Loading

How To: Read Email Headers

Data pubblicazione: Oct 2, 2025
Operazione

Email headers are a hidden block of metadata in every email that provides technical details about the message's origin, delivery path, and authentication, acting like a digital passport for the email. While visible fields like "From," "To," and "Subject" are the basic header, the complete header contains crucial information for email delivery, spam detection, and identifying forged sender information, which can be viewed by selecting options like "view message source" or "original message" in an email client.  
Email headers are read from the bottom up. The oldest information is at the bottom, and the newest is at the top. Each time an email is handled by a mail server, a new "Received" header is added to the top of the email's header section. 


Email Header Fields

Header FieldDescription
From
The sender's name and email address.
To
The recipient's name and email address.
Date
The date and time the email was sent.
Subject
The title of the email as it appears in the subject line.
Return-Path
The email address where the message will be sent if it cannot be delivered.
Also known as the "envelope sender" or "bounce address".
Reply-To
The email address that will receive the reply if the recipient clicks the reply button.
Message-ID
A unique identifier for the email message.
Received
A record of each server the email passed through to get to the recipient.
The most recent server is listed first.
DKIM-Signature
DomainKeys Identified Mail is an email authentication method that uses a digital
signature to verify that the email was sent from the domain it claims to be from
and that the content has not been tampered with in transit.
SPF
Sender Policy Framework is an email authentication method that specifies
which mail servers are authorized to send email for a domain.
MIME-Version
Multipurpose Internet Mail Extensions is an internet standard that extends the
format of email to support text in character sets other than ASCII, as well as
attachments of audio, video, images, and application programs.
The value is typically "1.0".
Content-Type
This describes the format of the message, such as text/plain or text/html.
X-SFDC-LK
The Salesforce organization ID from which the email originated.
X-SFDC-User
The Salesforce user ID from which the email originated.
X-SFDC-EntityId
The ID of the Salesforce entity that triggered the email.
X-SFDC-EmailCategory
The type of email, according to Salesforce's categorization.
X-SFDC-ORGTYPE
The type of Salesforce organization that sent the email, such as "FREE" or "Trial".
This field only appears for emails from "Free" or "Trial" orgs.

 

Fasi

Here's how to trace an email's journey:

  1. Open the Full Email Header: In your email client (like Gmail, Outlook, or Apple Mail), find the option to "Show Original," "View Message Source," or "View Full Headers." This will display the complete header information.

  2. Start at the Bottom: Scroll down to the bottom of the header. The first Received header you find is the starting point of the email's journey. This is the server of the original sender.

  3. Analyze the Received Headers: Each Received header provides a snapshot of one "hop" in the email's journey. Here's a breakdown of a typical Received header:
    Received: from [sending server] ([IP address of sending server])
        by [receiving server] with [protocol];
        [date and time]

  • from: The name of the server that sent the email.

  • by: The name of the server that received the email.

  • with: The protocol used for the transfer (e.g., ESMTP, ESMTPS for encrypted transfer).

  • id: A unique message ID assigned by the receiving server for logging.

  • for: The recipient's email address.

  • Date and Time: A timestamp of when the server received the email.

  1. Follow the Path Upwards: As you move up through the Received headers, you are following the email from one server to the next. The by server in one Received header should match the from server in the header above it. This creates a chain that shows the exact path the email took.

  2. Check Authentication and Security: While tracing the path, look for these headers to understand how the email was authenticated and if it was flagged as spam:

  • DKIM-Signature and SPF: These headers indicate whether the email passed authentication checks. A "pass" result means the email is likely from a legitimate source. A "fail" or "softfail" could indicate a spoofed or forged email.

  • X-Spam-Status or similar X- headers: Many email servers add their own custom headers (prefixed with X-) to show the results of spam filtering. You might see a spam score or a "Yes" or "No" indicating if the email was flagged as spam.

 

Example of Tracing an Email

 

Let's say you have the following (simplified) Received headers:




Received: from mail-server-3.recipient.com (mail-server-3.recipient.com [203.0.113.1])
    by mx.google.com with ESMTP id ...
    for <youremail@gmail.com>;
    Tue, 10 Sep 2025 10:00:00 -0700 (PDT)

Received: from mail-server-2.intermediate.com (mail-server-2.intermediate.com [198.51.100.1])
    by mail-server-3.recipient.com with ESMTP id ...
    for <youremail@gmail.com>;
    Tue, 10 Sep 2025 09:59:58 -0700 (PDT)

Received: from mail.sender.com (mail.sender.com [192.0.2.1])
    by mail-server-2.intermediate.com with ESMTP id ...
    for <youremail@gmail.com>;
    Tue, 10 Sep 2025 09:59:55 -0700 (PDT)

Here's how you would read this:

  1. Start at the bottom: The email originated from mail.sender.com.

  2. First Hop: It was sent to mail-server-2.intermediate.com.

  3. Second Hop: mail-server-2.intermediate.com then sent it to mail-server-3.recipient.com.

  4. Final Hop: Finally, mail-server-3.recipient.com delivered it to Google's mail server (mx.google.com), which then placed it in your inbox.

By following this process, you can gain a clear understanding of an email's journey and how it was handled by each server along the way.

Numero articolo Knowledge

005167069

 
Caricamento
Salesforce Help | Article