Everything You Need to Know About Email Headers

Email headers remain a mysterious part of email delivery. Even people with a basic understanding of how email works have trouble deciphering them. When you look at an email, all you usually see is the message body, subject line, sender, and recipient. When you dig into the header, you find a large block of cryptic text that can be very confusing. Yet headers tell you a lot about a message and can help keep you out of trouble.

Whenever you send a message, it is relayed across several servers until it reaches its final destination. To keep a record of the entire transaction (and to let each step be checked against the message that was actually sent), a header is built up along the way. An email header is the full record of everything that happened from the time the email left the sender until it arrived in the recipient’s inbox. It gives you all the routing information, showing where the message has been before it arrived. That makes it a useful tool for deciding whether an email is a scam. Providers like Google and Yahoo sift through headers and use this information to catch scams and spam ahead of time. A typical email header looks like this:

[Image: a typical email header]

It can look a little intimidating, but it stops being confusing once you read each line carefully.

When looking through a header, you’ll notice several IP addresses (four groups of numbers from 0 to 255 separated by dots). Each of these is either the sender’s IP address or the IP address of a relay server. To read a header, you have to read from the bottom to the top, because a header shows the oldest information at the bottom. So the IP address you see between square brackets ("[" and "]") in the oldest “Received:” line is the sender’s IP address. If the sender isn’t using a proxy, this is most likely the IP address his or her computer was using at the time the email was sent.
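The bottom-to-top reading described above, as an added example that is not part of the original article: the constructed header below has three hops listed the way a mail client shows them (newest first), and the code walks the “Received:” lines in reverse to list every hop from oldest to newest and pick out the bracketed IP the message first came from. The host names, IP addresses and message IDs are made up for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample message: three hops, newest Received: line first,
# exactly as a mail client shows them. Addresses are documentation ranges.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <alice@example.org>; Tue, 4 Jun 2013 10:02:11 +0000
Received: from relay.example.com (relay.example.com [198.51.100.20])
\tby mx.example.net with ESMTP id def456; Tue, 4 Jun 2013 10:02:09 +0000
Received: from user-pc (unknown [192.0.2.55])
\tby relay.example.com with ESMTPA id ghi789; Tue, 4 Jun 2013 10:02:05 +0000
From: Bob <bob@example.com>
To: alice@example.org
Subject: Invoice

Body text.
"""

# First bracketed address in a Received: line is the "from" host's IP.
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_hops(raw):
    """Return the bracketed IP of each Received: line, oldest hop first."""
    msg = message_from_string(raw)          # folds continuation lines for us
    received = msg.get_all("Received") or []
    hops = []
    # Each server prepends its own Received: line, so the last one is oldest.
    for line in reversed(received):
        match = BRACKETED_IP.search(line)
        ip = None
        if match:
            try:
                ip = str(ip_address(match.group(1)))  # validate, drop junk
            except ValueError:
                ip = None
        hops.append(ip)
    return hops


def originating_ip(raw):
    """IP in the oldest Received: line, i.e. where the message entered mail."""
    hops = received_hops(raw)
    return hops[0] if hops else None
```

Only the “Received:” lines added by servers you trust (your own provider’s) are guaranteed genuine; anything below them was written on the sending side and can be forged, so treat the oldest hop as a lead, not proof.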

When deciding whether a sender is trying to scam you, you have one significant advantage: scammers don’t usually bother to hide their IP addresses, because they know most people never look at email headers. Once you have the scammer’s address, just put it into a blacklist checker such as the one from What Is My IP Address or MX Toolbox. Both are highly reliable and check many of the blacklists that major email providers use.

You still have to use your eyes. Watch out for the obvious scams that tell you about large sums of money you never knew you were inheriting or receiving. Others are creative enough to imitate major, credible companies such as FedEx, PayPal, and UPS. Blacklists have some difficulty keeping up with scams because they operate on an “innocent until proven guilty” premise. That gives new scammers time to set up shop and email tens of thousands of unsuspecting victims, most of whom won’t even think of looking at the email header.

[Image: viewing a message’s header in Thunderbird]

If you’re trying to get to a header, you might have some trouble finding it. Gmail has a guide covering many different email clients and webmail providers that is kept up to date with any changes those providers make. Since email interfaces change all the time, Gmail’s guide is the safest place to look.

For Gmail, you just have to click the “Down” arrow in each email and select “Show original”. This will load the original email, including its header, in a new tab.

If you’re trying to understand email headers and still have trouble, post a question in the comments below and someone will be with you shortly. If you feel like you’ve got enough know-how to show us some cool new way to use email headers to detect troublemakers, go ahead and post it! Everyone benefits when we teach each other.