Learning how to read email headers and understand their contents can help you troubleshoot deliverability issues, ensuring your sending reputation remains intact and your campaigns perform like a dream.
Other information is used by the email client so that it can understand what type of content the email contains, whether or not it is spam, and whether the sender is really who it claims to be. This information can also be used by senders to troubleshoot deliverability issues.
Note: Mail Transfer Agents (MTAs) facilitate the routing of an email message from the sender to the receiver. It is possible for a single email to pass through multiple MTAs. If this happens, there may be multiple Received headers, one for each destination the email was received at before it was passed on.
X-Spam-Status: The status header tells you whether your email is spam, with a simple YES or NO. This is followed by your SpamAssassin score as a numeric value, for example, 4.3. It will also display the default score required, as well as the tests that were run.
When you view the email header in Gmail, it displays the email in a way that highlights important parts of the header. This allows you to easily view the Message ID, Date, From, To, Subject and Authentication (SPF and DKIM) headers.
Fail: The SPF check failed because the source is not authorized
Softfail: The SPF record indicates the sending source is suspicious; the message is not rejected but is usually delivered to spam
Neutral: The SPF record explicitly states that it does not assert whether the IP address is authorized to send messages for the domain
None: No SPF record is found
Temperror: A temporary error has occurred
Permerror: A permanent error has occurred
DKIM adds a digital signature to the message so the receiver can verify the sender's domain and the message contents. The receiving mail server verifies this signature using the DKIM public key published in your DNS records: a hash is computed over the signed parts of the email and compared with the hash carried in the signature, confirming the message has not been altered.
If you want to optimize your email analysis and make troubleshooting more efficient, the best way is with an email analysis tool, like MailerCheck. Not only does MailerCheck fetch details from your email header information to identify issues, but it also checks your email content for typos, broken links and spam-like content.
But be careful trusting that this is the real source of the email. The blacklist complaint could just be added by the scammer to wipe out his traces and/or lay a false trail. There is still the possibility that the server 209.86.89.64 is innocent and just a relay for the real attacker at 168.62.170.129. In this case, 168.62.170.129 is clean so we can be nearly certain the attack was done from 209.86.89.64.
Another point to keep in mind is that Alice uses Yahoo! ([email protected]) and elasmtp-curtail.atl.sa.earthlink.net isn't on the Yahoo! network (you may want to re-check its IP Whois information). Therefore we may safely conclude that this email is not from Alice, and we should not send her money to the Philippines.
To determine who really sent the message, the return-path is helpful. However, it can be spoofed. A Return-path address which does not match the From address is cause for suspicion. There are legitimate reasons for them to be different, such as messages forwarded from mailing lists, or links sent from web sites. (It would be better if the web-site used the Reply-to address to identify the person forwarding the link.)
To determine the origin of the message, read from the top down through the Received headers. There may be several. Most will have the IP address of the server they received the message from. Some issues you will encounter:
I use -email. If you use Gmail, click Show original (on More, next to the Reply button), copy the headers, paste them onto this website and click Get source. You'll get the Geo-location information and map in return.
When making queries to the Gmail API, I've seen 'unexpected' behaviour. More or less, I want to cache the last run epoch value and then subsequently use the API query with parameter "after:epoch". I presumed that this field would be the "internalDate" (/1000), but this is incorrect and I can't find clear guidance in the documentation.
Through trial and error of reading a payload and then querying, I've found various other dates that Gmail may use that seem to correspond to correct outcomes, and would greatly appreciate confirmation on which Google actually uses. There is:
There are a host of other times that are very similar but don't appear to be candidates based on testing. If someone also knows whether the query "after" is inclusive or exclusive // any rounding considerations that would be most appreciated also (my understanding is it's inclusive).
Please keep in mind that there are a lot of header values called "Received", such as "Received-SPF", but also plain "Received", which record when each of the servers in charge of handling the email got it. Email delivery infrastructure works by going through multiple servers, each with its own purpose, which is why you see so many received dates there.
The way you read those is by going from the first one (topmost) "Received" header, which is when the server in charge of placing the email in your inbox received the message. From there, all the rest are hops from server to server, but those happened before you even got the mail.
The other "Received" values there are for when the entity that handles your inbox received them. Typically on Gmail you would see two "Received" headers with different information and possibly different dates/times, but you have to remember that the one at the top is the one that more accurately depicts the moment when you can see the email in your inbox; this is better explained here.
Please keep in mind that you might see huge delays in comparison to other "received"-type headers. In the case of "Received-SPF", this means that the SPF checker received the email to then verify whether the sender's SPF record allows the email to be delivered to the recipient's inbox. This means that if the connection to the sender's SMTP server is of low quality, the email might take a while to be delivered while both servers communicate, so you should only trust the very first "Received" header.
Nowadays, email has established itself as the leading mode of information sharing. Millions of users rely on email services to maintain communication channels worldwide, and Gmail, being one of the most reliable and widely used services, serves many of them. One important component of a Gmail message is its header information: every email contains a hidden header that holds tracking information for the respective Gmail message. An email header analyzer can therefore be used to carry out Gmail email forensics and extract this crucial information. The following section discusses how to view and analyze a Gmail message header in detail.
The Gmail headers play a significant role in tracking sensitive information about the sender and various network-related components, so a careful analysis of a Gmail header reveals this information. When extracted, the Gmail header shows the following components:
Delivered-To: The Delivered-To field indicates the email address of the intended recipient. Thus, it generally contains the same email address for which the Gmail header is being analyzed.
Significance: By reading the email address in the Delivered-To field, a user can easily detect phishing activity. If the email address does not correspond to your email address, it indicates that some kind of manipulation has taken place that needs to be investigated.
Return-Path: The Return-Path field specifies the email address to which the message is bounced in case of transmission failure. Thus, the failure notification is delivered to the Return-Path address for issues such as a wrong recipient address.
Received-SPF: The receiving server adds a Received-SPF field to indicate whether the email message comes from a verified sender. It applies the SPF check to verify the sender's identity and only forwards the message if the sender is authenticated.
Significance: The SPF (Sender Policy Framework) check is applied to determine whether the email is from a valid sender. It verifies the sender's identity against the domain and adds the status of the check to the header field. The most commonly used result codes are:
Pass: The email source is valid
Softfail: There is a possibility of a fake source
Fail: The email source is absolutely invalid
Neutral: Difficult to distinguish between a valid and an invalid source
None: No SPF record is found for the domain
Unknown: The SPF check cannot be performed
Error: An error occurred while performing the SPF check
Authentication-Results: The Mail Transfer Agents perform several authentication checks on the message before processing it, and the results are added to the Authentication-Results header field. Since several authentication techniques may be applied, the individual results are separated by semicolons.
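As an added example (not code from any of the sources quoted on this page), the following Python script ties together the advice above: it walks the Received chain top-down as described in the answer on reading "Received" headers, extracts the Received-SPF result and the semicolon-separated Authentication-Results entries, and flags a Return-Path/From domain mismatch. The headers it parses are constructed sample values, and the function names are my own.

```python
import email
import email.utils
import re

# Constructed sample headers (not a real capture); hosts and IPs are documentation values.
RAW = """\
Return-Path: <bounce@mailer.example.org>
Received: from mx.example.net (mx.example.net [203.0.113.10])
        by inbox.example.net with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
        by mx.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
Received-SPF: pass (example.net: domain of bounce@mailer.example.org designates
        198.51.100.7 as permitted sender) client-ip=198.51.100.7;
Authentication-Results: mx.example.net; dkim=pass header.i=@mailer.example.org;
        spf=pass smtp.mailfrom=mailer.example.org; dmarc=fail header.from=bank.example.com
From: Alice <alice@bank.example.com>

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # the [a.b.c.d] the receiver logged

def received_hops(raw=RAW):
    """Received headers top-down: index 0 is the hop that put the mail in the
    inbox, the last entry is the hop closest to the origin (claimed host, seen IP)."""
    hops = []
    for v in email.message_from_string(raw).get_all("Received", []):
        frm, ip = re.search(r"from\s+(\S+)", v), IP_RE.search(v)
        hops.append((frm.group(1) if frm else None, ip.group(1) if ip else None))
    return hops

def spf_result(raw=RAW):
    """Result keyword of Received-SPF: pass, fail, softfail, neutral, none, ..."""
    v = email.message_from_string(raw).get("Received-SPF")
    return v.split()[0].lower() if v else None

def auth_results(raw=RAW):
    """Authentication-Results -> {method: result}; the first ';' entry is the checking server."""
    out = {}
    for part in email.message_from_string(raw).get("Authentication-Results", "").split(";")[1:]:
        if "=" in part:
            method, rest = part.strip().split("=", 1)
            out[method] = rest.split()[0].lower()
    return out

def return_path_mismatch(raw=RAW):
    """True when Return-Path and From domains differ: suspicious, not proof (lists forward)."""
    msg = email.message_from_string(raw)
    dom = lambda h: email.utils.parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return dom("Return-Path") != dom("From")
```

The last hop returned by received_hops() is the IP the first accepting server saw, which is the one to check against Whois as the text above does; the SPF pass here only covers the Return-Path domain, which is why the dmarc=fail on the From domain is the result to act on.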
DKIM-Signature: The DKIM-Signature header carries the digital signature embedded in the email. It is another authentication mechanism maintained by the mail server to share data securely.
X-Google-DKIM-Signature: In addition to the other authentication checks, Google itself adds an X-Google-DKIM-Signature field to the email header to improve authentication of signatures. The subsequent fields located within this header carry information about the digital signature's encoding.