- What are email headers?
- How to find the email headers?
- Which are the most important headers of an email?
- Reading and understanding the email headers
- In Conclusion
What are email headers?
Email headers contain valuable information about the path of the message from its initial sender to the final recipient. This includes IP addresses, server names, authentication data, originating entity to mention a few. This part of the email is usually hidden and can be analyzed by viewing the source code of the message. The email headers, however, could be modified by every server along the route and could be altered even upon sending due to a flaw in the global email system itself.
For example, in the so-called spoofing attacks, the sender forges certain email headers in an attempt to trick the recipients of the message that the spoofed message originates from a legitimate source - their bank, a service provider, a popular website, etc. In such attacks, scammers take advantage of the flaws of the global email system to create a false sense of trust and deceive their victims so steal sensitive data, e.g. credit card information, website login credentials, mail passwords, etc.
How to find the email headers?
Most email clients (desktop programs and web-based solutions) have the option to display the full headers of an email.
We have published instructions for viewing the full email headers in some of the most popular email clients, such as Outlook, Thunderbird, Mail for Mac, Windows Mail, Gmail, Hotmail.com/Outlook.com/Live.com, Yahoo Mail, etc. at the ICDSoft Knowledge Base:
Viewing e-mail message headers
Which are the most important headers of an email?
Reading email headers is usually done for two reasons - checking if the email is legitimate or finding its real sender. By analyzing the email headers, you can also find when the message was sent, and how long it took for it to be delivered. You can also find if you received it directly or as a forwarded message. Some of the most important headers are:
- From: name and email address of the sender
- To: name and email address of the recipient
- Date: time and date when the message was sent, including the timezone of the sending system
- Subject: shows the topic of the message
- Return-Path: the email address to which a message can be returned in case it is not successfully delivered, e.g. in case of a server error, insufficient space, non-existent mailbox, etc.
- Reply-To: the email address to which a recipient will respond if they decide to reply back to a message
- Received: lists all mail servers through which a message has gone prior to arriving at its final destination; a message usually has more than one Received headers, and the first one shows the original sending server.
- Delivered-To: shows the email address to which a received email was delivered; one message could have multiple Delivered-To headers due to email forwarding
- DKIM-Signature: this is the text value of the DKIM record added to the message to allow validation
- Received-SPF: an advisory header showing whether the IP address through which the message was sent is designated as a permitted sender
- Authentication-Results: shows whether SPF, DKIM, and DMARC checks pass or not
- Message-ID: a unique combination of letters and numbers that identifies each message; this globally-unique identifier can be used to distinguish one message from other emails
- User-Agent or X-Mailer: shows the name of the email program used for sending the message
- MIME-Version: Multipurpose Internet Mail Extensions (MIME) is an internet standard of encoding, which converts non-text content (images, videos, and other attachments) into text, so they can be attached to an email and sent via SMTP
- X-Originating-IP: shows the IP address of the original sender; this header is not always present, so you may have to look for the first Received header instead.
Reading and understanding the email headers
Let's dissect a few emails and their email headers.
Received: from CPWPR80MB6141.lamprd80.prod.outlook.com (2603:10d6:103:10f::10)
by SCZPR80MB6981.lamprd80.prod.outlook.com with HTTPS; Mon, 10 Apr 2023
20:38:29 +0000
Received: from DS7PR03CA0238.namprd03.prod.outlook.com (2603:10b6:5:3ba::33)
by CPWPR80MB6141.lamprd80.prod.outlook.com (2603:10d6:103:10f::10) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6277.34; Mon, 10 Apr
2023 20:38:27 +0000
Received: from DM6NAM10FT094.eop-nam10.prod.protection.outlook.com
(2603:10b6:5:3ba:cafe::26) by DS7PR03CA0238.outlook.office365.com
(2603:10b6:5:3ba::33) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6277.36 via Frontend
Transport; Mon, 10 Apr 2023 20:38:26 +0000
Authentication-Results: spf=pass (sender IP is 192.252.146.28)
smtp.mailfrom=icdtest.net; dkim=pass (signature was verified)
header.d=icdtest.net;dmarc=bestguesspass action=none
header.from=icdtest.net;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of icdtest.net designates
192.252.146.28 as permitted sender) receiver=protection.outlook.com;
client-ip=192.252.146.28; helo=s466.sureserver.com; pr=C
Received: from s466.sureserver.com (192.252.146.28) by
DM6NAM10FT094.mail.protection.outlook.com (10.13.153.58) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6298.26 via Frontend Transport; Mon, 10 Apr 2023 20:38:26 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:297C7E56DB8DA6E6AC3DB36FDFECEAF23A80446DD23588094814949752EC5A1E;UpperCasedChecksum:FF301AF182321DCE2B20470C944DE12327C269E3E917E3EA6E2B9F88FB3CE6BB;SizeAsReceived:1059;Count:13
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=icdtest.net; h=
message-id:date:mime-version:to:from:subject:content-type
:content-transfer-encoding; s=dkim; bh=fdkeB/A0FkbVP2k4J4pNPoeWH
6vqBm9+b0C3OY87Cw8=; b=ibNFtfV9TDB2T9WLkpQgr7Cz+nnjLhALlKhp9t1U2
q/6KbP8Gyr0C1KjngkzdfsFAGtSRlgX9iMeMaqYbyIUbMdePSr0t8cp/DqCkVKOH
fDTUgqxjt4xU/M8d41n3z1fMZna8PXTeDmtyKPobwdNEqUuCWBvh+KTsdwZ5EPMA
Ws=
Received: (qmail 54628 invoked by uid 1003); 10 Apr 2023 20:38:25 -0000
Received: from unknown (HELO ?213.145.98.191?) ([email protected]@213.145.98.191)
by s466.sureserver.com with ESMTPA; 10 Apr 2023 20:38:25 -0000
Message-ID: <[email protected]>
Date: Mon, 10 Apr 2023 23:38:22 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.6.1
Content-Language: bg, en-US
To: [email protected]
From: John Smith ICDSoft <[email protected]>
Subject: Test
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-IncomingHeaderCount: 13
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2023 20:38:26.3714
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
e510d1e0-8d30-4dd0-b95c-08db3a03892b
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
DM6NAM10FT094:EE_|CPWPR80MB6141:EE_|SCZPR80MB6981:EE_
X-MS-Exchange-Organization-AuthSource:
DM6NAM10FT094.eop-nam10.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: e510d1e0-8d30-4dd0-b95c-08db3a03892b
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 192.252.146.28
X-SID-PRA: [email protected]
X-SID-Result: PASS
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Apr 2023 20:38:26.1995
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e510d1e0-8d30-4dd0-b95c-08db3a03892b
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
DM6NAM10FT094.eop-nam10.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CPWPR80MB6141
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.0105348
X-MS-Exchange-Processed-By-BccFoldering: 15.20.6277.038
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000305)(90000117)(90012020)(91020020)(91040095)(9050020)(9100338)(2008001134)(4810010)(4910033)(8820095)(9575002)(10195002)(9320005);
X-Message-Info:
qZelhIiYnPkx84CNH6AeQs2r1mfbx475RiI5K0+Xb2fvrntBfTJ10N2zNIvcvtf7VgXmo/rIiDQIXO6S3rtSdn/H4xrzDv+I2RFpBW+pxB4yhwf8VqBxAb2oTJ+jKAPjknpLKx0rGhWF/Oowozp6RA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0z
X-Microsoft-Antispam-Message-Info:
2XW49YUfX7Ef7WxmE6wjxj/fif+7fGH+twWXcfxQtR1vkKoi4TjYoV1cO+qhBcvp1abvYKtlHlmCQF0GP91JLj+JBe1smkhgc7MbdZnC61tH+tK8px9bwLvfV7+VA3tXaSid7Z399I1Cse4j5wGp/y6Q1UiBTB9I2WOWnXTD5+p6T4ih4Nj+IdT+qn7bEwtACvEqwT4MwMUXWE+9fSgWKULnwirt1jSJ4FcCLshMUYi5oo4+2J/QiKtAa5LgXiINr9RYkNlPQZr2wMm6Y9jOSDOSpBFXskFYA53Vz91nHIIJ2tjCSsnlEhoMOxzdNqGafUWqDexnwzEgKcw8riXh/V1g3Qpsm0aJn5Cw01BVdpZkI38fi1I36ymThNRZCzRTPLJlIzdd3eiWBi8qYFWS2DIlp1eLsMebuUP2U89bB9MedvQqpxTTn3Vn/qXl4RTEPBfo+Jl6Mht8yGrS+Sw8CrMhf8M8H9d6Q3uRsP0MqLxRm4yKNMNDdVB2LOXuzZ1tm1wdmPE2jejJxp2dcZfBRwaio/xNvKWFGHRGFHCkMXACrSMkC38UoguA4sVm1CyCiI7QuyPMbhqpXbTyM1vbRWQ4tGhcxnM995gwQ6S5oF7SovLiNlD4Mm0Wnf5z2R+WUFJxyRKrb2Kng+AbDGcAYrsV506J8dBL5kQDhOQC7ASlsUMKD5iQn//dTpUMI/0eJJniDQTNG45mPBQ0RUErwTN+CxLMHruIZyRiVPjWfqaqM2XnBctXIOsEEnnowIuyJpyndbpawHoA2IEk6SmJDRThlZsx2EzJrBDx5KA91hO5G4DDCDpYyL6o0yutK6nVFlJVbtns7q8XAFzEa5ENiQ==
MIME-Version: 1.0
The main headers show some basic information:
- From: John Smith ICDSoft <[email protected]>
- To: [email protected]
- Subject: Test
- Date: Mon, 10 Apr 2023 23:38:22 +0300
- Return-Path: [email protected]
We can find interesting information about this message from some additional email headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
The message was sent via the email program called "Mozilla Thunderbird" - Received: from unknown (HELO ?213.145.98.191?) ([email protected]@213.145.98.191) by s466.sureserver.com with ESMTPA; 10 Apr 2023 20:38:25 -0000
The message originates from s466.sureserver.com and was sent using SMTP authentication through mailbox [email protected] from a device with IP address 213.145.98.191 - Received: from s466.sureserver.com (192.252.146.28) by DM6NAM10FT094.mail.protection.outlook.com (10.13.153.58) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.26 via Frontend Transport; Mon, 10 Apr 2023 20:38:26 +0000
The IP address of the sending mail server is 192.252.146.28 - Authentication-Results: spf=pass (sender IP is 192.252.146.28) smtp.mailfrom=icdtest.net; dkim=pass (signature was verified) header.d=icdtest.net;dmarc=bestguesspass action=none header.from=icdtest.net;compauth=pass reason=109
The SPF and DKIM checks passed, and the message has been verified as legitimate. The part "dmarc=bestguesspass action=none" means that the message is authenticated, but the matching authenticated domain is missing a DMARC record. Authenticated messages which pass the SPF/DKIM checks and have SPF, DKIM, and DMARC records would have "dmarc=pass action=none" instead (if the DMARC entry is using the "none" policy). Spam emails would have something like "dmarc=fail action=quarantine" (if the DMARC entry is using the "quarantine" policy).
Here is another example - a message sent from [email protected] to [email protected], and then forwarded to [email protected]:
Received: from 10.197.34.204
by atlas116.free.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 28 Apr 2023 15:12:41 +0000
Return-Path: <SRS1-LNPzUwy8=s466.sureserver.com=-dYsHhaIs=AT=icdtest.net=johnsmith@s807.sureserver.com>
X-Originating-Ip: [195.8.222.25]
Received-SPF: pass (domain of s807.sureserver.com designates 195.8.222.25 as permitted sender)
Authentication-Results: atlas116.free.mail.bf1.yahoo.com;
dkim=perm_fail [email protected] header.s=dkim;
dkim=pass [email protected] header.s=dkim;
spf=pass smtp.mailfrom=s807.sureserver.com;
dmarc=pass(p=QUARANTINE) header.from=icdtest.net;
X-Apparently-To: [email protected]; Fri, 28 Apr 2023 15:12:41 +0000
X-YMailAVSC: lF3DrzU3bBu0FPN6dthhAHxeo9QUblJEBPOplMaK4eHqTNQ
hXElN1TqInUx5XNgKv1R5J57VSg.5z5OP5Jm7n824cXEA9bHYs07gSt11sTH
qf2OO34xrz03_Ry2vl8nOdQd84K8ZO03UBcfIEX4QsV7VdgbSDaMeIwMNSvR
_dhveNFa0gqual8NoElmRv5F2ykyx_dziMmje_xv7_persOxcqHL12q3gAF8
Vo9nZJ6I2H1nldPiS0wZa3szvxi8.MDMrJ41ft5bPIXiaag4crF.R4mvWrQ0
4_xh2EbgQ5Y5wqroXM9rn.KPlS_6omJ0lOpMTRB2K9FrTOxEq2mSTz7ZYomN
7O2L0ZvymvmeDl5VWjbVfDIO8Uig_1Cx1z24bCebm6nVfszuqfTKmUViz3Yu
eyAFFBO4vXQ0PCq3RTTkKIui2J.MaXkhdf_amcruR07oqU8_tgHKZ1Ypldet
ECgsvdp4wWXziyxn7.kZUF0wB7dHdURUKBa18YVOr56l05lDJLengpb3FB4t
GGceVeaPzW9nz3SOMBtiRBGixCIVkdt5ncmw6gq0BQ5v0CqKU57XDxSBk_RN
K36vfIobf1qKsjNGzRX0JTEOnvssqxw9ysxyPR5jQZmZ2mPKN06dP05jhVKu
LxLT5jg469NNVnw2cvVaxJqEhEwbYQE6QMdYDfkolqerWqWv8pmEVA9VineX
Dm3SIwYjh5IvfGdzDdrOMowDooQfyi2xayCKIVop7EHa0.9dYmqG95Q.tg0n
pT7SY6cgM8dL14DAORl7NXGLviMXO6KPiOeKMkfK_.CQjO9O2BR5XNyCvWZl
uZs0_Vk4rmKEyFGpoIN_Jp2un.my4J6YqjMz3tW10Ixp9G0xEoDC9G7H0sFF
3AQ1HkzEu3Xb79gpErBn6YyACXyjKbd9dDUiKX1zfk115Jf58zVdkiMmid0A
jEc.cGdUgRemH6ei6o7XVFH54B7sLvPvKY7.B1EMO_QSqgpMxKo5ERRFsqRm
yFxMaCM2aECQeSOq_rUXQDizzVXQiK4z2AD.Okt.40jZ4sD8dUktUZIr2EIo
C.fVVoAtQq4wYPgoobQZgldwnfsVDgJOAq5QQbabj7ovBGLRoRfaeHUVfs8Q
c6yiFb5nTgh_GwPmvd.9Kdp5m5rUuVqTjq_t0SB94gC7PfOvuLTimSVaQ_WA
fDoTEpUu07RMSIwtwvoyYhGRP7vcr9O4mUt5qYhVsG4EItA--
X-YMailISG: 4az9ipwWLDsebazowrhLLkN2KLfEgrpylAoDv0Cd37ObwwjK
RMwMg3YDSz.6_m5b4n9TMm5liTJB8bk.yi56t446kr2H5lxjWT7FBOzSx6Ur
zGezZuDbXHf2B1l7gDz.X1ty9SoPcm637vrBHcKnSkktGfRsocaSKcLKAxqu
sP1K.TIHSHLqLZLdwP626GLbywnzLw0vYel.eW55jaAwo7.dG6pSnKgHHMuw
VCGno3yiEVhyESX7s4IuYCQBTmRGSsWoKQUdMQOxsOuOH9L9POKXk2.9voTc
VPrFttkSl7.wTsWEiQ5uChgLG1Xm.0cd1e3ea_LbDKoe.PQuqKTAyW6wFrJ2
KCu6CYIAsX8fmQADrvDhFAXE3fqTwH_oxh2byb03sXr315yeMDU79B9FWExn
EqLCT7aJFegmFhLpWzyBIyBF.iwJeObspLDN8IQLbIsZv1lbAx8rJblYV2z1
hqvuiaE9w7HUo5tfFIYS3H5KexsygT.jfCqryDSqAdro6HXLvQriyzNyisjd
kBEQ99wFLsMHamg.yoKTaqhh.aqJQZehFwZX07v9fzF5w.bnaK._Kiiuwwk9
S3v.RXdmHd4uRVKC2JyRcauDodXE7WSxiA6EYcxcUa3zO.iDyAIgAy2UuDPN
g5rLHtyIb19Fza812pUDO6Vt1b2_k2vyhoBysNsq29b8yKz5eMlr7Mt2aWT_
h8YrNRUPa8BEkA3uXdVJ3DqTBzX0nHRiFwkdFGSdZaq0NZf8bZg4Y._2rdu1
1hHWkGoMk3n1sInrKsKQgGZUz1_Ut5nldr6hsSaFGEshSIN0o3_gSUNUv6sn
zp88QvNnoB2ANToUs2hB2KSPKx53CPuHRWhIz2LDPul.SOj9jE2AUY.KGU17
ImxGpQKd6WPzU_ue9hK9.qIh5k..ESZyx4wOGi._6IsNTOQ42T7WybDNdTRP
8s1rjOjP8ZibzHeLniMMxo8FhykqRMOGCd5EQD.Ced0Mq8djFxOw4YkkauIW
oybO68ytasCmX_olsBOKykV6enAnqFZsPKBQi3_XBIlpghqV8geLjarLt4S2
0sLzlYWx0AdgxN6UE60KXpJwFgQfUoBMOeDq.hbZ66h6TLLmHpUPXLoQDoUe
W7xucUhLK4buh927.rzLwFsYt10C.WBdsjYUINTniReUWMCLyb_jpsbr02v4
jvOY1m3ZRmVPAkkXi3T.B4D3fl8DF7nKCurgk_zk6a..tUi0GvqgGW2cEE1G
92KdkJAimPxk9K1P269dA_FzFklD16TI8yMQhFAKVOzl1v4aWWlW8QLW9uZ8
M2.Z
Received: from 195.8.222.25 (EHLO s807.sureserver.com)
by 10.197.34.204 with SMTPs
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
Fri, 28 Apr 2023 15:12:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=icdtest.net; h=
message-id:date:mime-version:from:subject:to:content-type
:content-transfer-encoding; s=dkim; bh=a+6z9N9M4Z1sFKIixisE8eG5o
snzDYVSQob1aq6RKk8=; b=AO4HL7+LxttUHcalSW9vTkbWz3bzefdJRUO9Wzzhv
ss9XXmkk3WwuaB7iSwzHflyIfKfd8RSeBSIh38l3EB26Z+zGAZFx2C9F93YmyHRX
rrr/3Lv2zL7bn03sMNZer6Iusu/up/V+wIdYZqKcKUOZJC4mGMhJjQJ4lId9TZ40
t8=
Received: (qmail 20491 invoked by uid 1002); 28 Apr 2023 15:12:39 -0000
Received: (qmail 20465 invoked by uid 1002); 28 Apr 2023 15:12:38 -0000
Received: from s466.sureserver.com (192.252.146.28)
by s807.sureserver.com with SMTP; 28 Apr 2023 15:12:38 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=icdtest.net; h=
message-id:date:mime-version:from:subject:to:content-type
:content-transfer-encoding; s=dkim; bh=a+6z9N9M4Z1sFKIixisE8eG5o
snzDYVSQob1aq6RKk8=; b=M3l4kKN4prAHvtqIan3+dx+f4JDcuKUqltzOtZQiD
QBvBKM6ueBUDhN9tqNpIyhWi/b0fcN9W+PAUZAS2UF/aoTW1uQxjwdZ9SrQJvEPo
8Fd5LMF4FKtAPsBp9LH26hOZo0MVP2NcyCRRqk5HyGmtJTH+pWiLpjcN0orhuNDw
a0=
Received: (qmail 53050 invoked by uid 1003); 28 Apr 2023 15:12:36 -0000
Received: (qmail 53025 invoked by uid 1003); 28 Apr 2023 15:12:36 -0000
Received: from unknown (HELO ?94.155.37.245?) ([email protected]@94.155.37.245)
by s466.sureserver.com with ESMTPA; 28 Apr 2023 15:12:36 -0000
Message-ID: <[email protected]>
Date: Fri, 28 Apr 2023 18:12:34 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.6.1
From: John Smith ICDSoft <[email protected]>
Subject: Forwarding test
To: [email protected]
Content-Language: bg, en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Delivered-To: [email protected]
Delivered-To: [email protected]
Content-Length: 32
This email will be forwarded.
Some email headers stand out:
- Delivered-To: [email protected]
Delivered-To: [email protected]
Two Delivered-To headers. This shows that the message was first delivered to [email protected], then to [email protected], and finally to [email protected]. - Received: from 10.197.34.204 by atlas116.free.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 28 Apr 2023 15:12:41 +0000
Received: from 195.8.222.25 (EHLO s807.sureserver.com) by 10.197.34.204 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256); Fri, 28 Apr 2023 15:12:41 +0000
Received: from s466.sureserver.com (192.252.146.28) by s807.sureserver.com with SMTP; 28 Apr 2023 15:12:38 -0000
Received: from unknown (HELO ?94.155.37.245?) ([email protected]@94.155.37.245) by s466.sureserver.com with ESMTPA; 28 Apr 2023 15:12:36 -0000
These lines show the route of the message and are best read from the bottom to the top. The message was first sent from [email protected] via s466.sureserver.com, then it was delivered to s807.sureserver.com, after which it was forwarded and received at Yahoo. - Return-Path: <SRS1-LNPzUwy8=s466.sureserver.com=-dYsHhaIs=AT=icdtest.net=johnsmith@s807.sureserver.com>
The Return-Path header of the message forwarded to Yahoo is modified by the forwarding server via the Sender Rewriting Scheme (SRS). This improves the deliverability of forwarded emails, because the SPF configuration of the matching authenticated domain lists the server's IP address as permitted sender. This way, messages sent on behalf of icdtest.net (forwarded emails) through a third-party server (s807.sureserver.com) pass the SPF check. The SRS works backwards as well, so replies to the SRS address will still reach the original sender. In this case, if a reply is sent back to SRS1-LNPzUwy8=s466.sureserver.com=-dYsHhaIs=AT=icdtest.net=johnsmith@s807.sureserver.com, this address will be transformed to [email protected] on our end, and the reply will be delivered there. Many email service providers have not introduced SRS (Sender Rewriting Scheme) yet, and these providers suffer from increased rates of email delivery issues, particularly when it comes to forwarding emails. Without SRS, forwarded emails often fail SPF (Sender Policy Framework) checks because the original sender's IP address does not match the forwarding server's IP address. This mismatch can lead to legitimate emails being marked as spam or outright rejected by receiving email servers, significantly impacting email deliverability and sender reputation.
In Conclusion
Email headers can be very useful to trace an email - from the originating server to the final recipient. The headers also show important information regarding the authenticity of the message. Learning more about email headers could also protect you against spam and phishing emails, because spammers often send spoofed messages which only appear as sent from a known entity, but are actually sent via compromised servers and email systems.
If email headers still seem confusing, it is because they are. At ICDSoft, we have a team of experienced support persons, who can help you decipher the email headers, just post a ticket through our support systems.