Understanding Email Header Information

Danielle Tristao July 27, 2016 Email Security

There comes a time when you find yourself wanting to know more about an email you received. Maybe you are questioning its legitimacy, or maybe you are curious about the authentication that took place before it ended up in your mailbox.

You can’t be too careful these days, and sometimes you need answers that the basic information on display cannot give you. Sometimes you need to “View Full Headers”. If you have never looked into email headers, you may find this a bit daunting. But fret not! Here is a breakdown of how to read email header information.

Authentication-Results: This is where you can find what your email client authenticated when the email was sent. It shows the SPF and DKIM authentication results:

spf=pass (sender IP is 65.54.190.161; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=account-security-noreply@account.microsoft.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=account.microsoft.com; x-hmca=pass header.id=account-security-noreply@account.microsoft.com

Reviewing this header information, you can see that the SPF authentication passed because the sender IP of 65.54.190.161 is allowed to send from account.microsoft.com. The dkim=none result indicates that the message was not DKIM signed.

Received: The received section is a list of all of the servers the message traveled through in order to reach your mailbox. To read this information in the order it traveled, read from the bottom up. This means the first line in the “Received:” header should be your own mail system, as that is the end of its journey.

From: The from field is who the message is sent from. This field can be easily forged, which is why we suggest ensuring you only open email that has been authenticated. In our sample, the message passes SPF. This is a good sign of legitimacy. However, you still want to be cautious.

Return Path: The return path is the email address the sender would like you to use to reply to the email. This is the same as the Reply-To address.

Envelope-to: The email address that the email is intended for.

To: This displays who the message is addressed to, but may not contain the recipient’s email address.

Message ID: The message ID is given to the message by the mail server when the message was first created. These IDs can help track information and are easily forged by malicious senders.

Subject: Created by the sender, generally the high level topic of the message being sent.
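
As an added example (not code from the original article), the Python below reads the Authentication-Results and Received headers the way the text describes: it drops the parenthesised comments before splitting on `;` (the sample's comment contains one) and reverses the Received list into travel order. The message, hostnames, dates and the `trusted_id` check, which keeps only results stamped by your own mail server because a sender can add this header too, are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed message: hostnames, 192.0.2.10 and dates are made up; the spf/dkim values
# reuse the article's sample. The last Authentication-Results line plays a sender-added one.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailbox.recipient.example; Wed, 27 Jul 2016 10:00:03 -0700
Authentication-Results: mx.recipient.example; spf=pass (sender IP is 65.54.190.161; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=account-security-noreply@account.microsoft.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=account.microsoft.com
Received: from relay.sender.example (relay.sender.example [65.54.190.161])
\tby mx.recipient.example; Wed, 27 Jul 2016 10:00:02 -0700
Received: from app.sender.example by relay.sender.example; Wed, 27 Jul 2016 10:00:01 -0700
Authentication-Results: forged.sender.example; dkim=pass header.d=account.microsoft.com
From: account-security-noreply@account.microsoft.com
Subject: Constructed sample
"""

def parse(text):
    return message_from_string(text, policy=default)

def strip_comments(value):
    """Drop parenthesised comments (they may contain ';'), innermost first."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", "", value)
    return value

def auth_results(msg, trusted_id):
    """Return {method: (result, {property: value})} from trusted headers only."""
    found = {}
    for raw in msg.get_all("Authentication-Results", []):
        parts = strip_comments(str(raw)).split(";")
        if parts[0].strip().lower() != trusted_id.lower():
            continue  # not stamped by our own server, so not evidence of anything
        for part in parts[1:]:
            m = re.match(r"\s*([\w-]+)=(\w+)", part)
            if m:
                props = dict(re.findall(r"(\w+\.[\w-]+)=(\S+)", part[m.end():]))
                found[m.group(1).lower()] = (m.group(2).lower(), props)
    return found

def received_path(msg):
    """Each hop prepends its Received line, so reverse the list for travel order."""
    hits = [re.search(r"\bby\s+([^\s;]+)", str(r)) for r in reversed(msg.get_all("Received", []))]
    return [m.group(1) if m else None for m in hits]
```

Calling `auth_results(parse(SAMPLE), "mx.recipient.example")` reports `dkim` as `none`; the `dkim=pass` line carrying a different server name is ignored.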

For more information, check out the RFC for the email header specification.
