Understanding raw email headers
Emails are a ubiquitous part of our daily communication, but beneath the polished interfaces of our email clients lies a trove of detailed information embedded in what are known as email headers. For those involved in cybersecurity, IT, or simply curious about the intricacies of email, raw email headers offer invaluable insights. This comprehensive guide will explain what raw email headers are, why they are important, and how to read them in detail.
What Are Raw Email Headers?
Raw email headers are the metadata of an email, containing detailed information about the sender, recipient, the route taken by the email, and much more. They act as the email’s digital fingerprint, providing a thorough log of its journey from the sender to the recipient. Unlike the email body, which contains the actual message, headers are located at the top of the email’s source code and are usually hidden from regular view.
Importance of Raw Email Headers
- Tracing the Source of an Email: Raw email headers reveal the path an email took, including all the servers it passed through. This information is crucial for identifying the true origin of an email, which is essential in cases of phishing, spam, or email spoofing.
- Diagnosing Delivery Issues: If an email is delayed or fails to reach its destination, the headers can help pinpoint where the issue occurred, whether it’s due to a server problem or a misconfiguration.
- Ensuring Security: Email headers can indicate if an email has been tampered with and display authentication results from protocols like SPF, DKIM, and DMARC, which help verify the sender’s legitimacy.
- Analyzing Performance: For businesses, email headers provide insights into email campaign performance by showing delivery times, server response times, and more.
Accessing Raw Email Headers
Accessing raw email headers varies depending on the email client you use:
- Gmail: Open the email, click the three dots in the top right corner, and select "Show original."
- Outlook: Open the email, click "File" > "Properties," and look for the "Internet headers" section.
- Apple Mail: Open the email, click "View" > "Message" > "All Headers."
- Thunderbird: Open the email, go to "View" > "Headers" > "All."
Breaking Down the Components
Raw email headers can seem daunting at first, but breaking them down into their components makes them easier to understand. Here are some key components you’ll find in raw email headers:
From: John Doe <john.doe@example.com>
From: This field indicates the email address of the sender.
To: Jane Smith <jane.smith@example.com>
To: This field shows the email address of the recipient.
Subject: Meeting Agenda for May 2023
Subject: The subject line of the email.
Date: Mon, 15 May 2023 14:58:59 -0700
Date: The date and time the email was sent.
Message-ID: <1234567890@mail.example.com>
Message-ID: A unique identifier for the email, generated by the sending mail server. See RFC 5322 Section 3.6.4.
Received: from mail.example.com (mail.example.com [192.168.1.1]) by smtp.example.com with ESMTP id abc123; Mon, 15 May 2023 14:59:00 -0700
Received: This is one of the most critical headers, as it lists each mail server that has handled the email on its way from the sender’s server to the recipient’s server. Each mail server that processes the email prepends its own "Received" line, so the topmost line belongs to the most recent hop. See RFC 5321 Section 4.4.
Return-Path: <bounce@example.com>
Return-Path: The address where non-delivery notifications (bounces) are sent. See RFC 5321 Section 4.4.
Authentication-Results: spf=pass (sender SPF authorized) smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Authentication-Results: This header shows the results of various email authentication checks, such as SPF, DKIM, and DMARC. See RFC 8601.
MIME-Version: 1.0
MIME-Version: Indicates the MIME version used in the email, which helps email clients understand how to process the email content. See RFC 2045.
Content-Type: text/plain; charset=UTF-8
Content-Type: Specifies the media type and character encoding of the email body, ensuring the email client knows how to display the message correctly. See RFC 2046.
X-Mailer: Apple Mail (2.3445.104.21)
X-Mailer: Indicates the software used to send the email. This can be useful for identifying automated or mass email systems.
Interpreting Raw Email Headers
Interpreting raw email headers requires understanding the context provided by each component. Here’s a step-by-step approach:
- Check the Received Fields: These fields show the servers that processed the email, listed in reverse order (the first line is the last server to handle the email). This can help trace the email’s route and detect any anomalies or detours that might indicate tampering.
Received: from mail.example.com (mail.example.com [192.168.1.1]) by smtp.example.com with ESMTP id abc123; Mon, 15 May 2023 14:59:00 -0700
- Verify Authentication Results: Look at the SPF, DKIM, and DMARC results to ensure the email hasn’t been spoofed. These protocols help verify the sender’s identity and ensure the email’s integrity.
Authentication-Results: spf=pass (sender SPF authorized) smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
- Analyze Dates and Times: Compare the "Date" header with the timestamps in the "Received" headers to spot any delays or inconsistencies. The difference between these times can help identify where delays occurred.
Date: Mon, 15 May 2023 14:58:59 -0700
- Check the Message-ID: This unique identifier can help track an email through various systems and detect duplicates or related emails in a thread.
Message-ID: <1234567890@mail.example.com>
- Return-Path Analysis: The return-path can be useful to understand where bounce messages will be sent, which is particularly important for bulk email senders.
Return-Path: <bounce@example.com>
Advanced Analysis: Case Study
Let’s consider an example email to illustrate how to interpret raw email headers in practice. Suppose you receive an email that appears suspicious. Here’s how you might analyze its headers:
- Inspect the Received Headers:
Received: from suspicious-domain.com (suspicious-domain.com [10.10.10.10]) by securemail.example.com with ESMTP id def456; Mon, 15 May 2023 14:59:00 -0700
This header indicates that the email passed through a server at "suspicious-domain.com," which might not be a legitimate or recognized server. The IP address can be cross-referenced with known malicious IP addresses.
- Check Authentication Results:
Authentication-Results: spf=fail (sender SPF not authorized) smtp.mailfrom=suspicious-domain.com; dkim=fail header.d=suspicious-domain.com; dmarc=fail (p=NONE dis=NONE) header.from=suspicious-domain.com
The authentication results show that the email failed SPF, DKIM, and DMARC checks, indicating it may be spoofed and should be treated with caution.
- Analyze Timing:
Date: Mon, 15 May 2023 14:58:59 -0700
Compare this with the timestamps in the Received headers to detect any inconsistencies that might suggest tampering.
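The following Python script is an added example, not part of the original article: it applies the step-by-step checks above to the case-study headers, walking the Received chain oldest-first, reading the SPF/DKIM/DMARC verdicts, checking that the DMARC header.from domain matches the visible From: domain, and comparing the Date: header with each hop’s timestamp. The header block is constructed from the article’s sample values; the second Received: hop and the 300-second delay threshold are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real message: the case-study headers plus a second
# hop so the transit-time check has something to measure.
RAW = """\
Received: from securemail.example.com (securemail.example.com [192.168.1.2]) by inbox.example.com with ESMTP id ghi789; Mon, 15 May 2023 15:10:00 -0700
Received: from suspicious-domain.com (suspicious-domain.com [10.10.10.10]) by securemail.example.com with ESMTP id def456; Mon, 15 May 2023 14:59:00 -0700
Authentication-Results: spf=fail (sender SPF not authorized) smtp.mailfrom=suspicious-domain.com; dkim=fail header.d=suspicious-domain.com; dmarc=fail (p=NONE dis=NONE) header.from=suspicious-domain.com
From: John Doe <john.doe@example.com>
Date: Mon, 15 May 2023 14:58:59 -0700
Message-ID: <1234567890@mail.example.com>

(body omitted)
"""
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([^\]]+)\]\)\s+by\s+(\S+)", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def parse_received(msg):
    """Hops oldest-first as (claimed sender host, its IP, receiving host, time).
    Each relay prepends its Received: line, so header order is newest-first."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(line)
        stamp = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), m.group(3), stamp))
    return hops

def analyze(raw, max_delay_s=300):
    msg = message_from_string(raw)
    hops = parse_received(msg)
    auth_hdr = msg.get("Authentication-Results", "")
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth_hdr)}
    findings = [f"{p}={auth.get(p, 'missing')}"
                for p in ("spf", "dkim", "dmarc") if auth.get(p) != "pass"]
    # Alignment: the domain DMARC evaluated should be the one shown in From:
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    m = re.search(r"header\.from=([^;\s]+)", auth_hdr)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"From domain {from_domain} != header.from {m.group(1)}")
    # Timing: Date: must not postdate the first hop, and no hop should stall
    times = [parsedate_to_datetime(msg["Date"])] + [h[3] for h in hops]
    for i in range(1, len(times)):
        gap = (times[i] - times[i - 1]).total_seconds()
        if gap < 0 or gap > max_delay_s:
            findings.append(f"hop {i} gap {gap:.0f}s")
    return {"hops": hops, "auth": auth, "findings": findings}
```

Running analyze(RAW) on the sample reports the three failed authentication checks, the mismatch between the From: domain and header.from, and the eleven-minute stall between the two hops.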
Conclusion
Raw email headers are a powerful tool for anyone looking to delve deeper into the mechanics of email. Whether you’re troubleshooting delivery issues, verifying email authenticity, or analyzing the flow of your messages, understanding how to read and interpret these headers is a crucial skill. By learning to navigate this metadata, you can gain greater control and insight into your email communications, ensuring they are both efficient and secure.
With practice, interpreting raw email headers will become second nature, empowering you to identify and address issues quickly and effectively. Happy email sleuthing!