Understanding E-mail Headers

Header basics

The data transmitted in an e-mail message begins with the header lines, followed by the actual message, including attachments.

The end of the header lines is marked by a blank line (two consecutive line breaks).

Long header lines can be wrapped, with the new lines indented with at least one space or tab character.

Headers contain:

The headers do not follow a uniform order - with a few exceptions such as the Received lines. All programs involved in delivery at the sender, the mail exchange servers, and the recipient can modify the headers as desired.

Sending messages with SMTP

Sending and receiving e-mails is usually handled by e-mail clients such as Microsoft Outlook Express or Mozilla Firebird. For a better understanding of the headers, however, it helps to know how a message is actually sent.

Before the message can be sent to the mail server, information required for delivery is exchanged. This communication between the sender and the receiving server is called an SMTP dialog or SMTP envelope.

To send e-mails, e-mail programs usually use their own provider's mail server, which then handles further delivery to the recipient. However, messages can also be delivered directly. This requires a DNS query of the type "MX", which provides the available MX (Mail eXchange) servers for a domain. Special programs or online services can be used for this.

In the following example, the fictitious sender "test@tester.tld" wants to send a message to "noname@example.tld". This requires the MX server of the domain "example.tld". A DNS query reveals that the MX server "mail.example.tld" accepts messages for the domain "example.tld". Using a terminal program, a connection can now be established to the host "mail.example.tld" on port 25 (SMTP).

After establishing the connection, the mail server responds with the line:

220 mail.example.tld ESMTP

The number "220" at the beginning of the line means that the following text is a normal status message and that no error has occurred. The SMTP server now waits for an "introduction", which is initiated with the "HELO" or "EHLO" command.

helo faked.tester.tld

With HELO or EHLO, the sender usually introduces themselves with their public hostname. The server confirms this with status code 250, which indicates a valid command.

If the sender is not a mail server, such as the PC of the message sender, the computer name or the public or private IP address is specified after HELO or EHLO instead of the public hostname.

This information is specified in the respective Received line either directly after "from" or in the form "(HELO hostname)".

250 mail.example.tld

Now comes the addressing of the message, starting with the sender's e-mail address, which is marked with the command "mail from:".

mail from: test@tester.tld

The sender's e-mail address specified here can also be found in the headers Original-Sender, X-Envelope-From, X-Env-From, X-Env-Sender, X-Envelope-Sender, or X-Sender. Sometimes this address is also specified in the Received line, e.g., with "Received: from ... (envelope-from <test@tester.tld>) ... by ...".

After the SMTP server has verified the sender's address and found it to be valid, it returns status code 250, usually followed by the text "ok".

250 ok

Next, the recipient's e-mail address is specified, beginning with the "rcpt to:" command.

rcpt to: noname@example.tld

This is the address of the actual recipient to whom the message will be delivered. The "To" header is merely informative and has nothing to do with the delivery of the message.

The e-mail address specified here may appear in the Envelope-To or X-Envelope-To headers, or in the Received line after "for", e.g., "Received: from ... by ... with ... for <noname@example.tld>; ...".

The recipient address is confirmed by the SMTP server:

250 ok

The addressing is now complete, and the actual message can be sent to the server. The "data" command is used for this purpose.

data

The SMTP server acknowledges the data command with status code 354, which prompts for text input. Following the status code, a text such as "go ahead" or "Enter mail, end with '.' on a line by itself" may follow.

354 go ahead

None of the information exchanged so far needs to appear in the message that reaches the recipient. Therefore, the typical message headers such as "From", "To", and "Subject" are now entered. In this example, a fake "Received" line is also included at the beginning, intended to deceive the recipient about the true sender. This will be discussed in more detail below.

After the headers, the actual message text is entered, separated by a blank line.

Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
  by mail.example.tld with SMTP; 1 Sep 2018 13:53:24 +0200
Message-Id: <1234567890@tester.tld>
X-Sender: test@tester.tld
From: "The Faker" <test@tester.tld>
To: "NoName" <noname@example.tld>
Subject: A Test

Text, Text, Text
Line 2
Line 3
.

The message text always ends with a single period on a separate line. The server again confirms receipt of the message with code 250:

250 ok 1157111913 qp 7263

The "quit" command closes the connection to the SMTP server.

quit

Before the server closes the connection, it returns status code 221 (confirmation of the quit command):

221 mail.example.tld

This closes the connection and the message is stored in the recipient's mailbox.

The complete dialog between server and client described above now looks like this:

220 mail.example.tld ESMTP
helo faked.tester.tld
250 mail.example.tld
mail from: test@tester.tld
250 ok
rcpt to: noname@example.tld
250 ok
data
354 go ahead
Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
  by mail.example.tld with SMTP; 1 Sep 2018 13:53:24 +0200
Message-Id: <1234567890@tester.tld>
X-Sender: test@tester.tld
From: "The Faker" <test@tester.tld>
To: "NoName" <noname@example.tld>
Subject: A Test

Text, Text, Text
Line 2
Line 3
.
250 ok 1157111913 qp 7263
quit
221 mail.example.tld


Receiving messages with POP3

Receiving e-mails works similarly to sending them. However, a separate protocol, the Post Office Protocol (POP), is used. The POP3 server is usually accessible via port 110.

The following retrieves the message sent above:

+OK Hello there.
user xxxxxxxx
+OK Password required.
pass xxxxxxxx
+OK logged in.
list
+OK
1 598
.
retr 1
+OK 598 octets follow.
Return-Path: <test@tester.tld>
Received: (qmail 7881 invoked from network); 1 Sep 2018 13:58:33 +0200
Received: from host123.provider.tld
  (HELO tester.tld) (192.0.2.170)
  by mail.example.tld with SMTP; 1 Sep 2018 13:55:38 +0200
Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
  by mail.example.tld with SMTP; 1 Sep 2018 13:53:24 +0200
Message-Id: <1234567890@tester.tld>
X-Sender: test@tester.tld
From: "The Faker" <test@tester.tld>
To: "NoName" <noname@example.tld>
Subject: A Test

Text, Text, Text
Line 2
Line 3
.
quit
+OK Bye-bye.

The "Return-Path" line and the first two "Received" lines (highlighted in red in the original) were inserted by the mail server. Depending on the mail server and the data provided when sending the message, the header lines may vary. However, the first, or in this case, the first and second "Received" lines from the top, are always inserted by the mail server, which is what makes them trustworthy.

The Received lines

Received lines are delivery confirmations from the mail servers through which the message was sent. A mail server always appends the Received line to the top of the message. This means that the Received entry of the first mail server is at the bottom, and the entry of the last mail server through which the message was transported is at the top.

Each mail server logs the receipt of the message from its perspective with the following information:

from
Hostname and IP address of the sender
by
Hostname of the receiving mail server (the server that added this line)
with
Type (protocol) of the connection, usually "SMTP", "ESMTPS", etc. For webmail also "HTTP".

This is followed by the current date and time of the receiving server.

In our example, the following Received lines result:

Received: (qmail 7881 invoked from network); 1 Sep 2018 13:58:33 +0200
Received: from host123.provider.tld
  (HELO tester.tld) (192.0.2.170)
  by mail.example.tld with SMTP; 1 Sep 2018 13:55:38 +0200
Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
  by mail.example.tld with SMTP; 1 Sep 2018 13:53:24 +0200

Received: (qmail 7881 invoked from network); 1 Sep 2018 13:58:33 +0200

This "Received" line appears quite frequently in messages; it's a note from the mail server "QMail". This line has only limited significance for tracing the sender.

Received: from host123.provider.tld
  (HELO tester.tld) (192.0.2.170)
  by mail.example.tld with SMTP; 1 Sep 2018 13:55:38 +0200

This line, like the first one, was inserted by the recipient's mail server and is therefore a good starting point for tracing. However, the structure of a Received line isn't bound by fixed guidelines, so you should check all the information. Let's take a closer look at the individual parts:

from host123.provider.tld

"From" can contain the sender's actual hostname, as in this case. But the computer name or hostname, as specified under "HELO", is also possible.

(HELO tester.tld)

After "HELO", the text specified in the greeting when sending the message is displayed. However, this information is not always included.

(192.0.2.170)

At the end of the sender part (before "by...") the actual sender is given in parentheses. This IP address established the connection to the mail server and transmitted the e-mail. This means that the IP address 192.0.2.170 had the hostname "host123.provider.tld" at the time of sending. Since this is identical to the hostname after "from...", it is not listed again. The following notation is also possible here:

(host123.provider.tld [192.0.2.170])

There is no standardized representation, which is why all hostnames should be checked against the IP address.

by mail.example.tld with SMTP

This shows that the server "mail.example.tld" received the message. The transmission protocol used was SMTP.

1 Sep 2018 13:55:38 +0200

The date and time of receipt by the mail server always follow a semicolon. Despite standardization, the format of the time information can vary. In our case, the e-mail was received by the mail server on September 1, 2018, at 1:55:38 PM. The times in the Received lines are always given in the mail server's local time. To determine the UTC time, the offset from UTC is applied. In this case, it is "+0200", which means that the specified time is 2 hours ahead of UTC. Thus, the message was received on September 1, 2018, at 11:55:38 AM UTC.

Those are the mail server entries. Now follow the header lines provided by the sender, some of which are also forged:

Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
  by mail.example.tld with SMTP; 1 Sep 2018 13:53:24 +0200

As already mentioned, the message can also be sent through multiple mail servers, with the "Received" line of one mail server always being added at the top. Each "Received" line contains both the sender ("from...") and the recipient ("by..."). This means that the sender of the first line and the recipient of the second line must be identical or at least similar. However, this is not the case in our example:

Received: from host123.provider.tld (192.0.2.170)
          by mail.example.tld

Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
          by mail.example.tld

A plausible message flow could look something like this (simplified representation):

Received: from mail.target.tld (198.51.100.78)
          by mx.target.tld

Received: from mx3.provider1.tld (203.0.113.3)
          by target.tld

Received: from mx1.provider1.tld (203.0.113.1)
          by mx3.provider1.tld

Received: from user1.provider1.tld (203.0.113.89)
          by mx1.provider1.tld
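The checks described above (unfolding the wrapped Received lines, converting the local timestamp to UTC, and comparing each "by" host with the "from" host of the line above it) as an added example; this is not code from the original page. It re-parses the constructed message from the POP3 session above and flags the forged bottom line.

```python
import re
from datetime import timezone
from email import message_from_bytes
from email.utils import parsedate_to_datetime

# Constructed sample: the headers as retrieved via POP3 above, including the
# bottom "Received" line that the sender typed during the DATA phase.
RAW = b"""Received: (qmail 7881 invoked from network); 1 Sep 2018 13:58:33 +0200
Received: from host123.provider.tld
  (HELO tester.tld) (192.0.2.170)
  by mail.example.tld with SMTP; 1 Sep 2018 13:55:38 +0200
Received: from faked.tester.tld (faked.tester.tld [203.0.113.89])
  by mail.example.tld with SMTP; 1 Sep 2018 13:53:24 +0200
Subject: A Test

Text, Text, Text"""

HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Unfold one Received value and pull out from/by/IP and the UTC time."""
    value = " ".join(value.split())            # join folded continuation lines
    clause, _, date = value.rpartition(";")    # the timestamp follows the ';'
    hop = HOP_RE.search(clause)                # qmail-style notes have no from/by
    ip = IP_RE.search(clause)
    return {
        "from": hop.group("frm") if hop else None,
        "by": hop.group("by") if hop else None,
        "ip": ip.group(1) if ip else None,
        "utc": parsedate_to_datetime(date.strip()).astimezone(timezone.utc),
    }

def received_hops(raw):
    """Return the Received hops top-down (last server first), as in the header."""
    msg = message_from_bytes(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]

def chain_anomalies(hops):
    """Flag a hop whose 'by' host is not the 'from' host of the line above it."""
    issues = []
    for i in range(1, len(hops)):
        upper, lower = hops[i - 1], hops[i]
        if upper["from"] and lower["by"] and upper["from"] != lower["by"]:
            issues.append(f"hop {i}: by={lower['by']} but line above says from={upper['from']}")
        if lower["utc"] > upper["utc"]:       # a lower line must not be newer
            issues.append(f"hop {i}: received later than the line above")
    return issues
```

For the sample, `chain_anomalies(received_hops(RAW))` reports only hop 2: the bottom line claims mail.example.tld received it from faked.tester.tld, while the genuine line above says mail.example.tld received it from host123.provider.tld.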

The following list contains only the most important headers. Depending on the mail client, mail server, or mailing list used, additional lines may appear.

Bcc

Webmaster <webmaster@domain.tld>

The "Bcc" (Blind Carbon Copy) header field contains additional recipients who are to receive the message as an "invisible copy". The Bcc field lists those additional recipients that the other recipients should not see. The recipients in the To and Cc lines are visible to all recipients.

Cc

Name <name@domain.tld>

The "Cc" (Carbon Copy) header field contains additional recipients who are to receive the message "in copy". This information is intended for administrative purposes only. The e-mail is, however, delivered as if the addresses were contained in the To field.

Content-Language

de-AT, en-US

The "Content-Language" header field contains a code for the language used in the MIME body part, e.g. "de" for German. Several languages can also be specified, separated by commas. A MIME body part can, for example, contain an attachment such as an image or a document, or the text or HTML version of the message.

Content-Transfer-Encoding

quoted-printable

The "Content-Transfer-Encoding" header field specifies how the message text or the MIME body part is encoded. Common values are "quoted-printable", "base64", "7bit" and "8bit". A MIME body part can, for example, contain an attachment such as an image or a document, or the text or HTML version of the message.

Content-Type

text/plain; charset=ISO-8859-1

The "Content-Type" header field specifies the type of the message or of the MIME body part. Common values are, for example, "text/plain" for text messages or "text/html" for HTML messages. "charset" is followed by the character set used. A MIME body part can, for example, contain an attachment such as an image or a document, or the text or HTML version of the message.

Date

Wed, 6 Sept 2018 10:02:47 +0000

The "Date" header field contains the creation time or the time of sending. This timestamp is inserted by the sender's mail program. The time is given in the local time of the sending computer. The time is followed either by the offset from UTC (e.g. "+0200" for +2 hours) or, in some cases, by the time zone.

From

Name <name@domain.tld>

The "From" header field contains the e-mail address and possibly also the name of the sender. This information is inserted by the sender's mail program.

In-Reply-To

webmaster@domain.tld

In a reply, the "In-Reply-To" header field contains the Message-ID of the message being replied to.

Organization

Example Company Ltd.

The "Organization" header field specifies the organization or company name of the sender. The organization can be configured in the mail program.

Received

from sender.tld (sender.tld [10.1.2.3]) by server.tld with SMTP; 4 Oct 2019 15:40:53 +0200

The "Received" header field contains information about the sender, the recipient and the time of receipt of a message. This header field is added by the receiving mail server as the topmost line. Depending on the number of mail servers involved, several "Received" fields may be present.

References

<DCEA2913.6003005@domain.tld>

The "References" header field contains the Message-IDs of related messages. In a reply, this would be the Message-ID of the message being replied to. Mail programs use this information to sort messages or to display them hierarchically.

Return-Path

name@domain.tld

The "Return-Path" header field contains the return address in case the message could not be delivered. The mail server that could not deliver the message attaches an error message to the original e-mail. The Return-Path can also be added by a mail server based on the address given under "MAIL FROM".

Subject

Example subject

The "Subject" header field contains the subject of the message.

To

"Webmaster" <webmaster@domain.tld>, name@domain.tld, support@domain.tld (Support Center)

The "To" header field contains the recipient or recipients. Multiple addresses must be separated by a comma. The order of addresses and names can vary.

X-Mailer

ExampleMailer 1.23

The "X-Mailer" header field contains information about the software used to send the message. Common values are the name and version number of the software, but a URL or other details are also possible.

X-Priority

3 (Normal)

The "X-Priority" header field specifies the priority of the message. The value has no influence on the speed of delivery. Possible values are: 1 (Highest), 2 (High), 3 (Normal), 4 (Low), 5 (Lowest). Sometimes only the number is given. This header field is used in spam with a high priority value.
