HostMonster Web Hosting Help

Understanding Email Headers

What is the value of the Internet Email Header?

Here are a few reasons it may be necessary to review the headers:

  • Investigate possible spoofing and determine the source of the message.
  • Analyze timestamps along the delivery route and identify the source of any delay.
  • Test any of the mail servers in the path to see if they are on a blacklist.
  • Review the SpamAssassin score.
  • Determine if the message was routed through the Postini filtering server prior to arrival.

While you may think reviewing email header information is too technical, Internet investigations are NOT rocket science. As with most detective work, you know what has happened and to whom. All you need to do now is find out who did it, or how it happened, by reviewing the contents of the email header.

What is a header?

The header is a section of code that contains information about from where the e-mail came and how the message reached its destination. Headers will contain the e-mail address of the originator and/or the computer the perpetrator/sender was using.

Here is what the typical Internet email header looks like. What you are looking for in the header is the IP address, sometimes conveniently identified as the "Originating IP". Using the IP address of the sender's computer together with the date and time of the offending e-mail, we can trace the message to the Internet service provider (ISP). The IP addresses in the example below are shown in bold font.

        Delivery-date: Wed, 02 Apr 2014 15:06:11 -0600
        Received: from [] (port=36531
        	by with esmtps (TLSv1:RC4-SHA:128)
        	(Exim 4.82)
        	(envelope-from )
        	id 1WVSMM-0003oR-Ny
        	for; Wed, 02 Apr 2014 15:06:10 -0600
        Received: from ([])
        	by with esmtps (TLSv1:RC4-SHA:128)
        	(Exim 4.82)
        	(envelope-from )
        	id 1WVSMJ-00049k-3X
        	for; Wed, 02 Apr 2014 23:06:10 +0200
        Received: by with SMTP id uq10so212231igb.2
                for ; Wed, 02 Apr 2014 14:06:02 -0700 (PDT)
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      ; s=20120113;
        MIME-Version: 1.0
        X-Received: by with SMTP id c3mr2836464icp.28.1396472762166; Wed,
         02 Apr 2014 14:06:02 -0700 (PDT)
        Received: by with HTTP; Wed, 2 Apr 2014 14:06:02 -0700 (PDT)
        Date: Wed, 2 Apr 2014 15:06:02 -0600
        Subject: I can haz headers
        From: HostMonster Tutorials
        Content-Type: multipart/alternative; boundary=20cf302075e4ed71d604f615a6cd
        Received-SPF: pass ( domain of designates as permitted sender) client-ip=;;;
        X-SPF-Result: domain of designates as permitted sender
        X-Filter-ID: XtLePq6GTMn8G68F0EmQveOvoFo7+04sHaU+aQGjobYi0opp2x9AytcIxrAv/iEuaWmMHd4i6wCz
        Authentication-Results:; spf=pass
        Authentication-Results:; dkim=pass
        X-Spampanel-Class: unsure
        X-Spampanel-Evidence: Combined (0.15)
        X-Recommended-Action: accept
        X-Identified-User: {} {sentby:Delivered locally}

Which of the IP addresses above should you trace? Usually, the originating IP (in this case, is either called that, and/or is closer to the bottom of the stack, nearer to the actual body of the message.

It is important to note that this source IP address ( will not resolve on the Internet as it is within a block of IP addresses that are "reserved" private IP addresses. They are used behind corporate firewalls and proxy servers. They access the outside world through a NAT service, which stands for Network Address Translation. To find where this IP address is located, you will have to contact the network administrator responsible for the IP address, which is a legitimate internet IP address and through which this private IP address passes on its way to the internet.

RFC 1918 describes IP addressing guidelines for private networks and the address blocks that IANA (Internet Assigned Numbers Authority) has reserved for them. There are three sets of reserved private numbers, one for each IP network Class A, B & C. They are:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255
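
As an added example (not part of the original article), the Python below walks the Received lines of a constructed message oldest-first, flags RFC 1918 addresses, and computes the delay each hop added. The sample hosts and addresses and the names trace_hops and first_public_ip are assumptions, and every Received line is assumed to end with a date.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not from the article: example.* hosts, documentation
# addresses, and one RFC 1918 address as the innermost (oldest) hop.
SAMPLE = """\
Received: from mx.example.net ([203.0.113.25])
\tby inbound.example.org with esmtps (Exim 4.82)
\tid 1AAAAA-000000-00; Wed, 02 Apr 2014 15:06:10 -0600
Received: from gateway.example.com ([198.51.100.7])
\tby mx.example.net with esmtps
\tid 1BBBBB-000000-00; Wed, 02 Apr 2014 23:06:08 +0200
Received: from workstation ([192.168.1.44])
\tby gateway.example.com with ESMTP; Wed, 02 Apr 2014 14:06:02 -0700 (PDT)
Subject: constructed sample
From: sender@example.com

body
"""

# The three private blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def trace_hops(raw):
    """Return hops oldest-first as (ip, is_private, timestamp, delay_seconds)."""
    received = message_from_string(raw).get_all("Received", [])
    hops, previous = [], None
    # Every relay prepends its own line, so reversing gives travel order.
    for value in reversed(received):
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        match = BRACKETED_IP.search(value)
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:  # bracketed text that is not an address
            ip = None
        private = ip is not None and any(ip in net for net in RFC1918)
        delay = (stamp - previous).total_seconds() if previous else 0.0
        hops.append((str(ip) if ip else None, private, stamp, delay))
        previous = stamp
    return hops

def first_public_ip(hops):
    """Oldest routable address; a private one must be traced via its NAT owner."""
    return next((ip for ip, private, _, _ in hops if ip and not private), None)
```

Received lines below the first server you control are supplied by the sending side and can be forged, so treat the oldest hops as claims to corroborate rather than proof of origin.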

The difference between Full and Partial Headers

Partial Headers:

This is what you normally look at in your emails. The partial headers are the most important to your daily tasks. Such headers are the From Address, To Address, Subject, Date and Time, Reply To Address, CC, and BCC.

Full Headers:

The full headers are simply more technical information than you normally see when you check your email. Sometimes we need those extra headers to solve a problem.

Here are a few links that guide you through turning on Full Headers for whichever mail program you use:
