
Did you ever get an email and really wonder where it came from? Who sent it? How could they have known who you are? Surprisingly, a lot of that information can be found in the email header, or by using information from the header to do some detective work.

The header is a part of the email message that most people never even see. It contains a lot of data that seems like gobbledygook to the average computer user, so as email use became a daily tool in everyone’s life, email clients started to hide this information out of convenience for you. These days, it can even be a bit troublesome to unhide the header, even for those who know it is there. There are so many different email clients out there, both desktop and web-based, that to cover how to unhide the email header could end up being a small book. Today, we’re just going to focus on how to unhide the header in Gmail, and then look at what we can glean from the header.

What is an Email Header?

An email header is a collection of information that documents the path by which the email got to you. There may be a lot of information in the header or just the basics. There is a standard for what information should be included in a header, but not really a limit to what information an email server might put into the header. If you are curious about what a standard for an email protocol looks like, check out RFC 5321 – Simple Mail Transfer Protocol. It’s a bit hard on the head, especially if you don’t need to know this stuff.

Gmail – Unhide the Email Header

Once you have an email message open in Gmail, click on the downward facing arrow near the top-right hand corner of the message. A new menu will show itself. Click on Show original to see the raw email message with its full contents and header revealed.


A new window or tab will open and you’ll see a plain text version of your email with the header at the top, of course. The content of the header will look something like this:


Delivered-To: guy@makeuseof.com
Received: by 10.223.200.70 with SMTP id ev6csp162209fab;
Mon, 29 Jul 2013 14:15:09 -0700 (PDT)
X-Received: by 10.236.227.202 with SMTP id d70mr27737943yhq.86.1375132508769;
Mon, 29 Jul 2013 14:15:08 -0700 (PDT)
Return-Path: <gmcdowell@somecompany.com>
Received: from mx21.exchange.telus.com (MX21.exchange.telus.com. [205.206.208.34])
by mx.google.com with ESMTPS id y27si28720489yhc.101.2013.07.29.14.15.08
for <guy@makeuseof.com>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 29 Jul 2013 14:15:08 -0700 (PDT)
Received-SPF: neutral (google.com: 205.206.208.34 is neither permitted nor denied by best guess record for domain of gmcdowell@somecompany.com) client-ip=205.206.208.34;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 205.206.208.34 is neither permitted nor denied by best guess record for domain of gmcdowell@somecompany.com) smtp.mail=gmcdowell@somecompany.com
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkYBAN3a9lHNztK7hGdsb2JhbABYA4JCebVsiEWBHBYOAQEBChZDgiQBAQEEBSAIARsoAhQEARUQAQEBCh4FEAEDCQIMJgEEEgEGAgaIAgyYE6BeBI5KfggOCyiDB28DiSqCBIYRAVmJM4JZjjkdgTU
X-IronPort-AV: E=Sophos;i="4.89,772,1367992800";
d="jpg'145?scan'145,208,217,145";a="14712973"
Received: from unknown (HELO mail.exchange.telus.com) ([205.206.210.187])
by mx21.exchange.telus.com with ESMTP/TLS/AES128-SHA; 29 Jul 2013 15:15:07 -0600
Received: from HEXMBVS12.hostedmsx.local ([10.9.6.115]) by
HEXHUB13.hostedmsx.local ([::1]) with mapi; Mon, 29 Jul 2013 15:13:48 -0600
From: Guy McDowell <gmcdowell@somecompany.com>
To: "guy@makeuseof.com" <guy@makeuseof.com>
Date: Mon, 29 Jul 2013 15:15:03 -0600
Subject: What’s an E-mail Header?
Thread-Topic: What’s an E-mail Header?
Thread-Index: Ac6MoKVNNmE/49PeSfezKxVNOP2KEQ==
Message-ID: <5FE22E33565B894BBE2CB78DD0396DA01808A1B1B2@HEXMBVS12.hostedmsx.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
boundary="_004_5FE22E33565B894BBE2CB78DD0396DA01808A1B1B2HEXMBVS12host_";
type="multipart/alternative"
MIME-Version: 1.0

That’s nice. What does that mean?

How is the Email Header Created?

By knowing how the header is created along the path an email travels, you will develop keener insight into what a header’s data means. Let’s look at the parts as they are added, and what the most important parts mean.

On the Sender’s Computer


Part of the header is created when the sender composes the email to send to the recipient. This will include such information as when the email was composed, who composed it, the subject line and to whom the email is being sent. This is the part of the header that you are most familiar with, seen as the Date:, From:, To:, and Subject: lines at the top of your email.

From: Guy McDowell <gmcdowell@somecompany.com>
To: "guy@makeuseof.com" <guy@makeuseof.com>
Date: Mon, 29 Jul 2013 15:15:03 -0600
Subject: What’s an Email Header?

On the Sender’s Email Service


More information is added to the header once the email is actually sent. This is provided by the email service that the sender is using. In this case, the sender is using a hosted email service, so the IP address shown is an address that is internal to the service provider's network. Performing a WHOIS search on it will not provide any useful information. What we can do is perform a Google search on the server name HEXMBVS12.hostedmsx.local, which reveals that the service provider is Telus. If we do some digging around on the Telus website, we'll find that they offer a Hosted Microsoft Exchange service. That suggests that the sender is probably using Microsoft Outlook, Outlook Express, or Outlook Web Access. Information added here includes the IP address of the sender ([10.9.6.115]), the time the message was handled by the sender's email service (Mon, 29 Jul 2013 15:13:48 -0600), and the Message-ID for that particular message as added by the email service (5FE22E33565B894BBE2CB78DD0396DA01808A1B1B2@HEXMBVS12.hostedmsx.local).

Received: from HEXMBVS12.hostedmsx.local ([10.9.6.115]) by HEXHUB13.hostedmsx.local ([::1]) with mapi; Mon, 29 Jul 2013 15:13:48 -0600
Message-ID: <5FE22E33565B894BBE2CB78DD0396DA01808A1B1B2@HEXMBVS12.hostedmsx.local>

Along the Way to the Recipient’s Email Service

From there, the email may take any number of routes to end up at the recipient's email service. Each server that handles the message adds a Received: line to the header, and together these lines show the 'hops' the email had to make to get to you. The hops are listed in reverse chronological order: the first Received: line is from the server that most recently handled the email, and the last is from the server that originally handled it. In this example, all the hops before the final one are internal to the sender's email service.

Third, and Final Hop

Received: from mx21.exchange.telus.com (MX21.exchange.telus.com. [205.206.208.34])
by mx.google.com with ESMTPS id y27si28720489yhc.101.2013.07.29.14.15.08
for <guy@makeuseof.com>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 29 Jul 2013 14:15:08 -0700 (PDT)
Received-SPF: neutral (google.com: 205.206.208.34 is neither permitted nor denied by best guess record for domain of gmcdowell@somecompany.com) client-ip=205.206.208.34;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 205.206.208.34 is neither permitted nor denied by best guess record for domain of gmcdowell@somecompany.com) smtp.mail=gmcdowell@somecompany.com
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkYBAN3a9lHNztK7hGdsb2JhbABYA4JCebVsiEWBHBYOAQEBChZDgiQBAQEEBSAIARsoAhQEARUQAQEBCh4FEAEDCQIMJgEEEgEGAgaIAgyYE6BeBI5KfggOCyiDB28DiSqCBIYRAVmJM4JZjjkdgTU
X-IronPort-AV: E=Sophos;i="4.89,772,1367992800";
d="jpg'145?scan'145,208,217,145";a="14712973"

Third Hop Explanation
This is the hop that takes the message from Telus to the recipient's email server. We can tell that it was received by mx.google.com, so the recipient has their email service with Google. Here it is good to note the Received-SPF: line. SPF, or Sender Policy Framework, is a standard by which the sender's domain can declare which mail servers are permitted to send email on its behalf. In this case, the qualifier is neutral, which means that nothing can be said about the validity of this e-mail, good or bad. Had it registered as fail, it would have been rejected by Gmail's servers. If it were softfail, Gmail would have accepted it, but flagged it as possibly not being from whom it says it is from.

Just below that, you’ll also see three lines starting with X-IronPort-Anti-Spam. The first, X-IronPort-Anti-Spam-Filtered: true, is tacked on by Telus’ IronPort anti-spam appliance. IronPort is a part of Cisco, so it’s considered to be pretty reliable. The X-IronPort-Anti-Spam-Result line is meant solely for the IronPort appliances and cannot be decoded for human eyes – unless you work for Cisco and need to decode it. The third, X-IronPort-AV, shows that the sender has their own anti-spam appliance from Sophos. It could have read McAfee or Norton, or whatever filter your email goes through. As the recipient, this can give you a little more confidence that the email is valid.

Second Hop

Received: from unknown (HELO mail.exchange.telus.com) ([205.206.210.187])
by mx21.exchange.telus.com with ESMTP/TLS/AES128-SHA; 29 Jul 2013 15:15:07 -0600

Second Hop Explanation
It becomes obvious here that Telus is the service provider. If there is any doubt about this, perform a WHOIS check on the IP address shown: 205.206.210.187. If you aren't familiar with what a WHOIS check is or how to do one, take a read over Dave Leclair's review, WhoIsrequest: Find Out WhoIs Information About Any Site. You'll find that the IP address also leads to Telus. That gives you a little more confidence that the email is legitimate. We can also tell that the message took a little over one minute to go from the first hop to the second hop. That doesn't tell us a whole lot unless you're a network engineer. In theory, you could calculate roughly how far apart the two servers are.

First Hop

Received: from HEXMBVS12.hostedmsx.local ([10.9.6.115]) by
HEXHUB13.hostedmsx.local ([::1]) with mapi; Mon, 29 Jul 2013 15:13:48 -0600

First Hop Explanation
The first hop is the sender's email server receiving his email message. At this point the email is still moving internally within the sender's email service's network. You can tell by the fact that the IP address starts with 10. IP addresses that start with 10 are reserved for private, internal use only and are never routed on the public Internet.

At the Recipient’s E-mail Server

Delivered-To: guy@makeuseof.com
Received: by 10.223.200.70 with SMTP id ev6csp162209fab;
Mon, 29 Jul 2013 14:15:09 -0700 (PDT)
X-Received: by 10.236.227.202 with SMTP id d70mr27737943yhq.86.1375132508769;
Mon, 29 Jul 2013 14:15:08 -0700 (PDT)
Return-Path: <gmcdowell@somecompany.com>


Once it gets to the recipient's email service, more information is added to the header: which of the recipient's email service's servers received it and when, what email server the message was received from, the intended recipient's email address, and the sender's stated 'reply to' email address. Back in the Third Hop, we saw that the recipient's email service was with Google. We can tell that this email was received by one internal server and passed on to another, from 10.236.227.202 to 10.223.200.70. Most importantly, we can tell by the Return-Path: <gmcdowell@somecompany.com> that the address replies go to and the address of the sender are the same. This also tells us that there is a good chance this email is legitimate.

Other Things from Other Headers

This particular email header is limited in its information because a hosted email service is being used. If the sender were using their own email server, we might be able to gain a little more information. We might be able to determine exactly what mail client they are using. Or we could perform a WHOIS on the sender's IP address and get an approximate location of the sender. We could also perform a simple web search on the sender's domain and see if there is a website for them. Based on that website, we may be able to find out even more information about the sender. You might conduct a web search on the email address itself and start doxing the person. If you're not familiar with the concept of 'doxing', read Joel Lee's What Is Doxing & How Does It Affect Your Privacy? [MakeUseOf Explains]. Also take a read over Ryan Dube's article, 15 Websites to Find People On The Internet.

The Take Away

All electronic communications leave footprints. Some are larger and easier to follow. Some are obscured by web filters and proxy servers. Either way, what is left behind tells us something about the person that created them. From that metadata, we might conduct further investigations to learn more about the people involved. Are they hiding something by using a VPN? Are they really from a legitimate business with a legitimate web presence? Is this someone I really want to go on a date with? What can ordinary people learn about me, let alone the NSA?

Take a look at your email headers and see what they say about you. If you find some header lines that don’t make much sense, put them in the comments and we’ll try to decode them. Have you had to do some email header investigating? Tell us about it! That’s how we all learn.

Image Credit: Server Room by torkildr via Flickr.


  1. shawn t
    January 12, 2017 at 10:05 pm

    Gary, great article. I was doing some investigating on an issue with our mail here. We have one particular external sender that had two internal people on his mail but it was only delivered to one of them. Looking at the header, the original portion included the two recipients, but along one of the hops, an X-MDaemon-Deliver-To header was added with only one of the recipients listed under it. Looking at the Exchange SMTP receive logs, the SMTP communication only shows the delivering server asking to deliver the mail to the one person and not both, so the mail was delivered accordingly, only to one person, even though the original header shows both persons. MDaemon is by Alt-N Technologies. Is it possible for intermediary hops to add headers that modify the delivery of the mail? Do you think this is what happened here?

    Thanks for your input

    Shawn

  2. Sankar
    January 11, 2017 at 10:04 am

    Dear ,

    I got a spam error (***[SUSPECTED SPAM]***) in the Subject line. How do I filter it? Anyone please help me.

    Thanks.

  3. Anonymous
    September 8, 2015 at 11:08 am

    Hey there,

    shouldn't the message id contain the host who sent the message?
    I have a mail at my gateway with message id and this message couldn't be delivered to the user's mailbox (Lotus Notes). I wonder if this is an error of the sender or a problem in my environment...

    I would be thankful for any hints!

    Regards,
    Florian

    • Anonymous
      September 8, 2015 at 11:16 am

      I'm sorry, the message ID got lost in my posting. So here it is: 55dc318bf3071_4d92d4fe18365277@i-1f4ebde2.mail

      • Guy McDowell
        September 8, 2015 at 4:45 pm

        It should. But, in your example it's saying the host that sent it was i-1f4ebde2.mail.

        I don't know what that means, but if I was guessing I'd say that it was an e-mail server on your network OR someone has obfuscated the host name somehow.

        Sorry, that's a bit beyond my knowledge.

  4. Mayank
    April 3, 2015 at 7:48 am

    Hi, I have received an email from an anonymous person using the Gmail service. I have tried my best, going through various articles over the net, to trace the IP of the sender. However, I could only trace it to the Google servers in California. Please do let me know if there is a way I could locate at least which city he sent this email from, or in which city he created this email.

    Cheers

  5. Chris
    December 9, 2014 at 3:03 pm

    Can the header show my actual location at the time I sent the email? I sent an email from an iPad using AT&T data. I was at my home at the time it was sent. The person receiving the email believes the header on that email can place me at a location 75 miles away. How can that be possible? I know where I was.

  6. Dave Pointon
    November 24, 2013 at 5:36 am

    I have investments with this guy and he sends me emails from all over the world, but I think he is lying as to where he sends them from. This one was sent from China but my investigation says it's from California. Can you take a look at the header and tell me what you think?

    Delivered-To: pointon.dave@gmail.com
    Received: by 10.76.97.234 with SMTP id ed10csp157962oab;
    Mon, 18 Nov 2013 23:05:01 -0800 (PST)
    X-Received: by 10.69.19.161 with SMTP id gv1mr6638432pbd.134.1384844701330;
    Mon, 18 Nov 2013 23:05:01 -0800 (PST)
    Return-Path:
    Received: from mail-pb0-f49.google.com (mail-pb0-f49.google.com [209.85.160.49])
    by mx.google.com with ESMTPS id vs7si11296856pbc.55.2013.11.18.23.05.00
    for
    (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
    Mon, 18 Nov 2013 23:05:01 -0800 (PST)
    Received-SPF: softfail (google.com: domain of transitioning neil@freevi.com does not designate 209.85.160.49 as permitted sender) client-ip=209.85.160.49;
    Authentication-Results: mx.google.com;
    spf=softfail (google.com: domain of transitioning neil@freevi.com does not designate 209.85.160.49 as permitted sender) smtp.mail=neil@freevi.com
    Received: by mail-pb0-f49.google.com with SMTP id jt11so3371878pbb.36
    for ; Mon, 18 Nov 2013 23:05:00 -0800 (PST)
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20130820;
    h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc
    :content-type;
    bh=ldNqgD6+ZwsGPN4i5G9JHhv6bXp9dZfBa8qtMI8YshM=;
    b=c2Q/PMt9MM2PwWufwES74DpwsGqsvqC2sGC0rKRDBTpq5se3V0/23yPRwpDo+8ZGa+
    tr6WtKvzEHFb+A3zuadQdgk5+a9QN4Kp7K8E4EsQslCwVQDvSGH18ePFpC9JRpt8n5Ua
    lvIoShiLKfjFBBiRQrXuU8yqmkRf8NScSxbbNxamFlR+lcsOfHN/q0hgjmdFM2nHAvrl
    YcsJcdGvBcKnUuN94mL9OCP0MiNlnItwyv31DTL5L427IYJ1dSRzMiFHXskGxCG40y9Q
    0QQR0YE2Zq4Dy39cQtedNJW5Q8aELJZLV7fu5V0fe8vMD+C85z9xn9wJFSw3o/tI7lEP
    M8Ng==
    X-Gm-Message-State: ALoCoQkNVgOq8HCUQrRycWyq4K82UXKuSAbjOzE8vJ1ljqzJ8Hha9j+8pO5TNLAuTbzkYkMsF16u
    MIME-Version: 1.0
    X-Received: by 10.66.184.168 with SMTP id ev8mr5772576pac.152.1384844700713;
    Mon, 18 Nov 2013 23:05:00 -0800 (PST)
    Received: by 10.69.26.137 with HTTP; Mon, 18 Nov 2013 23:05:00 -0800 (PST)
    Date: Mon, 18 Nov 2013 23:05:00 -0800
    Message-ID:
    Subject: Insider Report #3 19/11/13
    From: Neil Chandran
    To: "Neil ."
    Cc: "Compliance ."
    Content-Type: multipart/alternative; boundary=047d7bdc78ea74a25e04eb8248c1
    Bcc: pointon.dave@gmail.com

    --047d7bdc78ea74a25e04eb8248c1
    Content-Type: text/plain; charset=ISO-8859-1

    Dear Insider,

    We are in Shenzen approaching 2pm and attending to the 2nd voluntary
    portion of the affidavit asserting our sole disbursement via Europay today.
    Upon completion of this component we will be providing electronic scans of
    the affidavits to Europe for confirmation that their request has been met
    after which we will be cleared for registration in DC and disbursement.

    We will complete the affidavits, confer with Europe and then issue a report
    by morning US time, confirming disbursement status. We are a couple of
    hours away from open in Europe where the FCA can provide confirmation that
    the documents are in order.

    Regards,

    Neil Chandran

  7. Diana Ronchetti
    September 17, 2013 at 3:30 pm

    Somebody sent me an email. That person has two computers. He always sent me email from the first computer. Now he sent me an email from the other one. It was probably sent from the same network, as he has only one. Could I find out the name of who pays for the network if I have his IP address? Thank you

    • Guy M
      September 19, 2013 at 1:05 pm

      Probably not. You may be able to determine who is his Internet Service Provider, however the ISP should not release billing details to anyone but the account owner and designated people. Sorry.

      Is there a larger problem that you are trying to solve? If so, we might be able to help you in our Q&A section.

      If it's something you don't want discussed in a public forum, I can still try to help you. Just e-mail me at guy@makeuseof.com. I can't promise anything other than looking at the situation and letting you know if I can help or not.

  8. Scott
    August 23, 2013 at 12:10 am

    What has happened to you? There are so many ads surrounding this article I can't read it.
    Everyone succumbs eventually.

    • Guy M
      August 23, 2013 at 1:08 pm

      I can't personally take credit for that, but we all got bills to pay. At the same time, you do have the choice to use Evernote Clearly.

      The nice thing about Clearly is that we still get our ad impressions, and you get your easier-to-read article. Win-Win as the self-help people say. Who knows, you might actually see an ad that is of use to you? I actually have.

  9. greebo
    August 16, 2013 at 8:43 am

    Very interesting, like it, thanks.

  10. Mack McManus
    August 15, 2013 at 4:03 pm

    Very informative, thank you. On TV cop shows, some resident nerd/geek/cop will be at a laptop, and suddenly declaim the source of the email, even though "they used several proxies". Now, is this sort of what they are referring to having accomplished, and can you actually pick through a mail path containing one or more proxy servers? I realize that for drama's sake there are more than a few keystrokes involved.

  11. Saumyakanta S
    August 15, 2013 at 9:42 am

    Good work, MUO, for sharing this knowledge.

  12. Shafiq Khan
    August 14, 2013 at 9:25 am

    I also sometimes notice X-Mailer in the headers which tells the software the sender used to send the message.