
Viewing and Analyzing an Email Message Header

What is an Email Message Header

Every email consists of two parts - the message header and the message body. The email message header is a block of text that contains a variety of information on how that particular email traveled from the sender's email server to your inbox. The header includes details such as sender, recipient, subject, various timestamps, and the routing information of the message. It can be very lengthy - sometimes longer than the message itself. It should be noted that other than the Received header, the remaining headers can be forged by spammers and cyber criminals.

  • To - Shows to whom the message is addressed.
  • From - Shows who the message is from. However, this can be easily forged and can be the least reliable.
  • Subject - Shows the message subject line.
  • Date - The date and time the email message was sent.
  • Return-Path - Shows the email address delivery status notices will be sent to.
  • Reply-To - Shows the email address replies will be sent to. This overrides the "From" email address.
  • Envelope-To - Shows the email address the message was delivered to.
  • Delivery Date - Shows the date and time when the recipient's email server received the message.
  • Received - Shows information about each server that handled your message as it traversed the Internet to arrive at your mailbox. You will see multiple entries for this header, as each server adds its own "Received" entry to the message header. This is typically the most critical part of the message header, and the most reliable, as it cannot be easily forged. The "Received" entries are sorted with the most recent on top. Thus, the very first "Received" entry you see at the top of your message header is the last server that handled your message. Conversely, the last "Received" entry at the bottom of your header is the originating server that sent your email.
  • Message-ID - This is a unique identifier assigned by an email system when the message was first created.
  • Mime-Version - This identifies a particular standard (e.g., support for attachments) used to create the message.
  • Content-Type - Indicates the format the message was composed in, such as HTML or plain text.
  • X-Spam-Status - Shows the message spam score and is used by filtering components. This is generated by the recipient's email server.
  • X-Spam-Level - Shows the message spam score. This is generated by the recipient's email server.
  • Message Body - Shows the actual content of the email itself, written by the sender.

Lines beginning with X (e.g., X-Spam-Status and X-Spam-Level) are entries created by the recipient's email server and are considered to be trustworthy.

Every email sent has a message header. It is not usually visible, and most email client software doesn't display this information by default. However, it is accessible with a few mouse clicks.



How to View Email Message Header

Instructions for finding the message header vary greatly, as each email client application is different. However, we've provided instructions for some of the popular email software below.

Outlook 2013

  1. Launch Outlook.
  2. Double-click on your particular email message to spawn it into its own window.
  3. Click on File.
  4. Click on the Properties button to launch the Properties dialog box.
  5. The message header for your email can be found in the large text box labeled Internet Headers as illustrated below.

    Office 365 Email Message Header

Outlook 2010

  1. Launch Outlook.
  2. Double-click on your particular email message to spawn it into its own window.
  3. Click on File and select Info.
  4. Click on the Properties button to launch the Properties dialog box.
  5. The message header for your email can be found in the large text box labeled Internet Headers.

Exchange Online/Outlook Web Access (OWA)

  • Log in to your account.
  • Double-click on your particular email message to open it in its own window.
  • Click to open the drop-down menu next to the Reply All button.
  • Click Show Message Details.

Gmail

  1. Log in to your Gmail account.
  2. Open an email message.
  3. Click on the ellipsis icon (the one with three dots vertically stacked) and select Show Original.
  4. The message header for your email can be found in the large text box labeled Internet Headers as illustrated below.

Why Analyze Email Message Header?

There are a few reasons why a system administrator or an information security specialist may want to review a message header:

  1. Identify if spoofing (email forgery) is involved
  2. Identify the source of the email
  3. Identify if encryption was used during delivery
  4. Identify potential delivery delays by analyzing timestamps
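
The checks listed above can also be scripted against a pasted header. The following Python sketch is an added example, not part of the original guide; the sample header, its hosts and addresses, and the function names hops and sender_mismatches are constructed for illustration. It walks the "Received" entries from the bottom up, reports the delay and TLS use for each hop, and flags address headers whose domain differs from "From".

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header for illustration (reserved example domains and IPs).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.org with ESMTPS id abc123
\tfor <user@example.org>; Mon, 03 Jun 2024 10:00:45 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id def456;
\tMon, 03 Jun 2024 10:00:40 +0000
Received: from sender-pc (unknown [192.0.2.55])
\tby relay.example.net with ESMTPSA id ghi789;
\tMon, 03 Jun 2024 09:58:10 +0000
From: "Your Bank" <support@bank.example.com>
Reply-To: helpdesk@mailer.example.net
Date: Mon, 03 Jun 2024 09:58:05 +0000
"""

# "with" keywords that indicate the hop was received over TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hops(raw):
    """Return the Received chain oldest-first with per-hop delay and TLS flag."""
    out, prev = [], None
    # Newest entry is on top, so reverse to follow the message's actual path.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")  # unfold, split off date
        when = parsedate_to_datetime(stamp.strip())
        by = re.search(r"\bby (\S+)", info)
        proto = re.search(r"\bwith (\S+)", info)
        out.append({
            "by": by.group(1) if by else "?",
            "tls": bool(proto) and proto.group(1).upper() in TLS_PROTOCOLS,
            "delay_s": (when - prev).total_seconds() if prev else None,
        })
        prev = when
    return out

def sender_mismatches(raw):
    """List headers whose domain differs from From (a prompt to look closer, not proof)."""
    msg = message_from_string(raw)
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return [h for h in ("Return-Path", "Reply-To") if dom(h) and dom(h) != dom("From")]

if __name__ == "__main__":
    print(hops(SAMPLE), sender_mismatches(SAMPLE))
```

Legitimate bulk-mail services often use a bounce domain that differs from "From", so treat a mismatch as a reason to inspect the "Received" chain rather than as a verdict.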

How to Analyze Email Message Header

Analyzing an email message header can help you identify delivery issues (such as delays) or verify the authenticity of the message (such as an email from your "bank" or your "boss"). Attempting to manually read and analyze the header can be confusing and prone to misinterpretation. Fortunately, there are easy-to-use online tools that will do the analysis for you and provide a human-friendly report on the information extracted from the header. You simply paste your message header into the provided text box, click a button, and within seconds your analysis results are ready. The two that we use frequently are the Microsoft Remote Connectivity Analyzer and MXToolbox.

Microsoft Remote Connectivity Analyzer

Located at https://testconnectivity.microsoft.com, the Microsoft Remote Connectivity Analyzer is easy to use. Simply paste your message headers into the text box provided and click the Analyze headers button.


MXToolbox

Located at https://mxtoolbox.com/EmailHeaders.aspx, MXToolbox is also easy to use. Simply paste your email message headers into the provided text box and click Analyze headers.

MXToolbox Email Message Header Analyzer