How to read and analyze email headers

Email headers are lines of code that provide information about an email message, such as the sender, recipient, subject, and date of the message. Headers are used to route emails from the sender to the recipient and can contain a variety of information about the email's journey.

Headers are typically hidden from the user by default but can be accessed by viewing the raw source code of the email.

This article describes how to read message headers for Thexyz Email. See Displaying and Hiding the Full Header for detailed information on viewing email headers.

  1. Log in to your mailbox at webmail.thexyz.com

  2. Select the message for which you want to view the headers.

  3. In the message preview pane toolbar, click More, and then select View Full Header.

    image

    Looking at an Email Header

    The email header will show some important characteristics, including perhaps the most important part of an email - this is the KEY:VALUE pairs contained in the header. Looking at the below image, you can tell some of the KEY:VALUE pairs used.

    Email Header

Now you have successfully viewed the message headers in Thexyz Email, you can analyze them by referencing the below.

Understanding email headers

The following header is an example of a spoofed message. If you suspect that you have received a spoofing email, see What is email spoofing? for more information.

Delivered-To:	boss@exampledomain.com<br>
Return-Path:	<spoofer@exampledomain.com><br>
Delivered-To:	boss@exampledomain.com<br>
Received:	from sapps.net ([000.00.00.0]) by sapps.net (Dovecot) with LMTP id asdkasdfiwlefj for <boss@exampledomain.com>; Tue, 11 Oct 2020 13:32:15 -0400
Received:	from proxy.net ([000.00.00.0]) by sapps.net; Tue, 11 Oct 2020 13:32:15 -0400
Received:	from smtp (000.00.00.0)  by apps.net; Tue, 11 Oct 2020 13:32:15 -0400
Return-Path:	<spoofer@exampledomain.com>
X-Originating-Ip:	[00.000.000.00]
Received:	from [000.00.00.0] ([000.00.00.0] server.com) by apps.net; Tue, 11 Oct 2020 14:52:40 -0400
Received:	from server.com (localhost [000.00.00.0]) by server.com for <boss@exampledomain.com>; Tue, 11 Oct 2020 14:52:40 -0400 (EDT)
Received:	from apps.net (sapps.net [000.00.00.0]) by server.com (SMTP Server)  for <boss@exampledomain.com>; Tue, 11 Oct 2020 14:52:40 -0400 (EDT)
X-Sender-Id:	spoofer@exampledomain.com
Received:	from  (apps.net [000.00.00.0]) by 0.0.0.0:00; Tue, 11 Oct 2020 14:52:40 -0400
Received:	from exampledomain.com (localhost.localdomain [000.00.00.0]) by apps.net (Postfix) with for <boss@exampledomain.com>; Tue, 11 Oct 2020 14:52:40 -0400 (EDT)
Received:	by webmail.thexyz.com (Authenticated sender: spoofer@exampledomain.com, from: assistant@exampledomain.com) with HTTP; Tue, 11 Oct 2020 14:52:40 -0400 (EDT)
Date:	Tue, 11 Oct 2020 14:52:40 -0400 (EDT)
Subject:	Send $$$
From:	"Assistant" <assistant@exampledomain.com>
To:	boss@exampledomain.com
Reply-To:	spoofer@scam.com
Message-ID:	<12345867.91012345@webmail.thexyz.com>
  • From: Displays the message sender. Spammers can easily fake sender addresses. See What is email spoofing? for guidance on detecting phishing emails.
  • Subject: The topic of the message as indicated by the sender.
  • Date: The date and time when the email message was composed.
  • To: Displays the addresses listed in the To: and CC: fields. Headers do not show any addresses that were included in the BCC: field, as these addresses were intended to remain private.
  • Received: Displays a sequential list of computer and servers that received this message, the time they received this message, and the final destination of the message. Received appear many times in a message header and should be read from bottom to top, as the first recipient is at the bottom of the header.
  • Reply-To: Determines which email address is auto-populated when you click the reply button to reply to an email in your email client. Spammers can easily fake reply-to addresses. See What is email spoofing? for guidance on detecting fraud email.
  • Return-Path: Like the Reply-To: address, this is where return mail is sent. Spammers can easily fake a return path. See What is email spoofing? for guidance on detecting fraud email.
  • Message-ID A unique identifier assigned to a message. The Message-ID is useful for diagnosing a duplicate email issue. If you compare the Message-ID for multiple emails, and the IDs match, you know those messages are duplicates.
  • X-Originating-Ip: The IP address of the computer that sent the message. While this is slightly more difficult to fake, it is still possible. The originating IP address is typically the most reliable information about where the message actually came from. See What is email spoofing? for guidance on detecting fraudulent emails.
  • 46 Users Found This Useful
Was this answer helpful?

Related Articles

Attachments received renamed to "winmail.dat"

This issue may occur if all of the following conditions are true: The email message is sent to...

I'm having issues composing messages in Webmail

If you're having issues composing mail in Webmail, there are a few things you can try: Make...

My contacts aren't syncing with my phone

If Mobile Sync is not active, that means it is not possible to synchronize your Contacts between...

I am getting a password prompt in Outlook

Here are some troubleshooting tips to follow if you are still having trouble accessing your...

My signature does not appear when composing a new message

If you're having trouble with your existing signature, create a new signature by following the...