Everything You Need to Know About Email Headers


The header your email was sent with plays a crucial role in authenticating the message and helps your email provider ensure you have a safe experience. This guide dives into what email headers are, why they’re useful, and how they help maintain the security of the entire messaging ecosystem of the Internet.


What Is an Email Header?

Whenever you send a message, it gets relayed across different servers until it reaches its final destination. To keep a proper record of the entire transaction, a header is created. Put simply, email headers tell a story of what happened to the email as it made its way to you from the sender. If there’s something wrong with that story, the email is filtered out of the systems of the recipient’s email provider.

To work properly, the header must record the full chain of custody between sender and recipient: that the message was not modified in any way, and that the sender was properly logged in to the email system that relayed it. It must also include all routing information, listing in full every endpoint the email touched before it arrived.

Because of all this, email headers are the first line of defense against scammers, and especially spoofers (people who impersonate real email services for malicious purposes).

How to Open and Read an Email Header

To truly understand the provenance of email messages, you have to learn how to look for key details in your email header. When you first open it, you may be a bit intimidated by what you see, but as soon as you know what to look for, the huge wall of text that greets you will suddenly look decipherable.

Accessing Your Email Header

Most email headers can be accessed from context menus provided by your application or web service close to the body of the email. In Gmail, for example, you can access your header by clicking the three dots next to the Reply button, then clicking Show original.

Our guide on tracing emails to their source, which also touches a little bit on message headers in general, gets more in-depth on how to do this in a number of different applications and websites.

It goes without saying that virtually all respectable email applications and email service providers have a simpler way to access this information. If you still use Thunderbird (and you just might if you’re on Linux), clicking More next to the Delete button on an email message, then clicking View source, gives you complete access to the header and raw markup data in that message.

Understanding What You’re Reading

The header of your email will always start with the Delivered-To field and end where the body of your email begins. Everything in this portion of your raw email message makes up its “fingerprint.” An email header is read from top to bottom: the entries at the top were added last, by the server closest to you, and the entries at the bottom were added first, by the server closest to the sender.

These are the most relevant fields to look for:

  • Delivered-To – this field will always have the recipient’s email address in it.
  • Received – this field affirms that the email has reached a particular server. You’ll often see at least two of these, but the number can go as high as five, depending on how many regional servers your email had to pass through before reaching your inbox.
  • X-Received – this field is exactly like the Received field, except the X denotes that the field does not always follow the standard set by the Internet Mail Consortium. Google will often use this field to note which server first received the message before it was redirected to another server meant to store it. For the purposes of this guide, it should be treated the same as the Received field.
  • Authentication-Results – this field, as its name implies, displays the results of the cryptographic checks the recipient’s mail server ran to verify the authenticity of the message. The other values (DKIM-Signature, DMARC, and SPF) in the header sent by the sender’s mail server are checked against a hash stored in the sending domain’s DNS record. If the values match, the message is authenticated.
  • From – the email address of the sender.
  • To/CC – the email address of the recipient and anyone else the message has been sent to. It’s important to note that blind carbon copy (BCC) recipients will not be revealed in the header.

The Authentication-Results field is perhaps the most important here. It contains four lines, the first of which reveals the domain of the server that authenticated the message. If you use Gmail, for example, that will universally be mx.google.com. The next three lines start with the results of each cryptographic challenge.

How to Tell If You’re Being Scammed

From an email header, there are multiple ways to tell if the message itself is suspicious. Here are a few guidelines:

  • Authentication failures: if any of the three authentication results (dkim, spf, or dmarc) don’t have a status of “pass,” your mail server is trying to tell you that the message does not meet the requirements to verify that it originated from the server it says it came from.
  • “From” field: pay close attention to the line in your header that starts with From. This always contains the origin address of the sender. If the sender is attempting to impersonate a company, the address may have a typo in the domain name (e.g., ussps.com instead of usps.com for the official US Postal Service, or yuotube.com instead of youtube.com). It also may even just be a regular email from a normal service (e.g., official-usps@gmail.com) that has nothing to do with the organization the sender purports to represent.
  • CC: if there is a large list of other email addresses in the CC: field, the sender is likely mass-mailing in one message to save time and avoid per-email limitations on their accounts. Official emails from organizations will always do blind carbon copies so that the recipients do not know the addresses of everyone else the message was sent to.

A well-thought-out phishing attack or other type of malicious email will usually pass these tests in one form or another. However, there’s one more ace you have up your sleeve: Bad actors sending emails very rarely hide their IPs. Even if they do, the SMTP servers that allow them to send their emails do not.

Close to the bottom of your email header, you’ll find the oldest Received: field. Within that line, there will be an IPv4 or IPv6 address. The former is a group of four numbers ranging from 0 to 255, separated by dots. An IPv6 address looks like groups of up to four hexadecimal digits (0–9 and a–f), separated by colons.

The oldest Received: field will have the IP address of either your sender or the server the email originated from in brackets (e.g., [127.0.0.1]). If that address is a private or loopback one (127.0.0.1 is the sending machine talking to itself), it came from the sender’s own internal hop and cannot be looked up; move up to the next Received: line to find the first public address. You can use this with reputation scanning tools to determine whether the address is associated with known bad actors. Plug what you found into either MX Toolbox or Scamalytics, and these sites will tell you whether they’ve picked up on any reported fraudulent activity.
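To make the checks above concrete, here is an added Python example (not code from the original article) that parses a raw message with the standard library’s email module, walks the Received chain down to the oldest hop to pull out the bracketed IP, reads the Authentication-Results field, and applies the three guidelines from the previous section: each of dkim, spf and dmarc must be “pass”, the From domain is compared against a list of domains you expect mail from to catch near-miss spellings like ussps.com (and brand names like “usps” in the local part of an address on an unrelated domain), and a long Cc list is flagged. The two messages, the trusted-domain list, the two-character edit-distance threshold and the Cc threshold of 10 are all constructed assumptions for this demonstration.

```python
import email
import email.utils
import ipaddress
import re

# Two constructed messages (not real mail): one clean, one that trips several checks.
GOOD_MESSAGE = """\
Delivered-To: alice@example.com
Received: from mail-relay.example.net (mail-relay.example.net. [198.51.100.7])
        by mx.example.com with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender-host.example.org ([203.0.113.45])
        by mail-relay.example.net with ESMTP id xyz789; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com;
       dkim=pass header.i=@example.org header.s=sel1;
       spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=example.org;
       dmarc=pass (p=REJECT) header.from=example.org
From: Notice <notice@example.org>

Hello
"""

SUSPICIOUS_MESSAGE = (
    "Delivered-To: alice@example.com\n"
    "Received: from bulk-sender.example ([192.0.2.99]) by mx.example.com; Mon, 1 Jan 2024 11:00:00 +0000\n"
    "Authentication-Results: mx.example.com; dkim=none; spf=softfail smtp.mailfrom=ussps.com;\n"
    "       dmarc=fail (p=REJECT) header.from=ussps.com\n"
    "From: USPS Tracking <tracking@ussps.com>\nTo: alice@example.com\n"
    "Cc: " + ", ".join(f"user{i}@example.com" for i in range(12)) + "\n"
    "\nBody\n"
)

# Assumed list of domains the reader expects legitimate mail from.
TRUSTED_DOMAINS = ("usps.com", "youtube.com")

def _unfold(value):
    return " ".join(str(value).split())  # collapse a folded header onto one line

def received_chain(raw):
    """Received headers in the order they appear: newest hop first, oldest last."""
    return [_unfold(v) for v in email.message_from_string(raw).get_all("Received", [])]

def originating_ip(raw):
    """Bracketed IP in the oldest Received header, or None if there is none."""
    oldest = (received_chain(raw) or [""])[-1]
    for candidate in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", oldest):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # bracketed text that is not an address
    return None

def auth_results(raw):
    """First Authentication-Results header as (authserv-id, {method: result})."""
    msg = email.message_from_string(raw)
    value = re.sub(r"\([^)]*\)", "", _unfold(msg.get("Authentication-Results", "")))
    parts = [p.strip() for p in value.split(";")]  # comments dropped before splitting
    matches = (re.match(r"([\w-]+)=([\w-]+)", p) for p in parts[1:])
    results = {m.group(1).lower(): m.group(2).lower() for m in matches if m}
    return {"authserv_id": parts[0], "results": results}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_warnings(from_header, trusted_domains=TRUSTED_DOMAINS):
    """Flag a From domain that nearly matches a trusted one, or a trusted brand name in the local part of an unrelated address."""
    _, addr = email.utils.parseaddr(from_header or "")
    local, _, domain = addr.lower().rpartition("@")
    warnings = []
    for trusted in trusted_domains:
        if domain == trusted:
            continue
        brand = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2:
            warnings.append(f"From domain {domain!r} looks like {trusted!r}")
        elif brand in local:
            warnings.append(f"From address {addr!r} uses the {brand!r} name on an unrelated domain")
    return warnings

def assess(raw, trusted_domains=TRUSTED_DOMAINS, cc_threshold=10):
    """Apply the article's three guidelines and return a list of warnings."""
    msg = email.message_from_string(raw)
    warnings = []
    results = auth_results(raw)["results"]
    for method in ("dkim", "spf", "dmarc"):
        if results.get(method) != "pass":
            warnings.append(f"{method} result is {results.get(method, 'missing')!r}, not 'pass'")
    warnings += sender_warnings(msg.get("From"), trusted_domains)
    cc = email.utils.getaddresses(msg.get_all("Cc", []))
    if len(cc) >= cc_threshold:
        warnings.append(f"{len(cc)} addresses in Cc")
    return warnings
```

Calling assess(GOOD_MESSAGE) returns an empty list, while assess(SUSPICIOUS_MESSAGE) reports the three failed authentication results, the ussps.com look-alike domain and the 12-address Cc list. Two caveats: the edit-distance check will also flag legitimate domains that happen to be a letter or two apart from a trusted one, so treat a hit as a prompt for a closer look rather than a verdict; and a real message can carry one Authentication-Results header per hop, so a production version should pick the one whose authserv-id is your own provider’s server (mx.google.com for Gmail, as the article notes) instead of simply the first.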

Are You Staying Safe?

Even with all this information and these great tools at your disposal, you should still exercise vigilance. If something doesn’t feel right about a message you receive, err on the side of caution. Look up the organization online, find their contact information, and call them to see if they sent a message to you. Many large organizations – like postal services, banks, insurance firms, and Internet service providers – are huge targets for impersonation.

Don’t forget: scammers can get to you from anywhere, not just your email inbox. Read our guide on spotting common LinkedIn scams to learn a little more about this and guard yourself.

Image credit: SDXL. All screenshots by Miguel Leiva-Gomez.



Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.
