tricks and remove the user's name so the recipient can make a better decision before trusting the message.

Question: I received an email with a future date. Why?

Email clients use the Date header to determine when an email was composed. Since this header can be easily forged, spammers often put incorrect dates in their messages in an attempt to make them appear above other messages.

A spam filter like Xeams can detect such tricks and block them from reaching the user's Inbox.

Question: I received an email from a gmail.com address but when I reply, it goes to a different recipient. Why?

Many spammers misuse free public services like gmail.com, hotmail.com and others. Emails generated from these services often follow best practices such as SPF, DKIM and DMARC, and their IP addresses are also not blocked. The accounts spammers create are often very short-lived because they get deactivated as soon as Google detects their real purpose.

By using a different value in the Reply-To header, spammers ensure replies do not go to a deactivated account.

A spam filter like Xeams can detect such tricks and block them from reaching the user's Inbox.
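As an added example (not code from this page or from Xeams), the following Python checks a message for the three tricks discussed in the last three questions: a local user's display name on a foreign address, a Date ahead of the time of receipt, and a Reply-To that diverts replies to a different domain than From. It also decodes an RFC 2047 encoded Subject of the kind described in the header table. The PROTECTED_USERS directory, both sample messages and the receipt time used in run_demo are constructed for this example; a real filter would take the user directory from its own user store.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

# Hypothetical local user directory (address -> display name); a real filter
# would take this from its user store.
PROTECTED_USERS = {"jane.smith@yourdomain.example": "Jane Smith"}

# Constructed sample showing the three tricks: the recipient's own name on a
# foreign address, a Reply-To at a third domain, and a Date a day ahead.
SUSPICIOUS = """\
From: Jane Smith <jane.smith@NotYourDomain.com>
Reply-To: <another.address@gmail.com>
To: Jane Smith <jane.smith@yourdomain.example>
Subject: =?UTF-8?Q?Re:_Caf=C3=A9_invoice?=
Date: Sat, 19 Aug 2023 09:00:00 +0000

(body omitted)
"""

# Constructed control message reusing the From, To and Date values from the
# snippet on this page; nothing should be flagged.
BENIGN = """\
From: John Doe <a.friend@hotmail.com>
To: Synametrics Support <support@synametrics.com>
Subject: Re: I need help moving Xeams to a different machine
Date: Fri, 18 Aug 2023 18:04:45 +0000

(body omitted)
"""


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def decode_subject(raw_message: str) -> str:
    """Turn an RFC 2047 encoded Subject (=?UTF-8?B?..?= or =?UTF-8?Q?..?=) into text."""
    msg = message_from_string(raw_message)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def check_headers(raw_message: str, protected_users: dict, now: datetime,
                  slack: timedelta = timedelta(minutes=5)) -> list:
    """Return (code, detail) findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Display-name impersonation: a local user's name on an address that
    #    is not that user's. SPF/DKIM/DMARC pass because the domain is real.
    for addr, name in protected_users.items():
        if from_name.strip().lower() == name.lower() and from_addr.lower() != addr.lower():
            findings.append(("display-name-spoof",
                             f"From shows '{from_name}' but the address is {from_addr}"))

    # 2. Date ahead of the time of receipt (beyond clock-skew slack): pushes
    #    the message to the top of a date-sorted Inbox.
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:            # "-0000" yields a naive datetime; treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if sent - now > slack:
            findings.append(("future-date", f"Date {msg['Date']} is ahead of receipt time"))

    # 3. Reply-To that diverts replies to a different domain than From.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {from_addr}"))
    return findings


def run_demo() -> dict:
    now = datetime(2023, 8, 18, 18, 10, tzinfo=timezone.utc)   # constructed receipt time
    return {
        "suspicious": [code for code, _ in check_headers(SUSPICIOUS, PROTECTED_USERS, now)],
        "benign": check_headers(BENIGN, PROTECTED_USERS, now),
        "subject": decode_subject(SUSPICIOUS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The display-name check compares only the human-readable part of From against the local directory, which is exactly the part most clients show; a filter acting on the finding can strip that name, as the page describes, rather than rejecting the message outright. The future-date check allows a few minutes of slack so ordinary clock drift is not reported.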