
How-To Geek

HTG Explains: What Can You Find in an Email Header?

Whenever you receive an email, there is a lot more to it than meets the eye. While you typically only pay attention to the from address, subject line and body of the message, there is a great deal more information available “under the hood” of each email.

Why Bother Looking at an Email Header?

This is a very good question. For the most part, you really wouldn’t ever need to unless:

  • You suspect an email is a phishing attempt or spoof
  • You want to view routing information on the email’s path
  • You are a curious geek

Regardless of your reasons, reading email headers is actually quite easy and can be very revealing.

Article Note: For our screenshots and data, we will be using Gmail but virtually every other mail client should provide this same information as well.


Viewing the Email Header

In Gmail, view the email. For this example, we will use the email below.


Then click the arrow in the upper right corner and select Show original.


The resulting window will have the email header data in plain text.

Note: In all the email header data I show below I have changed my Gmail address to show as myemail@gmail.com and my external email address to show as jfaulkner@externalemail.com and jason@myemail.com as well as masked the IP address of my email servers.


Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp18666oec;
Tue, 6 Mar 2012 08:30:51 -0800 (PST)
Received: by 10.68.125.129 with SMTP id mq1mr1963003pbb.21.1331051451044;
Tue, 06 Mar 2012 08:30:51 -0800 (PST)
Return-Path: <jfaulkner@externalemail.com>
Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com. [64.18.2.16])
by mx.google.com with SMTP id l7si25161491pbd.80.2012.03.06.08.30.49;
Tue, 06 Mar 2012 08:30:50 -0800 (PST)
Received-SPF: neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) client-ip=64.18.2.16;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) smtp.mail=jfaulkner@externalemail.com
Received: from mail.externalemail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP
ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 06 Mar 2012 08:30:50 PST
Received: from MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3]) by
MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3%11]) with mapi; Tue, 6 Mar
2012 11:30:48 -0500
From: Jason Faulkner <jfaulkner@externalemail.com>
To: "myemail@gmail.com" <myemail@gmail.com>
Date: Tue, 6 Mar 2012 11:30:48 -0500
Subject: This is a legit email
Thread-Topic: This is a legit email
Thread-Index: Acz7tnUyKZWWCcrUQ+++QVd6awhl+Q==
Message-ID: <682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5@MYSERVER.myserver.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
boundary="_000_682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5HARDHAT2hardh_"
MIME-Version: 1.0


When you read an email header, the data is in reverse chronological order, meaning the information at the top is the most recent event. Therefore, if you want to trace the email from sender to recipient, start at the bottom. Examining the headers of this email, we can see several things.

Here we see information generated by the sending client. In this case, the email was sent from Outlook so this is the metadata Outlook adds.

From: Jason Faulkner <jfaulkner@externalemail.com>
To: "myemail@gmail.com" <myemail@gmail.com>
Date: Tue, 6 Mar 2012 11:30:48 -0500
Subject: This is a legit email
Thread-Topic: This is a legit email
Thread-Index: Acz7tnUyKZWWCcrUQ+++QVd6awhl+Q==
Message-ID: <682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5@MYSERVER.myserver.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
boundary="_000_682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5HARDHAT2hardh_"
MIME-Version: 1.0

The next part traces the path the email takes from the sending server to the destination server. Keep in mind these steps (or hops) are listed in reverse chronological order. We have placed the respective number next to each hop to illustrate the order. Note that each hop shows detail about the IP address and respective reverse DNS name.

Delivered-To: myemail@gmail.com
[6] Received: by 10.60.14.3 with SMTP id l3csp18666oec;
Tue, 6 Mar 2012 08:30:51 -0800 (PST)
[5] Received: by 10.68.125.129 with SMTP id mq1mr1963003pbb.21.1331051451044;
Tue, 06 Mar 2012 08:30:51 -0800 (PST)
Return-Path: <jfaulkner@externalemail.com>
[4] Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com. [64.18.2.16])
by mx.google.com with SMTP id l7si25161491pbd.80.2012.03.06.08.30.49;
Tue, 06 Mar 2012 08:30:50 -0800 (PST)
[3] Received-SPF: neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) client-ip=64.18.2.16;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) smtp.mail=jfaulkner@externalemail.com
[2] Received: from mail.externalemail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP
ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 06 Mar 2012 08:30:50 PST
[1] Received: from MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3]) by
MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3%11]) with mapi; Tue, 6 Mar
2012 11:30:48 -0500

While this is pretty mundane for a legitimate email, this information can be quite telling when it comes to examining spam or phishing emails.


Examining a Phishing Email – Example 1

For our first phishing example, we will examine an email which is an obvious phishing attempt. In this case we could identify this message as a fraud simply by the visual indicators but for practice we will take a look at the warning signs within the headers.


Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp12958oec;
Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: by 10.236.46.164 with SMTP id r24mr7411623yhb.101.1331017888982;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Return-Path: <securityalert@verifybyvisa.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
by mx.google.com with ESMTP id t19si8451178ani.110.2012.03.05.23.11.28;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received-SPF: fail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=securityalert@verifybyvisa.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from mail.lovingtour.com ([211.166.9.218]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([118.142.76.58])
by mail.lovingtour.com
; Mon, 5 Mar 2012 21:38:11 +0800
Message-ID: <6DCB4366-3518-4C6C-B66A-F541F32A4C4C@mail.lovingtour.com>
Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com" <securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000


The first red flag is in the client information area. Notice that the metadata added here references Outlook Express. It is unlikely that Visa is so far behind the times that they have someone manually sending emails using a 12-year-old email client.

Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com" <securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

Now examining the first hop in the email routing reveals that the sender was located at IP address 118.142.76.58 and their email was relayed through the mail server mail.lovingtour.com.

Received: from User ([118.142.76.58])
by mail.lovingtour.com
; Mon, 5 Mar 2012 21:38:11 +0800

Looking up the IP information using Nirsoft’s IPNetInfo utility, we can see the sender was located in Hong Kong and the mail server is located in China.


Needless to say this is a bit suspicious.

The rest of the email hops are not really relevant in this case as they show the email bouncing around legitimate server traffic before finally being delivered.


Examining a Phishing Email – Example 2

For this example, our phishing email is much more convincing. There are a few visual indicators here if you look hard enough, but again for the purposes of this article we are going to limit our investigation to email headers.


Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp15619oec;
Tue, 6 Mar 2012 04:27:20 -0800 (PST)
Received: by 10.236.170.165 with SMTP id p25mr8672800yhl.123.1331036839870;
Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Return-Path: <security@intuit.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
by mx.google.com with ESMTP id o2si20048188yhn.34.2012.03.06.04.27.19;
Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Received-SPF: fail (google.com: domain of security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=security@intuit.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 07:27:13 -0500
Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
Received: from apache by intuit.com with local (Exim 4.67)
(envelope-from <security@intuit.com>)
id GJMV8N-8BERQW-93
for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700
To: <jason@myemail.com>
Subject: Your Intuit.com invoice.
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
X-Sender: "INTUIT INC." <security@intuit.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------------03060500702080404010506"
Message-Id: <JXON1H-5GTPKV-0H@intuit.com>
Date: Tue, 6 Mar 2012 19:27:05 +0700
X-ME-Bayesian: 0.000000


In this example, no mail client application was used; instead, the message was generated by a PHP script running at the source IP address 118.68.152.212.

To: <jason@myemail.com>
Subject: Your Intuit.com invoice.
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
X-Sender: "INTUIT INC." <security@intuit.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------------03060500702080404010506"
Message-Id: <JXON1H-5GTPKV-0H@intuit.com>
Date: Tue, 6 Mar 2012 19:27:05 +0700
X-ME-Bayesian: 0.000000

When we look at the first email hop, it appears to be legit, as the sending server’s domain name matches the email address. Be wary of this, however: a spammer could easily name their server “intuit.com”, since the name a server gives itself in a Received line is whatever that server chose to write.

Received: from apache by intuit.com with local (Exim 4.67)
(envelope-from <security@intuit.com>)
id GJMV8N-8BERQW-93
for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700

Examining the next step crumbles this house of cards. In the second hop (where the message is received by a legitimate email server), the receiving server resolves the sending machine back to the domain “dynamic-pool-xxx.hcm.fpt.vn”, not “intuit.com”, and records the same IP address that appears in the X-PHP-Script header.

Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
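One way to automate the checks this article walks through (listing the Received hops in chronological order, reading the SPF verdict, and the cross-check above, where the name a hop gives itself is compared with what the next server recorded for the same connection), as an added example that is not code from the article or from How-To Geek. It uses only the Python standard library; its input is a constructed copy of the Example 2 headers reproduced above, with the masked values kept as printed, and the field names in the returned dictionary are this example’s own.

```python
"""Added example (not from the article): read raw message headers, list the
Received hops in chronological order, pull out the SPF verdict, and flag a hop
that claims to be "by intuit.com" when the next server in the chain recorded
the same connection under a different host name. Standard library only."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the article's Example 2 headers, trimmed to the lines
# this script needs. Masked values (XXX.XXX.XXX.XXX) are kept as printed.
RAW = """\
Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp15619oec;
 Tue, 6 Mar 2012 04:27:20 -0800 (PST)
Received: by 10.236.170.165 with SMTP id p25mr8672800yhl.123.1331036839870;
 Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Return-Path: <security@intuit.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
 by mx.google.com with ESMTP id o2si20048188yhn.34.2012.03.06.04.27.19;
 Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
 security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender)
 smtp.mail=security@intuit.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 07:27:13 -0500
Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212])
 by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
Received: from apache by intuit.com with local (Exim 4.67)
 (envelope-from <security@intuit.com>)
 id GJMV8N-8BERQW-93
 for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700
To: <jason@myemail.com>
Subject: Your Intuit.com invoice.
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
X-Mailer: PHP
Date: Tue, 6 Mar 2012 19:27:05 +0700
"""


def norm(host):
    """Lower-case a host name and drop a trailing dot so names compare cleanly."""
    return host.lower().rstrip(".") if host else None


def parse_received(value):
    """Split one Received value into the sender the adding server wrote down
    ("from ..."), the adding server itself ("by ..."), any bracketed IP address
    and the timestamp after the last semicolon."""
    flat = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    m_ip = re.search(r"\[([0-9a-fA-F.:%]+)\]", flat)
    stamp = flat.rsplit(";", 1)[-1].strip() if ";" in flat else ""
    try:
        when = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        when = None
    return {
        "from": norm(m_from.group(1)) if m_from else None,
        "by": norm(m_by.group(1)) if m_by else None,
        "ip": m_ip.group(1).split("%")[0] if m_ip else None,
        "time": when,
    }


def analyse(raw):
    """Return what a header reviewer looks for: hops in chronological order,
    the SPF verdict, the sending software, and any hop whose claimed identity
    the next server did not agree with."""
    msg = message_from_string(raw)
    # Headers are added top-down as the message travels, so the bottom-most
    # Received line is the first hop: reverse to get chronological order.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    for n, hop in enumerate(hops, 1):
        hop["hop"] = n
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m_spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    m_php = re.search(r"\bfor\s+(\d+\.\d+\.\d+\.\d+)", msg.get("X-PHP-Script", ""))

    findings = []
    for cur, nxt in zip(hops, hops[1:]):
        # cur["by"] is the name a server gave itself; nxt["from"] is what the
        # server that accepted its connection recorded. Only the latter was
        # observed rather than announced, so a disagreement is worth a look.
        if cur["by"] and nxt["from"] and cur["by"] != nxt["from"]:
            findings.append({
                "hop": cur["hop"],
                "claimed": cur["by"],
                "seen_as": nxt["from"],
                "ip": nxt["ip"],
                "matches_from_header": cur["by"].endswith(from_domain),
            })
    return {
        "from_domain": from_domain,
        "spf": m_spf.group(1) if m_spf else None,
        "mailer": msg.get("X-Mailer"),
        "script_ip": m_php.group(1) if m_php else None,
        "hops": hops,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(RAW)
    for hop in report["hops"]:
        print(f'[{hop["hop"]}] from={hop["from"]} ip={hop["ip"]} by={hop["by"]} at {hop["time"]}')
    print("From: domain    :", report["from_domain"])
    print("SPF verdict     :", report["spf"])
    print("Sending software:", report["mailer"])
    for f in report["findings"]:
        print(f'hop {f["hop"]} claims to be {f["claimed"]} but was seen as {f["seen_as"]} [{f["ip"]}]')
```

Treat a finding as a lead rather than a verdict: consecutive hops legitimately use different names for the same machine (in the article’s legitimate sample, exprod7ob119.postini.com hands off and is recorded as exprod7og119.obsmtp.com), so this check would also flag that message. The combination is what matters here: a claimed name that matches the From: domain, a different name recorded by the next server for the same IP, and an SPF hardfail on top.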

Viewing the IP address information confirms the suspicion, as the mail server’s location resolves back to Viet Nam.


While this example is a bit more clever, you can see how quickly the fraud is revealed with only a slight bit of investigation.


Conclusion

While viewing email headers probably isn’t part of your typical day-to-day needs, there are cases where the information contained in them can be quite valuable. As we showed above, you can quite easily identify senders masquerading as something they are not. Even in a very well executed scam where the visual cues are convincing, it is extremely difficult (if not impossible) to impersonate the actual mail servers, so reviewing the information inside the email headers can quickly reveal any chicanery.


Links

Download IPNetInfo from Nirsoft

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 03/15/12

Comments (35)

  1. Kedar

    How does one extract the header out of an outlook document? (It seems unnecessarily complicated to try and pull it out of that program.)

  2. Jason Faulkner

    @Kedar – In Outlook 2010:
    1. Open the email
    2. File > Info > Properties
    3. Look under the Internet Headers section

  3. Maria Wendt

    Wow, this is really interesting. Usually, though, you can tell a phishing site by the vague language in the email, although not always. Thanks for this article!

  4. TerryRay

    Thanks Jason for this article. I was looking all over the web to find an article like this & couldn’t find one.

  5. 4ensicPenguin2

    Good article. Covered this early on in computer forensics classes. Everyone needs to know how to check e-mail headers.

  6. RH

    How would one get this info via yahoo? Thanks in advance

  7. Jason Faulkner
  8. Art€

    Brilliant article, very worthwhile and interesting! Thanks. (downloaded to my ‘tool-box’ 8;-D )

  9. John Derry

    I have half-deleted files and programs which I cannot remove from this computer, every single way I have been told from local so-called Tec’s, and no advice has worked thus far. Please help me, I’d like to have this Acer working up to par. Let me know something useful to save the Acer! Also, how do I un-stick a button on the Dell computer?

  10. John Derry

    please help new to the internet guy johnjohn sr.

  11. LaDonna

    Great article! I had started having tons of problems with phishing e-mails and scams with a different service I had been using for years so I wrote to their help department about it and they told me to use my filters. I explained that I was using my filters but my junk folder was getting at least 60 to 80 of these messages every day. They wanted to me send the header from one of these and told me how to do it but not how to read it. When I pulled up one of the headers it showed every message in my entire inbox, junk folder, and any other folder I had created. The header list was endless and they wanted me to copy that and send it to them? I don’t think so. If I had known how to read headers at that time I could have sent just the information they needed, but I couldn’t so I didn’t, and now I don’t use their service anymore. Out of four different accounts that I use, and all from different services, you would think that one that’s owned by such a massive company would be able to find a way to prevent at least some of that from coming through, especially when my other 3 accounts don’t get anywhere near that much spam, much less phishing, or scam-type, e-mails. Again, thanks.

  12. audiophiler

    Good stuff to know

  13. Kedar

    Thank you, Mr. Faulkner, for the informative article. I failed at first step, open the email rather than trying to access through the preview pane, found the desired options and information.

  14. DisTurbo

    Won’t work for me. By the comments, it obviously works, but I can’t figure out what I’m doing wrong. And I’m in Gmail. Just can’t open the header.

  15. Jason Faulkner

    @DisTurbo – In Gmail, you have to open the message and then in the drop down menu for that message (should be next to the message date) one of the items should be “Show Original”.
    In the screenshots above, the default Gmail theme is in use so if you have an alternate theme the drop down menu might be in a different location.

  16. robert

    Good to know what you can find in an email header.

  17. Slomem

    @John Derry – download Revo Uninstaller http://www.revouninstallerpro.com The Pro version is under $40.00 USD. However, there is a limited free version which works quite well. This application will remove the junk from your hard drive and delete the hard-to-uninstall programs. Be careful and read the instructions carefully. Good luck.

  18. Cliff

    I’ve been reading howtogeek for about a year now and never commented… but this was an excellent article. Thanks!

  19. Jimmy

    Is Outlook 2007 same procedure as 2010?

  20. Wayne Riker

    Is there a way to block them? Outlook uses the from: field, which is the one they spoof. Is there an add-on that I can use to block by IPs? Lately I’ve gotten dozens daily that spoof legitimate sites that I do business with. Many are seemingly from my ISP provider or a forward from myself. It takes an hour or more to view and discard the junk.

  21. Jason Faulkner

    @Jimmy – Google is your friend. Search “outlook 2007 view headers”

    @Wayne Riker – There are some ways you can eliminate these at the server level. You can perform reverse DNS and/or SPF blocking, but there is a possibility this could end up flagging legit messages.

  22. John

    And yet we kept being told to not even open email that is probably junk. Seems as though using GMail, you have to, so that at least you can check and then tag as spam. But opening anything can also let the sender know that they’ve found a legit email address.
    Don’t have to open at all in Hotmail. Just right click on the sender in the inbox, all of this comes up, and no one at the senders’ end will ever know that you did some digging or that your account is still active. So if it is evil, you can confidently delete as spam without ever having actually even read it (or god forbid, clicking on any links within).

  23. darrell

    Explain how you can tell it is from Outlook instead of a block of gobbledygook text. Is it the MS in “X-MS-Has-Attach:
    X-MS-TNEF-Correlator”? That’s the only thing I recognize that it could be a Microsoft product.

  24. Jehanne

    I am not sure why you did not publish my comment about Mixmaster. Anonymous speech is protected speech. What are you afraid of?

  25. talbert

    hmm! doesn’t work with Yahoo mail.

  26. Mike J

    In Outlook, you can use the ‘pocketknife peek’ add-in to view the email in plain text, html code, internet header info and list of attachments without having to open the email. Free for personal use at

    http://www.xintercept.com/peek/pkpeek.htm

    Works in Outlook up to version 2010

  27. Jason Faulkner

    @John – By viewing an email, someone cannot tell whether or not you have opened it unless it has remote images embedded with a querystring encoded in the graphic URL or you click on a link. For spam, you (hopefully) won’t click on a link and for the remote images, most every email client now has this disabled to where you have to either whitelist senders or explicitly allow them for a message.

    @darrell – Personally, I’ve examined enough headers to recognize these types of things, but if in doubt Google is your friend. Just search for the header key text and you should be able to figure it out quickly.

    @Jehanne – Comments with links have to be manually moderated. If it has too many links it gets flagged as spam and deleted. I don’t know what your comment looks like, but just keep these things in mind for future comments.

  28. dctudu

    thanks for the article.
    It is very informative.

  29. Jason

    Why isn’t there a box that just tells you the origin of each email? That would cut out the manual work.

  30. Where's Jason

    How in the world did you manage to spell Vietnam as “Viet Nam”? WTF is a “Viet Nam”?

  31. Jason Faulkner

    @Jason – I’m sure there are plugins out there for (some) mail clients which do this. For the most part, however, this isn’t something the typical user would care to see or know what to do with.

    @Where’s Jason – Thanks for the incredibly constructive comment. However, you might want to check your facts.
    The first line from Wikipedia’s entry for Vietnam/Viet Nam:
    Vietnam – sometimes spelled Viet Nam

  32. kevin

    Great info.

    Instantly knowing the country to which the domain resolves would be a huge shortcut in identifying a phishing email. Anyone know of an outlook add in or yahoo mail feature that would display, say, the country’s flag in the visible email header?

  33. Jehanne

    I only posted one link, to my relay site. Users who want to learn more about Mixmaster can simply Google it — “Quicksilver Lite” or my relay site, “Anon USA.” No spam — we’re not trying to sell anything.

  34. Nem Novakovic

    Do you know if it is possible to view this information in Mail on the iPhone with iOS 5?
    I can’t find it, so am trying to figure out if it’s not possible or if it’s just not simple to view using VoiceOver (Apple’s accessibility software for blind individuals).

  35. tony

    I am very interested in your “geek” articles. But I don’t understand 70% of what everybody is saying. I’ll keep trying though. Thanks for what you guys do!
