Email has the familiar header information –
From: To: CC: Bcc: Date: Subject:
Turns out there is a lot more information in the email header of each email that is not shown. This additional information tells us the route the email took and more. Reading the email header is useful for troubleshooting email delivery, revealing spam sources and validating email authenticity.
This article describes the email standards, how to access the full email header, some notes on email headers and references.
There are two main standards documents that describe Internet email – RFC 5322 Internet Message Format and RFC 5321 Simple Mail Transfer Protocol. The first describes the message format and the second describes how it arrives.
The Internet Message Format document describes the message format. Each Internet message is divided into a header and a body. The header includes header fields such as the ones we are all familiar with like From, To, Date and Subject. The header may include additional fields like Message-ID. The body includes the email message.
An example of a message (from the RFC):From: John Doe <email@example.com> To: Mary Smith <firstname.lastname@example.org> Subject: Saying Hello Date: Fri, 21 Nov 1997 09:55:06 -0600 Message-ID: <email@example.com> This is a message just to say hello. So, "Hello".
The Simple Mail Transport Protocol (SMTP) document describes how the messages are transported from the sender to the receiver over the Internet. SMTP does not use the From and To fields of the Internet Message Format but rather learns the From and To information from the dialog between the mail client and server programs.
A typical SMTP transaction( from the RFC (note: S=server and C=client)) –This SMTP example shows mail sent by Smith at host bar.com, and to Jones, Green, and Brown at host foo.com. Here we assume that host bar.com contacts host foo.com directly. The mail is accepted for Jones and Brown. Green does not have a mailbox at host foo.com. S: 220 foo.com Simple Mail Transfer Service Ready C: EHLO bar.com S: 250-foo.com greets bar.com S: 250-8BITMIME S: 250-SIZE S: 250-DSN S: 250 HELP C: MAIL FROM:<Smith@bar.com> S: 250 OK C: RCPT TO:<Jones@foo.com> S: 250 OK C: RCPT TO:<Green@foo.com> S: 550 No such user here C: RCPT TO:<Brown@foo.com> S: 250 OK C: DATA S: 354 Start mail input; end with <CRLF>.<CRLF> C: Blah blah blah... C: ...etc. etc. etc. C: . S: 250 OK C: QUIT S: 221 foo.com Service closing transmission channel
Each SMTP server must insert a header field to the message called “Received:” naming the server it received the message from as well as identifying itself (Received: from … by …).
The most interesting thing to take away from these two standards documents is that the Internet Message fields are not used for email delivery and therefore are easily forged.
The two ways most people send and read mail are by an email client or web mail client. Typical email clients are Windows Live Mail, Windows Mail, Outlook, Outlook Express (no longer supported by Microsoft), Thunderbird, Eudora, etc. Typical web mail clients are Hotmail, Yahoo mail, Gmail, etc.
Email clients by default just show you the basic message header fields – From, Date, Subject. To access the full header to see all header fields you must dig –
- Windows Live Mail – right click on the message, properties, details
- Outlook – right click on the message, Message options, Internet headers
- Thunderbird – select message, View, Message Source
- Hotmail – open message, down-arrow (next to Reply) View message source
- Yahoo mail – select message, Actions, View Full Header
- Yahoo mail – open message, (lower right) Full Headers
- Gmail – open message, down-arrow (next to Reply) Show original
This header is an actual header that has been modified for privacy and has note references added. The email was sent from hotmail web mail client to gmail while logged on to ISP Comcast. The red (note ) entries were added by me and refer to the notes below.
Delivered-To: firstname.lastname@example.org (note 2) Received: by 10.227.136.147 with SMTP id r19cs257980wbt; Thu, 10 Mar 2011 19:11:51 -0800 (PST) (note 8 ) Received: by 10.231.186.11 with SMTP id cq11mr968009ibb.43.1299813110370; Thu, 10 Mar 2011 19:11:50 -0800 (PST) (note 8 ) Return-Path: <email@example.com> (note 1) Received: from snt0-omc3-s42.snt0.hotmail.com (snt0-omc3-s42.snt0.hotmail.com [18.104.22.168]) by mx.google.com with ESMTP id 37si9198274ibi.3.2011.03.10.19.11.49; Thu, 10 Mar 2011 19:11:50 -0800 (PST) (note 7) Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199; Authentication-Results: mx.google.com; spf=pass (google.com: domain of email@example.com designates 188.8.131.52 as permitted sender) firstname.lastname@example.org Received: from SNT107-W54 ([184.108.40.206]) by snt0-omc3-s42.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 10 Mar 2011 19:11:12 -0800 (note 6) Message-ID: <SNT107-W5483456B1A4B35B07E894796CB0@phx.gbl> Return-Path: email@example.com Content-Type: multipart/alternative; boundary="_d48cbdad-9bdd-4ff7-a4a8-84e147a1fe5e_" X-Originating-IP: [220.127.116.11] (note 5) From: Mr. Sender <firstname.lastname@example.org> To: "email@example.com" <firstname.lastname@example.org> Subject: ISP is Comcast - email from Hotmail to Gmail Date: Thu, 10 Mar 2011 19:11:11 -0800 Importance: Normal MIME-Version: 1.0 X-OriginalArrivalTime: 11 Mar 2011 03:11:12.0199 (UTC) FILETIME=[F9AC2570:01CBDF99] Hello.
- The sender email was changed to email@example.com for privacy
- The recipient email address was changed to recipient@gmail for privacy
- The email was sent while logged on to Hotmail web mail client
- The client PC was logged on to ISP Comcast
- This is the public IP of the PC on ISP Comcast
- Relay email transfer in Hotmail
- Transfer email from Hotmail to Gmail
- Relay email transfer in Gmail (there are two)
Notes on reading email headers
- Read Received fields from the bottom up to get the correct order
- Internet Message Format header fields are simple to forge, just put whatever in your email client.
- Received fields as added by SMTP are the most reliable for tracing the path and origin of the email.
- Received fields may include more information than from and by, such as IP, hosts, HELO/EHLO, date/time, ID
- Received fields may be sparse for internal relay and gateway operations due to security
- Received: IP addresses are reliable (?)
- X- fields are experimental fields added by email clients or servers and may be useful valid information or may be forged
- any header fields may be forged (?)
- Email clients (Outlook, Thunderbird, etc) may send originating information including LAN IP, LAN node name
- Web email clients (Hotmail, Yahoo mail, Gmail, etc) may send originating ISP IP information
arin.net – who owns the IP
networldmap.com/TryIt.htm – geographic location of the IP
LuxSci – The Case For Email Security
Academic Computing and Communications Center – Headers of a Legit Email Message
Internet email headers can tell us a lot about the origin and travel of the message but must be read carefully because the information can be forged.