Understanding Email Headers

Every email tells two stories. The first is the one you write—the subject, the body, the attachments. The second is the story the email writes about itself: where it came from, every server it touched along the way, and whether it can prove it is who it claims to be.

That second story lives in the headers.

The Autobiography of a Message

Email headers are name-value pairs that accumulate as a message travels from sender to recipient. Your email client adds some when you hit send. Every server that handles the message adds more. By the time a message reaches your inbox, it carries a complete record of its journey—a trail of breadcrumbs leading back to its origin.

Header-Name: Header Value
Another-Header: Another Value

Message body starts here...

Most email clients hide this autobiography, showing you only the polished version: From, To, Subject, Date. But the full headers reveal everything—delivery delays, authentication failures, spam verdicts, even signs of forgery.

The Headers Everyone Sees

From: The sender's claimed identity. Note that word: claimed. This header can say anything. It's what the sender asserts, not what's been verified.

From: sender@example.com

To: The primary recipients.

To: recipient1@company.com, recipient2@company.com

Subject: The subject line.

Subject: Project Update for Q4

Date: When the message was composed, including timezone.

Date: Mon, 10 Dec 2025 14:30:00 -0500

Message-ID: A unique identifier generated by the sending server. This is how email systems track conversations and avoid delivering the same message twice.

Message-ID: <abc123.def456@mail.example.com>

The Routing Log

The most revealing headers are the Received headers. Each server that handles a message stamps it with its own Received header, like passport stamps documenting international travel. These accumulate in reverse chronological order—the most recent stamp appears first.

Received: from mail.sender.com (mail.sender.com [198.51.100.25])
    by mail.recipient.com (Postfix) with ESMTPS id 5F7B2A041
    for <user@recipient.com>; Mon, 10 Dec 2025 14:30:15 -0500 (EST)

This single header tells you:

• The message came from mail.sender.com at IP address 198.51.100.25
• It was received by mail.recipient.com running Postfix
• The connection used ESMTPS (encrypted SMTP)
• It arrived at 14:30:15 EST on December 10, 2025

Read Received headers from bottom to top (oldest to newest) to trace a message's complete path. This is how you find where delays happened, where messages were rerouted, or where something went wrong.

The Identity Crisis

Email was designed in an era when the Internet was a small network of universities and research institutions. You could claim to be anyone because why would you lie? Everyone knew everyone.

That assumption aged poorly.

Modern email authentication exists because the From header can say literally anything. Three systems now work together to answer the question the original designers never thought to ask: How do I know you are who you say you are?

SPF (Sender Policy Framework): The sending domain publishes a list of servers authorized to send on its behalf. The receiving server checks if the message came from an authorized source.

DKIM (DomainKeys Identified Mail): The sending server cryptographically signs the message. The receiving server can verify the signature matches, proving the message wasn't modified in transit and came from someone with the domain's private key.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): Ties SPF and DKIM together, telling receiving servers what to do when authentication fails.

The results appear in authentication headers:

Authentication-Results: mail.recipient.com;
    dkim=pass header.d=sender.com;
    spf=pass smtp.mailfrom=sender@sender.com;
    dmarc=pass header.from=sender.com

All three passed. This message can prove it is who it claims to be.

DKIM-Signature: v=1; a=rsa-sha256; d=sender.com; s=selector1;
    h=from:to:subject:date:message-id;
    bh=3c8f9d234a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d;
    b=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4

The DKIM-Signature header contains the actual cryptographic proof—a signature over the headers listed in h= (from, to, subject, date, message-id) that anyone can verify using the public key published in the sender's DNS records.

The Visibility Game

Cc (Carbon Copy): Additional recipients, visible to everyone.

Cc: manager@company.com, team@company.com

Bcc (Blind Carbon Copy): Here's something genuinely strange. Bcc headers exist to be removed. You write them knowing your mail server will strip them before transmission. The Bcc recipients get the message, but no one else can see they were included. It's a message to your own server: "send this to these people too, but don't tell anyone."

Bcc headers never appear in received messages because they were deleted at the source.

Reply-To: Where replies should go, if different from From. Mailing lists use this to direct replies back to the list rather than the original sender.

Reply-To: discussions@mailinglist.com

The Body's Packaging

Email was originally plain ASCII text. MIME (Multipurpose Internet Mail Extensions) extended it to support formatting, international characters, and attachments.

MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

For messages with multiple parts—HTML plus plain text, or attachments—the Content-Type header defines boundaries:

Content-Type: multipart/alternative; boundary="boundary-string"

--boundary-string
Content-Type: text/plain; charset="UTF-8"

Plain text version...

--boundary-string
Content-Type: text/html; charset="UTF-8"

<html><body>HTML version...</body></html>

--boundary-string--

The boundary string acts as a separator, letting the email client know where one part ends and another begins.

The Spam Verdict

Spam filters document their decisions in headers:

X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID
X-Spam-Score: -0.1

This message scored -0.1 against a threshold of 5.0. It passed. The tests list shows what the filter checked—in this case, DKIM signatures were present and valid, which lowered the spam score.

Different spam filters add their own headers: X-Proofpoint-Spam-Details, X-Barracuda-Spam-Score, and countless others. When a legitimate message lands in spam, these headers explain why.

The Conversation Thread

Email clients group related messages using threading headers:

In-Reply-To: The Message-ID of the message being replied to.

In-Reply-To: <abc123.def456@mail.example.com>

References: All Message-IDs in the conversation thread, enabling clients to reconstruct the full history.

References: <msg1@mail.example.com> <msg2@mail.example.com>

This is how Gmail, Outlook, and other clients show replies nested under original messages rather than scattered across your inbox.

Viewing the Full Story

Most email clients hide headers by default. To see everything:

• Gmail: Open the message → three-dot menu → "Show original"
• Outlook: File → Properties, or View → Message → Message Source
• Apple Mail: View → Message → All Headers
• Thunderbird: View → Message Source

What Headers Reveal

When something goes wrong with email, headers tell you what happened:

Delivery delays: Timestamps in Received headers show where messages sat waiting. If there's a two-hour gap between one server receiving the message and the next, you've found your bottleneck.

Authentication failures: Authentication-Results shows which checks failed. SPF failures often mean the sender's DNS isn't configured correctly. DKIM failures might indicate message modification in transit.

Spam classification: X-Spam headers explain the verdict. Sometimes legitimate mail triggers filters because of specific words, suspicious links, or missing authentication.

Forgery detection: Compare the From header with the Received headers. If someone claims to be from bigcompany.com but the Received headers show the message originated from a server in a completely different country with no connection to that domain, you're looking at a spoofed message.

What Headers Expose

Headers reveal more than senders might intend:

• Internal IP addresses leak through Received headers when mail routes through corporate networks
• X-Mailer headers identify your email client and version
• Timestamps expose your timezone and when you're active
• Server hostnames reveal infrastructure details

Some organizations configure their mail servers to minimize header information, though excessive header stripping can itself trigger spam filters—it looks like you're hiding something.