E-mails enable us to send messages and files around the world in seconds. E-mail correspondence is an indispensable part of everyday life for most internet users, but most users, however, don’t actually know how an e-mail is sent. A lot happens in the short time between a message being dispatched to it being delivered.
Every e-mail that finds its way into your inbox is made up of a header and a body. These are both separated by a blank line. The body usually contains what is of interest to you, i.e. the content of the message. Usually you will only see a few compulsory details of the e-mail header such as the sender, the subject, and the date it was sent. There are additional elements to the header such as extra information about the sender and the path of the message. These are, however, hidden by the mail application, but can be shown upon request. If you are skeptical about an e-mail’s authenticity then you should make use of this option and display the complete e-mail header.
The structure of the e-mail header
The header of an e-mail is roughly divided into two categories: message headers and envelope headers. Message headers are generated directly by the respective sender and then sent on their way to the recipient. While en route, the e-mail is expanded by envelope headers, which are created by the mail server during transfer. This extra information (received lines) is fundamental for tracing e-mails. Each line of an e-mail header begins with a keyword (the name), followed by a colon and then the content.
Compulsory details of an e-mail header
From: This is the information about the sender or writer in the form of an e-mail address. There are also e-mail clients that allow several senders. If the technical sender is not the writer of the e-mail, this will be mentioned in the additional “sender” line.
Example: From: Sender <email@example.com>
To: In this e-mail header line you find the name of the recipients separated by commas. The information does not have to correspond with the “envelope-to” information that is transmitted by the transfer protocol. It could even be the case that your e-mail address does not even appear in this line.
Example: To: Recipient <firstname.lastname@example.org>, Recipient 2 <email@example.com>
Cc: This optional information contains the address(es) of one or several recipients that are to receive a copy of the e-mail.
Example: Copy-recipient <firstname.lastname@example.org>, Copy-recipient 2 <email@example.com>
Subject: The subject lets the recipient know what kind of content to expect. The sender should make it clear to the reader what the e-mail is regarding.
Example: Cc: Re: Your appointments for the coming year
Hidden e-mail header information
Return-Path: When available, this line is almost always at the beginning and gives the mail server a return option in case delivery is not possible. The delivered e-mail address is identical to the one that the server receives via the “envelope-from” information.
Example: Return-Path: <firstname.lastname@example.org>
Received: Received lines are generated by the mail servers that are involved in the transfer. There are at least two of these lines per e-mail header since one server is used to send and one is used to receive. The lines reveal the e-mail’s transmission route including the date and address of the mail server involved (usually inside square parentheses)
- Example: Received: from hostname.example.com (hostname.example.com [xxxxxxxx])
- by mailserver.recipient.com with SMTP
- for <email@example.com>; Thu, 24 Dec 2015 17:36:20
- +0200 (EST)
Message-ID: Every e-mail contains this clear identification, mostly from the mail servers or from the sender’s mail program. The first part of the ID is made up of a character code, and the second part is a domain name, separated by an “@” sign.
Example: Message-ID: <434571BC.firstname.lastname@example.org>
Content-Type: In this line of the e-mail header you will find information about the type and character set of the text body. The individual parameters are separated by semicolons.
Example: Content-Type: text/plain; charset=UTF-8</email@example.com></firstname.lastname@example.org>
The benefit of an e-mail header
You can retrace and check the transmission route of your e-mail to see if the alleged sender is the actual sender. This can be achieved with the help of a thorough analysis of the mostly hidden information in the e-mail header. If you receive an e-mail and question its authenticity, you should definitely consult the header. The following explains how to display the e-mail header and which tricks spammers employ.
E-Mail header analyzer: how it works
Before you can begin to analyze the header, you first need the complete excerpt. Since a standard e-mail program conceals the relevant content for the transfer, it first needs to be uncovered. Open the respective message in Microsoft Outlook followed by the complete address line: “File --> Info --> Properties”. In Mozilla Thunderbird activate the information in the application menu by clicking on “View --> Headers --> All”.
In order to identify the sender, you need to search the full header content for the IP address and the name of the first server that was involved in transmitting the message. Go through the different received information from the top (your utilized mail server) until you find the outgoing mail server. This server usually constitutes the lowest received information. Further information found under the header is most likely the result of a fraud attempt and you should therefore assume that you have already found the outgoing mail server. Upon completing this step, enter the IP address (which is indicated in the received information) into a web tool such as Network-Tools.com. You will then receive information about the server location. The result should match the name of the server that is shown in the identified time zone line.
If you don’t want to search for inconsistencies in the received information of the e-mail header yourself, you can use programs such as the free eToolz tool. Click on “E-Mail Header Analyzer” and enter the full header excerpt in the “E-mail Header” field to start the search. The application lists all involved mail servers in chronological order. Next to “sent from:” there is the IP address of the first server that you can check manually using Network-Tools.com.
How e-mail headers are spoofed
In most cases spammers have no interest in receiving answers to their e-mails. Normally whoever sends spam wants to stay anonymous. This means that the “from” and “return-path” lines of spam e-mails rarely speak the truth. The actual writers therefore use false identities. In the more recent past lots of e-mail recipients received mails allegedly from PayPal, eBay, or even from the local authorities. Apart from the fact that these e-mails encourage you to open external links, the fake addresses, for the most part, had a few similarities to the original addresses and were quickly exposed as spam through an e-mail header analyzer. It is often difficult to identify the actual creators of these spam e-mails due to the fact that such e-mails were sent via a misconfigured mail server or an infected computer. These serve as intermediate stations during dispatch, which allows many spam senders to avoid being identified by the e-mail header.
The received information is the only element of the e-mail header that cannot be faked. This is because spammers do not have access to the last piece of received information that normally contains the output IP. This is generated from the recipient’s mail server. Manipulating the lines helps the spammer in so far as to cause confusion and to throw the recipient off track. They achieve this by placing their own server part of the way through instead of at the beginning of the chain.