- What are email headers?
- How to find the email headers?
- Which are the most important headers of an email?
- Reading and understanding the email headers
- In Conclusion
What are email headers?
Email headers contain valuable information about the path of the message from its initial sender to the final recipient. This includes IP addresses, server names, authentication data, originating entity to mention a few. This part of the email is usually hidden and can be analyzed by viewing the source code of the message. The email headers, however, could be modified by every server along the route and could be altered even upon sending due to a flaw in the global email system itself.
For example, in the so-called spoofing attacks, the sender forges certain email headers in an attempt to trick the recipients of the message that the spoofed message originates from a legitimate source - their bank, a service provider, a popular website, etc. In such attacks, scammers take advantage of the flaws of the global email system to create a false sense of trust and deceive their victims so steal sensitive data, e.g. credit card information, website login credentials, mail passwords, etc.
How to find the email headers?
Most email clients (desktop programs and web-based solutions) have the option to display the full headers of an email.
We have published instructions for viewing the full email headers in some of the most popular email clients, such as Outlook, Thunderbird, Mail for Mac, Windows Mail, Gmail, Hotmail.com/Outlook.com/Live.com, Yahoo Mail, etc. at the ICDSoft Knowledge Base:
Which are the most important headers of an email?
Reading email headers is usually done for two reasons - checking if the email is legitimate or finding its real sender. By analyzing the email headers, you can also find when the message was sent, and how long it took for it to be delivered. You can also find if you received it directly or as a forwarded message. Some of the most important headers are:
- From: name and email address of the sender
- To: name and email address of the recipient
- Date: time and date when the message was sent, including the timezone of the sending system
- Subject: shows the topic of the message
- Return-Path: the email address to which a message can be returned in case it is not successfully delivered, e.g. in case of a server error, insufficient space, non-existent mailbox, etc.
- Reply-To: the email address to which a recipient will respond if they decide to reply back to a message
- Received: lists all mail servers through which a message has gone prior to arriving at its final destination; a message usually has more than one Received headers, and the first one shows the original sending server.
- Delivered-To: shows the email address to which a received email was delivered; one message could have multiple Delivered-To headers due to email forwarding
- DKIM-Signature: this is the text value of the DKIM record added to the message to allow validation
- Received-SPF: an advisory header showing whether the IP address through which the message was sent is designated as a permitted sender
- Authentication-Results: shows whether SPF, DKIM, and DMARC checks pass or not
- Message-ID: a unique combination of letters and numbers that identifies each message; this globally-unique identifier can be used to distinguish one message from other emails
- User-Agent or X-Mailer: shows the name of the email program used for sending the message
- MIME-Version: Multipurpose Internet Mail Extensions (MIME) is an internet standard of encoding, which converts non-text content (images, videos, and other attachments) into text, so they can be attached to an email and sent via SMTP
- X-Originating-IP: shows the IP address of the original sender; this header is not always present, so you may have to look for the first Received header instead.
Reading and understanding the email headers
Let's dissect a few emails and their email headers.
Received: from CPWPR80MB6141.lamprd80.prod.outlook.com (2603:10d6:103:10f::10) by SCZPR80MB6981.lamprd80.prod.outlook.com with HTTPS; Mon, 10 Apr 2023 20:38:29 +0000 Received: from DS7PR03CA0238.namprd03.prod.outlook.com (2603:10b6:5:3ba::33) by CPWPR80MB6141.lamprd80.prod.outlook.com (2603:10d6:103:10f::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6277.34; Mon, 10 Apr 2023 20:38:27 +0000 Received: from DM6NAM10FT094.eop-nam10.prod.protection.outlook.com (2603:10b6:5:3ba:cafe::26) by DS7PR03CA0238.outlook.office365.com (2603:10b6:5:3ba::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6277.36 via Frontend Transport; Mon, 10 Apr 2023 20:38:26 +0000 Authentication-Results: spf=pass (sender IP is 188.8.131.52) smtp.mailfrom=icdtest.net; dkim=pass (signature was verified) header.d=icdtest.net;dmarc=bestguesspass action=none header.from=icdtest.net;compauth=pass reason=109 Received-SPF: Pass (protection.outlook.com: domain of icdtest.net designates 184.108.40.206 as permitted sender) receiver=protection.outlook.com; client-ip=220.127.116.11; helo=s466.sureserver.com; pr=C Received: from s466.sureserver.com (18.104.22.168) by DM6NAM10FT094.mail.protection.outlook.com (10.13.153.58) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.26 via Frontend Transport; Mon, 10 Apr 2023 20:38:26 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:297C7E56DB8DA6E6AC3DB36FDFECEAF23A80446DD23588094814949752EC5A1E;UpperCasedChecksum:FF301AF182321DCE2B20470C944DE12327C269E3E917E3EA6E2B9F88FB3CE6BB;SizeAsReceived:1059;Count:13 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=icdtest.net; h= message-id:date:mime-version:to:from:subject:content-type :content-transfer-encoding; s=dkim; bh=fdkeB/A0FkbVP2k4J4pNPoeWH 6vqBm9+b0C3OY87Cw8=; b=ibNFtfV9TDB2T9WLkpQgr7Cz+nnjLhALlKhp9t1U2 q/6KbP8Gyr0C1KjngkzdfsFAGtSRlgX9iMeMaqYbyIUbMdePSr0t8cp/DqCkVKOH fDTUgqxjt4xU/M8d41n3z1fMZna8PXTeDmtyKPobwdNEqUuCWBvh+KTsdwZ5EPMA Ws= Received: (qmail 54628 invoked by uid 1003); 10 Apr 2023 20:38:25 -0000 Received: from unknown (HELO ?22.214.171.124?) ([email protected]@126.96.36.199) by s466.sureserver.com with ESMTPA; 10 Apr 2023 20:38:25 -0000 Message-ID: <[email protected]> Date: Mon, 10 Apr 2023 23:38:22 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 Content-Language: bg, en-US To: [email protected] From: John Smith ICDSoft <[email protected]> Subject: Test Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-IncomingHeaderCount: 13 Return-Path: [email protected] X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2023 20:38:26.3714 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: e510d1e0-8d30-4dd0-b95c-08db3a03892b X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0 X-MS-Exchange-Organization-MessageDirectionality: Incoming X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DM6NAM10FT094:EE_|CPWPR80MB6141:EE_|SCZPR80MB6981:EE_ X-MS-Exchange-Organization-AuthSource: DM6NAM10FT094.eop-nam10.prod.protection.outlook.com X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Office365-Filtering-Correlation-Id: e510d1e0-8d30-4dd0-b95c-08db3a03892b X-MS-Exchange-EOPDirect: true X-Sender-IP: 188.8.131.52 X-SID-PRA: [email protected] X-SID-Result: PASS X-MS-Exchange-Organization-SCL: 1 X-Microsoft-Antispam: BCL:0; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Apr 2023 20:38:26.1995 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: e510d1e0-8d30-4dd0-b95c-08db3a03892b X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-AuthSource: DM6NAM10FT094.eop-nam10.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CPWPR80MB6141 X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.0105348 X-MS-Exchange-Processed-By-BccFoldering: 15.20.6277.038 X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:0;pcwl:0;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000305)(90000117)(90012020)(91020020)(91040095)(9050020)(9100338)(2008001134)(4810010)(4910033)(8820095)(9575002)(10195002)(9320005); X-Message-Info: qZelhIiYnPkx84CNH6AeQs2r1mfbx475RiI5K0+Xb2fvrntBfTJ10N2zNIvcvtf7VgXmo/rIiDQIXO6S3rtSdn/H4xrzDv+I2RFpBW+pxB4yhwf8VqBxAb2oTJ+jKAPjknpLKx0rGhWF/Oowozp6RA== X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0z X-Microsoft-Antispam-Message-Info: 2XW49YUfX7Ef7WxmE6wjxj/fif+7fGH+twWXcfxQtR1vkKoi4TjYoV1cO+qhBcvp1abvYKtlHlmCQF0GP91JLj+JBe1smkhgc7MbdZnC61tH+tK8px9bwLvfV7+VA3tXaSid7Z399I1Cse4j5wGp/y6Q1UiBTB9I2WOWnXTD5+p6T4ih4Nj+IdT+qn7bEwtACvEqwT4MwMUXWE+9fSgWKULnwirt1jSJ4FcCLshMUYi5oo4+2J/QiKtAa5LgXiINr9RYkNlPQZr2wMm6Y9jOSDOSpBFXskFYA53Vz91nHIIJ2tjCSsnlEhoMOxzdNqGafUWqDexnwzEgKcw8riXh/V1g3Qpsm0aJn5Cw01BVdpZkI38fi1I36ymThNRZCzRTPLJlIzdd3eiWBi8qYFWS2DIlp1eLsMebuUP2U89bB9MedvQqpxTTn3Vn/qXl4RTEPBfo+Jl6Mht8yGrS+Sw8CrMhf8M8H9d6Q3uRsP0MqLxRm4yKNMNDdVB2LOXuzZ1tm1wdmPE2jejJxp2dcZfBRwaio/xNvKWFGHRGFHCkMXACrSMkC38UoguA4sVm1CyCiI7QuyPMbhqpXbTyM1vbRWQ4tGhcxnM995gwQ6S5oF7SovLiNlD4Mm0Wnf5z2R+WUFJxyRKrb2Kng+AbDGcAYrsV506J8dBL5kQDhOQC7ASlsUMKD5iQn//dTpUMI/0eJJniDQTNG45mPBQ0RUErwTN+CxLMHruIZyRiVPjWfqaqM2XnBctXIOsEEnnowIuyJpyndbpawHoA2IEk6SmJDRThlZsx2EzJrBDx5KA91hO5G4DDCDpYyL6o0yutK6nVFlJVbtns7q8XAFzEa5ENiQ== MIME-Version: 1.0
The main headers show some basic information:
- From: John Smith ICDSoft <[email protected]>
- To: [email protected]
- Subject: Test
- Date: Mon, 10 Apr 2023 23:38:22 +0300
- Return-Path: [email protected]
We can find interesting information about this message from some additional email headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
The message was sent via the email program called "Mozilla Thunderbird"
- Received: from unknown (HELO ?184.108.40.206?) ([email protected]@220.127.116.11) by s466.sureserver.com with ESMTPA; 10 Apr 2023 20:38:25 -0000
The message originates from s466.sureserver.com and was sent using SMTP authentication through mailbox [email protected] from a device with IP address 18.104.22.168
- Received: from s466.sureserver.com (22.214.171.124) by DM6NAM10FT094.mail.protection.outlook.com (10.13.153.58) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.26 via Frontend Transport; Mon, 10 Apr 2023 20:38:26 +0000
The IP address of the sending mail server is 126.96.36.199
- Authentication-Results: spf=pass (sender IP is 188.8.131.52) smtp.mailfrom=icdtest.net; dkim=pass (signature was verified) header.d=icdtest.net;dmarc=bestguesspass action=none header.from=icdtest.net;compauth=pass reason=109
The SPF and DKIM checks passed, and the message has been verified as legitimate. The part "dmarc=bestguesspass action=none" means that the message is authenticated, but the matching authenticated domain is missing a DMARC record. Authenticated messages which pass the SPF/DKIM checks and have SPF, DKIM, and DMARC records would have "dmarc=pass action=none" instead (if the DMARC entry is using the "none" policy). Spam emails would have something like "dmarc=fail action=quarantine" (if the DMARC entry is using the "quarantine" policy).
Received: from 10.197.34.204 by atlas116.free.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 28 Apr 2023 15:12:41 +0000 Return-Path: <SRS1-LNPzUwy8=s466.sureserver[email protected]> X-Originating-Ip: [184.108.40.206] Received-SPF: pass (domain of s807.sureserver.com designates 220.127.116.11 as permitted sender) Authentication-Results: atlas116.free.mail.bf1.yahoo.com; dkim=perm_fail [email protected] header.s=dkim; dkim=pass [email protected] header.s=dkim; spf=pass smtp.mailfrom=s807.sureserver.com; dmarc=pass(p=QUARANTINE) header.from=icdtest.net; X-Apparently-To: [email protected]; Fri, 28 Apr 2023 15:12:41 +0000 X-YMailAVSC: lF3DrzU3bBu0FPN6dthhAHxeo9QUblJEBPOplMaK4eHqTNQ hXElN1TqInUx5XNgKv1R5J57VSg.5z5OP5Jm7n824cXEA9bHYs07gSt11sTH qf2OO34xrz03_Ry2vl8nOdQd84K8ZO03UBcfIEX4QsV7VdgbSDaMeIwMNSvR _dhveNFa0gqual8NoElmRv5F2ykyx_dziMmje_xv7_persOxcqHL12q3gAF8 Vo9nZJ6I2H1nldPiS0wZa3szvxi8.MDMrJ41ft5bPIXiaag4crF.R4mvWrQ0 4_xh2EbgQ5Y5wqroXM9rn.KPlS_6omJ0lOpMTRB2K9FrTOxEq2mSTz7ZYomN 7O2L0ZvymvmeDl5VWjbVfDIO8Uig_1Cx1z24bCebm6nVfszuqfTKmUViz3Yu eyAFFBO4vXQ0PCq3RTTkKIui2J.MaXkhdf_amcruR07oqU8_tgHKZ1Ypldet ECgsvdp4wWXziyxn7.kZUF0wB7dHdURUKBa18YVOr56l05lDJLengpb3FB4t GGceVeaPzW9nz3SOMBtiRBGixCIVkdt5ncmw6gq0BQ5v0CqKU57XDxSBk_RN K36vfIobf1qKsjNGzRX0JTEOnvssqxw9ysxyPR5jQZmZ2mPKN06dP05jhVKu LxLT5jg469NNVnw2cvVaxJqEhEwbYQE6QMdYDfkolqerWqWv8pmEVA9VineX Dm3SIwYjh5IvfGdzDdrOMowDooQfyi2xayCKIVop7EHa0.9dYmqG95Q.tg0n pT7SY6cgM8dL14DAORl7NXGLviMXO6KPiOeKMkfK_.CQjO9O2BR5XNyCvWZl uZs0_Vk4rmKEyFGpoIN_Jp2un.my4J6YqjMz3tW10Ixp9G0xEoDC9G7H0sFF 3AQ1HkzEu3Xb79gpErBn6YyACXyjKbd9dDUiKX1zfk115Jf58zVdkiMmid0A jEc.cGdUgRemH6ei6o7XVFH54B7sLvPvKY7.B1EMO_QSqgpMxKo5ERRFsqRm yFxMaCM2aECQeSOq_rUXQDizzVXQiK4z2AD.Okt.40jZ4sD8dUktUZIr2EIo C.fVVoAtQq4wYPgoobQZgldwnfsVDgJOAq5QQbabj7ovBGLRoRfaeHUVfs8Q c6yiFb5nTgh_GwPmvd.9Kdp5m5rUuVqTjq_t0SB94gC7PfOvuLTimSVaQ_WA fDoTEpUu07RMSIwtwvoyYhGRP7vcr9O4mUt5qYhVsG4EItA-- X-YMailISG: 4az9ipwWLDsebazowrhLLkN2KLfEgrpylAoDv0Cd37ObwwjK RMwMg3YDSz.6_m5b4n9TMm5liTJB8bk.yi56t446kr2H5lxjWT7FBOzSx6Ur zGezZuDbXHf2B1l7gDz.X1ty9SoPcm637vrBHcKnSkktGfRsocaSKcLKAxqu sP1K.TIHSHLqLZLdwP626GLbywnzLw0vYel.eW55jaAwo7.dG6pSnKgHHMuw VCGno3yiEVhyESX7s4IuYCQBTmRGSsWoKQUdMQOxsOuOH9L9POKXk2.9voTc VPrFttkSl7.wTsWEiQ5uChgLG1Xm.0cd1e3ea_LbDKoe.PQuqKTAyW6wFrJ2 KCu6CYIAsX8fmQADrvDhFAXE3fqTwH_oxh2byb03sXr315yeMDU79B9FWExn EqLCT7aJFegmFhLpWzyBIyBF.iwJeObspLDN8IQLbIsZv1lbAx8rJblYV2z1 hqvuiaE9w7HUo5tfFIYS3H5KexsygT.jfCqryDSqAdro6HXLvQriyzNyisjd kBEQ99wFLsMHamg.yoKTaqhh.aqJQZehFwZX07v9fzF5w.bnaK._Kiiuwwk9 S3v.RXdmHd4uRVKC2JyRcauDodXE7WSxiA6EYcxcUa3zO.iDyAIgAy2UuDPN g5rLHtyIb19Fza812pUDO6Vt1b2_k2vyhoBysNsq29b8yKz5eMlr7Mt2aWT_ h8YrNRUPa8BEkA3uXdVJ3DqTBzX0nHRiFwkdFGSdZaq0NZf8bZg4Y._2rdu1 1hHWkGoMk3n1sInrKsKQgGZUz1_Ut5nldr6hsSaFGEshSIN0o3_gSUNUv6sn zp88QvNnoB2ANToUs2hB2KSPKx53CPuHRWhIz2LDPul.SOj9jE2AUY.KGU17 ImxGpQKd6WPzU_ue9hK9.qIh5k..ESZyx4wOGi._6IsNTOQ42T7WybDNdTRP 8s1rjOjP8ZibzHeLniMMxo8FhykqRMOGCd5EQD.Ced0Mq8djFxOw4YkkauIW oybO68ytasCmX_olsBOKykV6enAnqFZsPKBQi3_XBIlpghqV8geLjarLt4S2 0sLzlYWx0AdgxN6UE60KXpJwFgQfUoBMOeDq.hbZ66h6TLLmHpUPXLoQDoUe W7xucUhLK4buh927.rzLwFsYt10C.WBdsjYUINTniReUWMCLyb_jpsbr02v4 jvOY1m3ZRmVPAkkXi3T.B4D3fl8DF7nKCurgk_zk6a..tUi0GvqgGW2cEE1G 92KdkJAimPxk9K1P269dA_FzFklD16TI8yMQhFAKVOzl1v4aWWlW8QLW9uZ8 M2.Z Received: from 18.104.22.168 (EHLO s807.sureserver.com) by 10.197.34.204 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256); Fri, 28 Apr 2023 15:12:41 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=icdtest.net; h= message-id:date:mime-version:from:subject:to:content-type :content-transfer-encoding; s=dkim; bh=a+6z9N9M4Z1sFKIixisE8eG5o snzDYVSQob1aq6RKk8=; b=AO4HL7+LxttUHcalSW9vTkbWz3bzefdJRUO9Wzzhv ss9XXmkk3WwuaB7iSwzHflyIfKfd8RSeBSIh38l3EB26Z+zGAZFx2C9F93YmyHRX rrr/3Lv2zL7bn03sMNZer6Iusu/up/V+wIdYZqKcKUOZJC4mGMhJjQJ4lId9TZ40 t8= Received: (qmail 20491 invoked by uid 1002); 28 Apr 2023 15:12:39 -0000 Received: (qmail 20465 invoked by uid 1002); 28 Apr 2023 15:12:38 -0000 Received: from s466.sureserver.com (22.214.171.124) by s807.sureserver.com with SMTP; 28 Apr 2023 15:12:38 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=icdtest.net; h= message-id:date:mime-version:from:subject:to:content-type :content-transfer-encoding; s=dkim; bh=a+6z9N9M4Z1sFKIixisE8eG5o snzDYVSQob1aq6RKk8=; b=M3l4kKN4prAHvtqIan3+dx+f4JDcuKUqltzOtZQiD QBvBKM6ueBUDhN9tqNpIyhWi/b0fcN9W+PAUZAS2UF/aoTW1uQxjwdZ9SrQJvEPo 8Fd5LMF4FKtAPsBp9LH26hOZo0MVP2NcyCRRqk5HyGmtJTH+pWiLpjcN0orhuNDw a0= Received: (qmail 53050 invoked by uid 1003); 28 Apr 2023 15:12:36 -0000 Received: (qmail 53025 invoked by uid 1003); 28 Apr 2023 15:12:36 -0000 Received: from unknown (HELO ?126.96.36.199?) ([email protected]@188.8.131.52) by s466.sureserver.com with ESMTPA; 28 Apr 2023 15:12:36 -0000 Message-ID: <[email protected]> Date: Fri, 28 Apr 2023 18:12:34 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 From: John Smith ICDSoft <[email protected]> Subject: Forwarding test To: [email protected] Content-Language: bg, en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Delivered-To: [email protected] Delivered-To: [email protected] Content-Length: 32 This email will be forwarded.
Some email headers stand out:
- Delivered-To: [email protected]
Delivered-To: [email protected]
Two Delivered-To headers. This shows that the message was first delivered to [email protected], then to [email protected], and finally to [email protected].
- Received: from 10.197.34.204 by atlas116.free.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 28 Apr 2023 15:12:41 +0000
Received: from 184.108.40.206 (EHLO s807.sureserver.com) by 10.197.34.204 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256); Fri, 28 Apr 2023 15:12:41 +0000
Received: from s466.sureserver.com (220.127.116.11) by s807.sureserver.com with SMTP; 28 Apr 2023 15:12:38 -0000
Received: from unknown (HELO ?18.104.22.168?) ([email protected]@22.214.171.124) by s466.sureserver.com with ESMTPA; 28 Apr 2023 15:12:36 -0000
These lines show the route of the message and are best read from the bottom to the top. The message was first sent from [email protected] via s466.sureserver.com, then it was delivered to s807.sureserver.com, after which it was forwarded and received at Yahoo.
- Return-Path: <SRS1-LNPzUwy8=s466.sureserve[email protected]>
The Return-Path header of the message forwarded to Yahoo is modified by the forwarding server via the Sender Rewriting Scheme (SRS). This improves the deliverability of forwarded emails, because the SPF configuration of the matching authenticated domain lists the server's IP address as permitted sender. This way, messages sent on behalf of icdtest.net (forwarded emails) through a third-party server (s807.sureserver.com) pass the SPF check. The SRS works backwards as well, so replies to the SRS address will still reach the original sender. In this case, if a reply is sent back to SRS1-LNPzUwy8=s466.sures[email protected], this address will be transformed to [email protected] on our end, and the reply will be delivered there. Many email service providers have not introduced SRS yet, and these providers suffer
Email headers can be very useful to trace an email - from the originating server to the final recipient. The headers also show important information regarding the authenticity of the message. Learning more about email headers could also protect you against spam and phishing emails, because spammers often send spoofed messages which only appear as sent from a known entity, but are actually sent via compromised servers and email systems.
If email headers still seem confusing, it is because they are. At ICDSoft, we have a team of experienced support persons, who can help you decipher the email headers, just post a ticket through our support systems.