Cipafilter Support:
Support@Cipafilter.com
309 517 2022 option 2
Mon - Fri 7 AM - 6 PM CT
Email Headers - Reading and Understanding Email Transit
Last modified on 20 November 2013 10:22 AM


Email headers are an invaluable first step in troubleshooting email delivery problems. They are formulaic and follow strict structural rules, which lets you accurately identify a message's source and trace its delivery route. As an email is relayed from the sending source to the recipient's destination, it passes through several MTAs (mail transfer agents), each of which leaves its mark on the header. Read a header from the bottom up: every MTA along the path from the sender adds its own header lines to the top of the message as the email moves toward you, so the oldest entries sit at the bottom and the newest at the top.


Below is an example email header. We will dissect it part by part, discussing what each part means and which parts matter for an analysis. Headers typically contain no blank lines between parts and read as a wall of text; for ease of analysis, I have separated the header entries into significant groups.

Delivered-To: recipient@example.com

Received: by 10.100.100.168 with SMTP id cz8csp354151wjc;
Wed, 20 Nov 2013 07:38:41 -0800 (PST)
X-Received: by 10.0.0.129 with SMTP id s1mr881472icu.30.1384961920494;
Wed, 20 Nov 2013 07:38:40 -0800 (PST)
Return-Path: <sender@gmail.com>

Received: from cipafilter.example.com (smtp.example.com. [203.0.113.3])
by mx.google.com with ESMTPS id yo2si4718440icb.145.2013.11.20.07.38.39
for <recipient@example.com>
(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Wed, 20 Nov 2013 07:38:40 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@gmail.com designates 198.51.100.180 as permitted sender) client-ip=198.51.100.180;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@gmail.com designates 198.51.100.180 as permitted sender) smtp.mail=sender@gmail.com;
dkim=pass header.i=@gmail.com

Received: from mail-qc0-f180.google.com (mail-qc0-f180.google.com [198.51.100.180])
by cipafilter.example.com (8.14.4/8.14.1/Debian-8ubuntu1) with ESMTP id rAKFca9A022454
for <recipient@example.com>; Wed, 20 Nov 2013 09:38:37 -0600

Received: by mail-qc0-f180.google.com with SMTP id e16so3972808qcx.11
for <recipient@example.com>; Wed, 20 Nov 2013 07:38:30 -0800 (PST)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=17CDCtuWRfspufurt68Hwb2G+/c6zHbls7IMchMEgPA=;
b=Ul56Qxedox52VZTGgb0ISwhxRhUCe1UqSBF8mjnCLzPHaEksxDIr/fpJQCRUpeDA41
gaXm7hzoE2tQ1wkIB1NeE8Drj9SpVoP/lwInK2/RXLZ7c6pJACh4gppefpLEwQPr3Rkt
ictoBbZuIfDddRiW2rskONspc0ITvn9hzYQQlPC54bHvSxnYlyV9qz1nMqHgFvynRU8e
xnoHcG/J8rqS8VxqhPKZMoiMkK4nW3cmsrWc6vih8fjrjQ7TzRVxyq22zzIP/YX5eKb6
IC6zkxfkAQw74q4v/G15s83xX19G9+p1HMgpt2xmj+/XXfoyw4HDMNCmx8vxLSMXU+UB
CRHg==
MIME-Version: 1.0
X-Received: by 10.1.1.237 with SMTP id b13mr2437991qec.15.1384961910893;
Wed, 20 Nov 2013 07:38:30 -0800 (PST)
Received: by 10.200.200.70 with HTTP; Wed, 20 Nov 2013 07:38:30 -0800 (PST)
Date: Wed, 20 Nov 2013 09:38:30 -0600
Message-ID: <CADx6jH7FqknAU0E51C43kEJk_a-ecsTUa-8tY9LcAZqv7tv8Zw@mail.gmail.com>
Subject: Test Email-Headers
From: Jane Doe <sender@gmail.com>
To: Me <recipient@example.com>
Content-Type: multipart/alternative; boundary=047d7b5dbf62b9f40d04eb9d920d

X-Derby-GreyList-Bypass: Message skipped greylisting
X-Derby-SPF-Pass: SPF Check Passed
X-Derby-AntiSpamStatistics: colo.example.com: CIPAFilter/Spamassassin Spam Statistics
Content analysis details: (-1.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (laurent.sauvage[at]mail.ru) (mailer-daemon[at]googlemail.com)
                            (mailer-daemon[at]googlemail.com) (adityasarawgioo7[at]gmail.com)
                            (mailer-daemon[at]googlemail.com) (united.newsletters.inc[at]gmail.com)
                            (jason_shah[at]globaldatahouse.onmicrosoft.com)
                            (mailer-daemon[at]googlemail.com) (mailer-daemon[at]googlemail.com)
                            (mailer-daemon[at]googlemail.com) (mailer-daemon[at]googlemail.com)
                            (mailer-daemon[at]googlemail.com) (sender[at]gmail.com)
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 1.0 AWL                    AWL: From: address is in the auto white-list
X-Scanned-By: MIMEDefang 2.71 on 203.0.113.3 
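The bottom-up reading rule above is mechanical enough to script. The following is an added example (not Cipafilter's code and not part of the original article): it feeds the article's example header, trimmed to the transit-relevant lines and re-folded with the leading whitespace that the copy on this page lost, through Python's standard email parser, lists the Received hops oldest-first, and computes the delay at each hop after converting every timestamp to UTC so that the -0600 and -0800 relays are not misread as lag. The Hop field names and the regular expressions are my own choices.

```python
"""Reconstruct an email's relay path from its Received headers, bottom-up."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample: the article's example header, trimmed to the lines that
# matter for transit and re-folded with leading whitespace on continuation
# lines (RFC 5322 folding), which the extracted copy on the page lost.
SAMPLE_HEADERS = """\
Delivered-To: recipient@example.com
Received: by 10.100.100.168 with SMTP id cz8csp354151wjc;
        Wed, 20 Nov 2013 07:38:41 -0800 (PST)
X-Received: by 10.0.0.129 with SMTP id s1mr881472icu.30.1384961920494;
        Wed, 20 Nov 2013 07:38:40 -0800 (PST)
Return-Path: <sender@gmail.com>
Received: from cipafilter.example.com (smtp.example.com. [203.0.113.3])
        by mx.google.com with ESMTPS id yo2si4718440icb.145.2013.11.20.07.38.39
        for <recipient@example.com>
        (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 20 Nov 2013 07:38:40 -0800 (PST)
Received: from mail-qc0-f180.google.com (mail-qc0-f180.google.com [198.51.100.180])
        by cipafilter.example.com (8.14.4/8.14.1/Debian-8ubuntu1) with ESMTP id rAKFca9A022454
        for <recipient@example.com>; Wed, 20 Nov 2013 09:38:37 -0600
Received: by mail-qc0-f180.google.com with SMTP id e16so3972808qcx.11
        for <recipient@example.com>; Wed, 20 Nov 2013 07:38:30 -0800 (PST)
Received: by 10.200.200.70 with HTTP; Wed, 20 Nov 2013 07:38:30 -0800 (PST)
Date: Wed, 20 Nov 2013 09:38:30 -0600
From: Jane Doe <sender@gmail.com>
To: Me <recipient@example.com>
"""


@dataclass
class Hop:
    from_host: Optional[str]      # host the relay says it received from
    from_ip: Optional[str]        # IP in [brackets], recorded by the receiving relay
    by_host: Optional[str]        # the relay that wrote this Received line
    protocol: Optional[str]       # SMTP, ESMTP, ESMTPS, HTTP, ...
    queue_id: Optional[str]       # queue id assigned by that relay
    timestamp: Optional[datetime]


def parse_received(value: str) -> Hop:
    """Parse one Received: value (folded or not) into its named clauses."""
    text = " ".join(value.split())           # unfold continuation lines
    if ";" in text:
        clause, date_part = text.rsplit(";", 1)   # the date follows the last ';'
    else:
        clause, date_part = text, ""
    timestamp = None
    if date_part.strip():
        try:
            timestamp = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            timestamp = None                 # malformed date: keep the hop, drop the time

    def grab(keyword: str) -> Optional[str]:
        m = re.search(rf"\b{keyword}\s+(\S+)", clause)
        return m.group(1) if m else None

    from_ip = None
    m = re.search(r"\bfrom\s+\S+\s*\(([^)]*)\)", clause)
    if m:
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(1))
        from_ip = ip.group(1) if ip else None
    return Hop(grab("from"), from_ip, grab("by"), grab("with"), grab("id"), timestamp)


def transit_order(raw_headers: str) -> List[Hop]:
    """Return hops oldest-first: the bottom Received line is the first hop."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def hop_delays(hops: List[Hop]) -> List[int]:
    """Seconds between consecutive hops, compared in UTC so relays in
    different zones (-0800 vs -0600 here) are not misread as lag."""
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if prev.timestamp is None or cur.timestamp is None:
            delays.append(-1)                # unknown
            continue
        delta = cur.timestamp.astimezone(timezone.utc) - prev.timestamp.astimezone(timezone.utc)
        delays.append(int(delta.total_seconds()))
    return delays


if __name__ == "__main__":
    hops = transit_order(SAMPLE_HEADERS)
    for n, (hop, delay) in enumerate(zip(hops, [0] + hop_delays(hops)), start=1):
        print(f"hop {n}: from={hop.from_host} [{hop.from_ip}] by={hop.by_host} "
              f"with={hop.protocol} id={hop.queue_id} (+{delay}s)")
```

For the article's header this yields five hops (X-Received lines are Google-internal and are left out) and per-hop delays of 0, 7, 3 and 1 seconds, eleven seconds end to end. The only field in each line that the receiving relay observed for itself is the bracketed IP address; the host name before it is whatever the sending side announced.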


Cipafilter-Specific Headers

Typically, reading an email header means starting at the bottom and working your way up. When a Cipafilter is operating on the recipient end and performing spam analysis, it will insert SpamAssassin and MIMEDefang header lines at the bottom of the header beneath the original "From," "To," and any "Content-Type" MIME headers. These Cipafilter-specific header lines will be prefaced with X-Derby and X-Scanned-By. There might also be other recipient server tags, such as "X-MS-Exchange-Organization" if you are running an Exchange server.

X-Derby-GreyList-Bypass: Message skipped greylisting
X-Derby-SPF-Pass: SPF Check Passed
X-Derby-AntiSpamStatistics: colo.example.com: CIPAFilter/Spamassassin Spam Statistics
Content analysis details: (-1.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (laurent.sauvage[at]mail.ru) (mailer-daemon[at]googlemail.com)
                            (mailer-daemon[at]googlemail.com) (adityasarawgioo7[at]gmail.com)
                            (mailer-daemon[at]googlemail.com) (united.newsletters.inc[at]gmail.com)
                            (jason_shah[at]globaldatahouse.onmicrosoft.com)
                            (mailer-daemon[at]googlemail.com) (mailer-daemon[at]googlemail.com)
                            (mailer-daemon[at]googlemail.com) (mailer-daemon[at]googlemail.com)
                            (mailer-daemon[at]googlemail.com) (sender[at]gmail.com)
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 1.0 AWL                    AWL: From: address is in the auto white-list
X-Scanned-By: MIMEDefang 2.71 on 203.0.113.3 
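The X-Derby-AntiSpamStatistics value is a SpamAssassin content-analysis report, and the individual rule scores should add up to the total in parentheses. The following is an added example (my code, not Cipafilter's or SpamAssassin's) that parses the report as it appears in this article, whether folded into a table or run together on one line, checks that the rule scores sum to the reported -1.0, and names the rules that pushed the score toward spam. The sample shortens the FREEMAIL_FROM address list to one entry; the RuleHit and SpamReport names and the regular expressions are my own.

```python
"""Parse a SpamAssassin 'Content analysis details' report and check the score."""
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import List

# Constructed sample: the X-Derby-AntiSpamStatistics value from the article as a
# single run-on line (the FREEMAIL_FROM address list is shortened to one entry).
SAMPLE_REPORT = (
    "colo.example.com: CIPAFilter/Spamassassin Spam Statistics "
    "Content analysis details: (-1.0 points, 5.0 required) "
    "pts rule name description "
    "---- ---------------------- -------------------------------------------------- "
    "0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider "
    "(sender[at]gmail.com) "
    "-0.0 SPF_PASS SPF: sender matches SPF record "
    "-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] "
    "0.0 HTML_MESSAGE BODY: HTML included in message "
    "-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain "
    "0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid "
    "-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature "
    "1.0 AWL AWL: From: address is in the auto white-list"
)

TOTALS_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
TABLE_START_RE = re.compile(r"-{4,}\s+-{10,}\s+-{10,}\s*")
# A row is "<points> <RULE_NAME> <description>"; the description runs until
# the next "<points> <RULE_NAME> " pair or the end of the text.
ROW_RE = re.compile(
    r"(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*?)(?=\s+-?\d+\.\d+\s+[A-Z][A-Z0-9_]*\s|$)"
)


@dataclass
class RuleHit:
    points: Decimal
    name: str
    description: str


@dataclass
class SpamReport:
    total: Decimal
    required: Decimal
    rules: List[RuleHit]


def parse_report(raw: str) -> SpamReport:
    text = " ".join(raw.split())           # works for the folded and run-on forms
    totals = TOTALS_RE.search(text)
    start = TABLE_START_RE.search(text)
    if not totals or not start:
        raise ValueError("not a SpamAssassin content-analysis report")
    rows = [RuleHit(Decimal(p), name, desc)
            for p, name, desc in ROW_RE.findall(text[start.end():])]
    return SpamReport(Decimal(totals.group(1)), Decimal(totals.group(2)), rows)


def rules_sum(report: SpamReport) -> Decimal:
    # Decimal keeps -1.9 + -0.1 exact; float arithmetic would not.
    return sum((r.points for r in report.rules), Decimal("0"))


def totals_consistent(report: SpamReport) -> bool:
    """True when the listed rule scores add up to the reported total; a
    mismatch means the header was truncated or altered after scanning."""
    return rules_sum(report) == report.total


def is_spam(report: SpamReport) -> bool:
    return report.total >= report.required


def top_contributors(report: SpamReport, n: int = 3) -> List[str]:
    """Names of the rules pushing the score toward spam, largest first."""
    ranked = sorted(report.rules, key=lambda r: r.points, reverse=True)
    return [r.name for r in ranked[:n] if r.points > 0]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"total {report.total} (required {report.required}), spam={is_spam(report)}")
    print("consistent:", totals_consistent(report), "pushing up:", top_contributors(report))
```

On the article's report the eight rule scores sum to exactly -1.0, the message is well under the 5.0 threshold, and the only rule adding a full point is AWL, the auto white-list adjustment. A report whose rows no longer sum to the stated total is worth a closer look, since every hop after the scanner can rewrite this header.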


Original Sender's Header

When a message is created, certain information is inserted by the original sender's mail user agent (MUA). Working from the bottom to the top, we see the recipient's address in the "To" field and the sender's in the "From" field. This portion of the header may also contain a "Subject" line. Remember that these fields can be, and frequently are, forged or hidden by spammers.

The "Message-ID" field is of particular interest. Message IDs are intended to be unique for each email message. The domain listed after the @ in the Message-ID field will, in the majority of cases, indicate the domain of the host responsible for creating the email. In this case, the email was created using a service that is part of the mail.gmail.com domain, which is typical of webmail. Message IDs tend to be considerably more difficult to forge than other header fields, but doing so is not impossible.

The "Date" field indicates the date and time a message was created, together with the GMT offset of the creating host's MUA. In this example, -0600 (six hours behind GMT) indicates that the message was created in the Central Time Zone at 9:38:30 a.m.

There may or may not be lines referencing cryptographic algorithms (here the DKIM-Signature line, which records the signing algorithm used by the sender's domain) and internal mail client transfers using private IP addresses (as in this case, where Google mail was used to create and send the message).

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=17CDCtuWRfspufurt68Hwb2G+/c6zHbls7IMchMEgPA=;
b=Ul56Qxedox52VZTGgb0ISwhxRhUCe1UqSBF8mjnCLzPHaEksxDIr/fpJQCRUpeDA41
gaXm7hzoE2tQ1wkIB1NeE8Drj9SpVoP/lwInK2/RXLZ7c6pJACh4gppefpLEwQPr3Rkt
ictoBbZuIfDddRiW2rskONspc0ITvn9hzYQQlPC54bHvSxnYlyV9qz1nMqHgFvynRU8e
xnoHcG/J8rqS8VxqhPKZMoiMkK4nW3cmsrWc6vih8fjrjQ7TzRVxyq22zzIP/YX5eKb6
IC6zkxfkAQw74q4v/G15s83xX19G9+p1HMgpt2xmj+/XXfoyw4HDMNCmx8vxLSMXU+UB
CRHg==
MIME-Version: 1.0
X-Received: by 10.1.1.237 with SMTP id b13mr2437991qec.15.1384961910893;
Wed, 20 Nov 2013 07:38:30 -0800 (PST)
Received: by 10.200.200.70 with HTTP; Wed, 20 Nov 2013 07:38:30 -0800 (PST)
Date: Wed, 20 Nov 2013 09:38:30 -0600
Message-ID: <CADx6jH7FqknAU0E51C43kEJk_a-ecsTUa-8tY9LcAZqv7tv8Zw@mail.gmail.com>
Subject: Test Email-Headers
From: Jane Doe <sender@gmail.com>
To: Me <recipient@example.com>
Content-Type: multipart/alternative; boundary=047d7b5dbf62b9f40d04eb9d920d 


MTA Headers - Relaying Email to Your Server

The next important line to evaluate is the one indicating receipt of the message by an MTA for external delivery: the first mail relay to receive the message and the first stop on the route to your mail server. Headers inserted by an MTA begin with the label "Received:" and include information about that relay and its interaction with the email.

The first step taken by our example email, apart from being internally relayed by Google's servers, was to be received by a Google outbound relay server (mail-qc0-f180.google.com). The message is given a queue id unique to that server, and the intended recipient is stated again. The time stamp reveals that this mail server's clock is set to the Pacific Time Zone.

Received: by mail-qc0-f180.google.com with SMTP id e16so3972808qcx.11
for <recipient@example.com>; Wed, 20 Nov 2013 07:38:30 -0800 (PST)

The second hop made by the example email was to the recipient's Cipafilter itself. The header inserted at this stage indicates that the email was received from Google's mail relay (at IP 198.51.100.180) by the Cipafilter and assigned a new queue id (rAKFca9A022454 in this example). This id can be used by Cipafilter staff to find the message in the Cipafilter's internal logs. The intended recipient and a date stamp are again listed.

Received: from mail-qc0-f180.google.com (mail-qc0-f180.google.com [198.51.100.180])
by cipafilter.example.com (8.14.4/8.14.1/Debian-8ubuntu1) with ESMTP id rAKFca9A022454
for <recipient@example.com>; Wed, 20 Nov 2013 09:38:37 -0600

The third step for our example message was to be relayed from the Cipafilter to the end user's internal mail server or service. In this case, the message is being relayed to an email address hosted on a Google domain, which is easy to determine from the MTA header: the email is shown as being received from the Cipafilter (which has an alias, smtp.example.com, and the public IP address 203.0.113.3) by a Google mail exchanger (mx.google.com), and it is again given a unique queue id. The recipient and a date stamp are included, but this MTA header also records actions performed on the MTA. One is the SPF evaluation, which indicates that the sending relay, mail-qc0-f180.google.com with the IP address 198.51.100.180, is listed by the sender's domain as permitted to transmit email on its behalf. The other is the TLS version and cipher used for the connection.

Received: from cipafilter.example.com (smtp.example.com. [203.0.113.3])
by mx.google.com with ESMTPS id yo2si4718440icb.145.2013.11.20.07.38.39
for <recipient@example.com>
(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Wed, 20 Nov 2013 07:38:40 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@gmail.com designates 198.51.100.180 as permitted sender) client-ip=198.51.100.180;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@gmail.com designates 198.51.100.180 as permitted sender) smtp.mail=sender@gmail.com;
dkim=pass header.i=@gmail.com
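Two cautions follow from the Authentication-Results and Message-ID discussion above: any upstream host can insert an Authentication-Results header, so only the one written by your own MX carries weight, and an SPF or DKIM pass says nothing about the From: address the user sees unless the authenticated domain lines up with it. The following is an added example of those checks (my code, not Cipafilter's, Google's or any library's) over the relevant lines of the article's example header, re-folded, plus a second, hypothetical header that passes both checks for an unrelated domain. The finding codes, the authserv-id trust list, and the subdomain test used for alignment (which approximates DMARC relaxed alignment without a public-suffix list) are my own assumptions.

```python
"""Read Authentication-Results the way a receiving MTA should: trust only your
own authserv-id, then check that the authenticated identifiers line up with
the From: domain the user will see."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

# Constructed sample 1: the relevant lines of the article's example, re-folded.
SAMPLE_OK = """\
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of sender@gmail.com designates 198.51.100.180 as permitted sender) smtp.mail=sender@gmail.com;
        dkim=pass header.i=@gmail.com
Message-ID: <CADx6jH7FqknAU0E51C43kEJk_a-ecsTUa-8tY9LcAZqv7tv8Zw@mail.gmail.com>
From: Jane Doe <sender@gmail.com>
To: Me <recipient@example.com>
"""

# Constructed sample 2 (hypothetical): SPF and DKIM both pass at the MX, but
# for a domain that has nothing to do with the one shown in From:.
SAMPLE_UNALIGNED = """\
Authentication-Results: mx.example.com;
        spf=pass smtp.mail=bounce@bulkmail.example.net;
        dkim=pass header.i=@bulkmail.example.net
Message-ID: <constructed-id-0001@bulkmail.example.net>
From: Payroll <payroll@example.org>
To: Me <recipient@example.com>
"""

Result = Dict[str, str]   # {"result": "pass", "smtp.mail": "...", ...}


def parse_authentication_results(value: str) -> Tuple[str, Dict[str, Result]]:
    """Split 'authserv-id; method=result prop=value; ...' (RFC 8601 shape)."""
    text = re.sub(r"\([^)]*\)", "", " ".join(value.split()))   # drop (comments)
    parts = [p.strip() for p in text.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()                  # ignore optional version
    results: Dict[str, Result] = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, outcome = tokens[0].partition("=")
        entry: Result = {"result": outcome.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            entry[key] = val
        results[method.lower()] = entry
    return authserv_id, results


def domain_of(identifier: str) -> str:
    return identifier.strip("<> ").rpartition("@")[2].lower()


def aligned(a: str, b: str) -> bool:
    """Same domain, or one a subdomain of the other (assumption: stands in for
    DMARC relaxed alignment, which would use the organizational domain)."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def check_alignment(raw_headers: str, trusted_authserv_ids: Set[str]) -> List[str]:
    """Return finding codes; an empty list means nothing looked off."""
    msg = message_from_string(raw_headers)
    findings: List[str] = []
    trusted_ids = {t.lower() for t in trusted_authserv_ids}
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    trusted: List[Dict[str, Result]] = []
    for value in msg.get_all("Authentication-Results") or []:
        authserv_id, results = parse_authentication_results(value)
        if authserv_id in trusted_ids:
            trusted.append(results)
        else:
            # Any upstream host can add this header; only our own MX's verdict counts.
            findings.append(f"untrusted-authserv-id:{authserv_id}")
    if not trusted:
        findings.append("no-trusted-results")
        return findings
    results = trusted[0]              # topmost trusted header is the most recent
    spf = results.get("spf")
    if not spf or spf["result"] != "pass":
        findings.append("spf-fail")
    elif not aligned(domain_of(spf.get("smtp.mail", "")), from_domain):
        findings.append(f"spf-unaligned:{domain_of(spf.get('smtp.mail', ''))}")
    dkim = results.get("dkim")
    if not dkim or dkim["result"] != "pass":
        findings.append("dkim-fail")
    elif not aligned(domain_of(dkim.get("header.i", "")), from_domain):
        findings.append(f"dkim-unaligned:{domain_of(dkim.get('header.i', ''))}")
    mid_domain = domain_of(msg.get("Message-ID", ""))
    if mid_domain and not aligned(mid_domain, from_domain):
        findings.append(f"message-id-foreign:{mid_domain}")   # a hint, not proof
    return findings


if __name__ == "__main__":
    print("article sample:", check_alignment(SAMPLE_OK, {"mx.google.com"}))
    print("unaligned sample:", check_alignment(SAMPLE_UNALIGNED, {"mx.example.com"}))
```

For the article's header, evaluated as if mx.google.com were our own MX, the list comes back empty: SPF and DKIM both pass for gmail.com, which matches the From: domain, and the Message-ID domain mail.gmail.com sits under it. The hypothetical second header produces three findings even though every check passed, which is exactly the case the article warns about when it says From: is easily forged.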

The final entries indicate internal routing of the message in Google's mail servers, as well as an indication that the message was successfully delivered to the intended recipient.

Delivered-To: recipient@example.com

Received: by 10.100.100.168 with SMTP id cz8csp354151wjc;
Wed, 20 Nov 2013 07:38:41 -0800 (PST)
X-Received: by 10.0.0.129 with SMTP id s1mr881472icu.30.1384961920494;
Wed, 20 Nov 2013 07:38:40 -0800 (PST)
Return-Path: <sender@gmail.com>

If you are running a Microsoft Exchange server, your last header entry may look something like the following:

Received: from cipafilter.example.com (10.0.0.1) by exchange.your_domain.loc (10.0.0.2)
with Microsoft SMTP Server (TLS) id 14.2.347.0; Mon, 18 Nov 2013 13:40:45 -0600

©Cipafilter 2017. All Rights Reserved.