Learn how to trace an email, verify authentication, and identify spoofing or phishing attempts.
Every email contains hidden metadata called the email header. While most people only see the sender, recipient and subject, the header contains valuable technical information about how the message traveled across the Internet. System administrators, security analysts and help desk technicians frequently use email headers to troubleshoot delivery issues, investigate phishing attempts and verify message authenticity.
| Header | Purpose |
|---|---|
| From | The sender displayed to the recipient. |
| To | The intended recipient. |
| Subject | Email subject line. |
| Date | When the email was sent. |
| Reply-To | Where replies will be sent. |
| Return-Path | The envelope sender used during SMTP delivery. |
| Message-ID | A unique identifier for the email. |
Every mail server that handles an email adds a Received: header. Reading these entries from the bottom up shows the path the message took from the original sender to your mailbox.
The lowest "Received" entry is typically where the email originated.
Modern email systems authenticate messages using three major standards:
| Technology | Purpose |
|---|---|
| SPF | Verifies the sending server is authorized. |
| DKIM | Verifies the message has not been modified. |
| DMARC | Defines what to do if SPF or DKIM fails. |
Many email headers include an Authentication-Results section showing whether each check passed or failed.
Many organizations add custom headers beginning with X-. Examples include:
These headers often provide useful information about the sending application, mail platform, or security scanning performed during delivery.
Instead of manually reading hundreds of header lines, paste the complete email header into our free analyzer. We'll help identify:
Want to inspect a real email? Use our Email Header Analyzer to decode message headers, verify authentication, and help identify suspicious emails.