Introduction to email headers
Summary
Email headers contain metadata about an email, including sender, recipient, routing, and security information. This guide introduces you to email headers, how to access them, and explains common fields including authentication mechanisms like DKIM and SPF.
What are email headers? #
Email headers are metadata attached to every email message. They contain information about the sender, recipient, routing, and security features. Headers help email servers deliver messages correctly and allow users to diagnosing delivery issues, verifying authenticity, and understanding the technical anatomy of an email.
How to view raw email headers #
Most email clients provide two ways to view headers:
- Standard headers
A simplified version showing only the basic information like sender, recipient, and subject. - Raw headers
The complete set of headers in their original format.
To switch between them:
- Open the an email in your client.
- Look for an option like View Headers, All Headers, Show Original, or View Source.
The exact steps vary by client, but most provide similar functionality.
When you select this option, you will see the raw structure of the email, including all metadata fields not normally displayed in the email interface. This can help you trace the message path and verify its legitimacy.
Common email header fields #
Email headers are structured according to the Internet Message Format defined in RFC 5322. Each header consists of a field name followed by a colon and the field value. Here are the most commonly found header fields:
From #
The email address of the sender.
From: Alice Example <alice@example.com>
To #
The primary recipient(s) of the email.
To: Bob Example <bob@example.org>
Cc #
Stands for “Carbon Copy”, for secondary recipients.
Cc: Carol Example <carol@example.net>
Bcc #
Stands for “Blind Carbon Copy”, for hidden recipients.
Bcc: Dave Example <dave@example.com>
The Bcc field is not visible in the received email header, but it can be present in the original source.
Date #
The date and time when the email was sent.
Date: Mon, 8 Apr 2025 10:23:45 -0400
Subject #
The subject line of the message.
Subject: Meeting reminder for Thursday
Message-ID #
A unique identifier for the email message.
Message-ID: <uniqueid.123456789@example.com>
Reply-To #
The email address to which replies should be sent.
Reply-To: Alice Example <reply@example.com>
In-Reply-To #
References a parent email’s Message-ID. This header is used to associate a reply with the original message in an email thread, helping email clients display messages in a conversational view.
In-Reply-To: <original-message-id@example.com>
Return-Path #
The email address where bounce messages are sent.
Return-Path: <bounce@example.com>
Received #
A list of servers that handled the message, added in reverse order.
Received: from smtp1.example.com (smtp1.example.com [192.0.2.1])
by mail.receiver.org with ESMTPS id abc123
for <bob@example.org>; Mon, 8 Apr 2025 10:23:40 -0400
Delivered-To #
The final recipient address used by the mail server.
Delivered-To: bob@example.org
MIME-Version #
Specifies the version of Multipurpose Internet Mail Extensions (MIME) used.
MIME-Version: 1.0
Content-Type #
Describes the media type of the message body, such as text/plain or text/html.
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding #
Describes how the email body is encoded for transport.
Content-Transfer-Encoding: quoted-printable
References #
Lists Message-IDs of related emails in a thread. This field includes the Message-IDs of the previous emails in the conversation, allowing for proper threading and context tracking.
References: <first-message-id@example.com> <original-message-id@example.com>
Precedence #
Used for bulk/auto-replies (e.g., bulk, list, junk). This header helps mail servers and autoresponders determine how to handle the message, especially to suppress automatic responses to mass emails.
Precedence: bulk
Security-related headers #
Security-related email headers provide critical information about the authentication and trustworthiness of a message. Among other purposes, they help verify the sender’s identity, detect spoofing, and ensure the message has not been tampered with during transit.
Authentication-Results #
Shows the results of email authentication checks such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). This header is added by the receiving server and is key for verifying whether the message passed or failed authentication.
Authentication-Results: mx.example.org;
spf=pass smtp.mailfrom=example.com;
dkim=pass header.d=example.com;
dmarc=pass (p=none sp=none dis=none) header.from=example.com
DomainKeys Identified Mail (DKIM) #
DKIM adds a digital signature to verify the sender’s domain and detect tampering. The header looks like:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
c=relaxed/relaxed; q=dns/txt; h=from:to:subject:date;
bh=...base64-hash...; b=...digital-signature...
Also see: Understanding DKIM.
DMARC-Filter #
Contains the applied DMARC policy or processing status from a DMARC filtering service. While not standardized, some mail servers include this to log how a message aligns with the sending domain’s DMARC policy.
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.example.org A1BC1234
Sender Policy Framework (SPF) #
SPF checks if the sender’s IP is authorized for the domain. While SPF itself does not have a dedicated header, its results appear in headers like:
Received-SPF: pass (example.com: domain of sender@example.com
designates 192.0.2.1 as permitted sender)
Also see: Understanding SPF.
ARC-Authentication-Results #
Part of the Authenticated Received Chain (ARC) system, this field captures the authentication results from an intermediate server that handled the message. It allows forwarders (such as mailing lists) to preserve original authentication outcomes.
ARC-Authentication-Results: i=1; mx.example.org;
spf=pass smtp.mailfrom=example.com;
dkim=pass header.d=example.com;
dmarc=pass header.from=example.com
ARC-Seal #
Provides a cryptographic seal that vouches for the validity of the ARC set at a specific point in the forwarding chain. It ensures that the authentication results and message signature have not been tampered with.
ARC-Seal: i=1; a=rsa-sha256; d=example.org; s=arcselector;
t=1681234567; cv=pass;
b=Zyx123abc456...
ARC-Message-Signature #
Digitally signs the content of the email and header fields included in the ARC chain. This works similarly to DKIM but applies to intermediaries forwarding the message.
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.org; s=arcselector;
h=from:to:subject:date;
bh=examplehash;
b=Def789ghi012...
Routing & delivery headers #
These headers provide additional metadata about how the email was routed and processed. They are often added by mail servers or email clients for tracing, debugging, and filtering purposes.
Custom headers, starting with X-, are non-standard and vary by email provider.
X-Originating-IP #
Indicates the IP address of the original sender. This is often added by webmail interfaces or proxy servers.
X-Originating-IP: [192.0.2.55]
X-Mailer #
Identifies the email client or software used to send the message.
X-Mailer: Microsoft Outlook 16.0
X-Priority #
Indicates the priority level of the email, with values typically ranging from 1 (high) to 5 (low).
X-Priority: 1 (Highest)
X-Spam-Status #
Reports the result of a spam scan. It usually includes Yes or No along with additional metadata.
X-Spam-Status: No, score=1.0 required=5.0 tests=HTML_MESSAGE,DKIM_SIGNED
X-Spam-Score #
Provides a numeric score indicating the likelihood that the message is spam. Higher scores suggest higher spam probability.
X-Spam-Score: 3.2
X-Forwarded-For #
Indicates the original IP address of a sender when behind a proxy or load balancer, commonly used in multi-hop environments.
X-Forwarded-For: 198.51.100.22
X-Received #
Used by some email providers to include extra Received-like tracking information for internal routing or anti-abuse checks.
X-Received: by 2002:a0c:f3d:: with SMTP id xyz123abc;
Mon, 08 Apr 2025 10:15:00 -0700 (PDT)
Miscellaneous & custom headers #
These headers cover specialized features, mailing list functionality, user tracking, and client-specific data. Many of these are non-standard but widely used in practice.
List-ID #
Uniquely identifies the mailing list to which the email belongs. Useful for filtering and organizing list traffic.
List-ID: <dev-list.example.com>
List-Unsubscribe #
Provides a method (often a URL or mailto link) for unsubscribing from a mailing list.
List-Unsubscribe: <mailto:unsubscribe@example.com>, <https://example.com/unsubscribe>
X-Complaints-To #
Specifies the email address where abuse or spam complaints should be directed.
X-Complaints-To: abuse@example.com
X-Auto-Response-Suppress #
Prevents automatic responses such as out-of-office replies. Common values include OOF, AutoReply, or All.
X-Auto-Response-Suppress: OOF
X-UIDL #
Unique identifier used by Post Office Protocol version 3 (POP3) servers to track downloaded messages.
X-UIDL: 123456789.00001.mta1.example.com
X-Confirm-Reading-To #
Requests a read receipt from the recipient’s email client.
X-Confirm-Reading-To: alice@example.com
X-MS-Has-Attach #
Indicates that the message contains an attachment. Primarily used by Microsoft Outlook and Exchange servers.
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator #
Used by Microsoft systems to associate Transport Neutral Encapsulation Format (TNEF) encoded data, often related to Rich Text formatting.
X-MS-TNEF-Correlator: abcdef1234567890
FAQ's #
Most common questions and brief, easy-to-understand answers on the topic:
What is the purpose of email headers?
Email headers contain metadata about the email, including sender, recipient, routing information, and security details like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).
How do I view raw email headers?
Most email clients allow you to view raw headers by opening the email, accessing the menu or options, and selecting View Headers, All Headers, or Show Original.
What is DKIM in email headers?
DomainKeys Identified Mail (DKIM) is an email authentication method that uses a digital signature to verify the sender's domain and detect tampering.
Why is SPF important in email headers?
Sender Policy Framework (SPF) helps prevent email spoofing by verifying that the sender's IP address is authorized to send emails for the domain.
Can email headers be forged?
Some parts of the email header, such as the From field, can be spoofed. However, fields added by trusted mail servers are more difficult to forge.
Further readings #
Sources and recommended, further resources on the topic:
- RFC 5322 Internet Message Format
- DKIM.org Official DKIM Resources
- Wikipedia: Sender Policy Framework
- OpenSPF: Sender Policy Framework
Author
Jonas Jared Jacek (J15k)
Jonas works as project manager, web designer, and web developer since 2001. On top of that, he is a Linux system administrator with a broad interest in things related to programming, architecture, and design. See: https://www.j15k.com/License
Introduction to email headers by Jonas Jared Jacek is licensed under CC BY-SA 4.0.
This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, for noncommercial purposes only. To give credit, provide a link back to the original source, the author, and the license e.g. like this:
<p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://www.ditig.com/introduction-to-email-headers">Introduction to email headers</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://www.j15k.com/">Jonas Jared Jacek</a> is licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" target="_blank" rel="license noopener noreferrer">CC BY-SA 4.0</a>.</p>For more information see the Ditig legal page.
