How to Interpret Email
Tracing the edges of your email, hiding from untrained eyes, are the
fingerprints of Simple Mail Transfer Protocol ... the headers. Email headers
contain quite a bit of information about a message that is not apparent at
first glance. I can't guarantee that you'll be in there with the experts,
but if you would like to learn a little more about where your email has
been, and who really sent it, allow me to show you the basics of what your
email headers may contain.
Basic Mail Headers The following is a simple message header, the address
label of an email message. It only contains the most basic information of an
email message: who the message is from, to whom the message was sent,
possibly a subject line indicating what the message is about, and the
time-stamp of when the message was written.
Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST) To: MindSpring Technical
Support Desk firstname.lastname@example.org From: email@example.com Subject:
Reading Mail Headers Cc: firstname.lastname@example.org
Date: Mon, 24 Feb 1997 19:30:34 -0500(EST)
Like most basic email headers, this one is pretty self-explanatory. It
just indicates when the message was written. But what you may not know is
that the information in the Date: line is supplied by the time on the
sender's computer, which may or may not be set correctly. Also, the Date:
line does not normally indicate when the message was sent, but only when it
was written. In this example, the email message from which this header was
taken was written on Monday, February 24th 1997, at approximately 7:30pm
Eastern Standard Time (EST). The format of this line will vary depending on
which email client the sender uses to compose the message.
To: MindSpring Technical Support Desk<email@example.com>
The To: line is used to indicate the primary person or persons the mail
message is intended for. Usually a name will precede the actual address,
though this is certainly not required. The To: line may also contain more
than one address, each separated by commas. In this case, the mail will be
delivered to each address listed in this line, as well as the Cc: line and
the otherwise invisible Bcc: line (see Cc: and Bcc:) There really is no
functional difference between an address contained in the Cc: or To: lines
of an email message.
The From: line indicates who the message is from. Pretty simple.
Subject: Reading Mail Headers
The Subject: line is used to provide a short description of what the
message is about.
The Cc: , or Carbon Copy, line of an email message is used to list all of
the people who were sent a copy of the mail message. This line may contain
one or more addresses, each separated by a comma. Or, it may not contain
anything at all. In this example, the Cc: line contains the same address as
the From: -- I just wanted to send a copy of the mail to myself for my own
If this message had been Bcc' d to another address, you would not know it
from the headers of the received message. This is because Bcc stands for
Blind Carbon Copy -- the mail server actually removes this header line right
before it delivers it. So if you ever get a message delivered to your
mailbox, but do not see your address anywhere in either the To: or the Cc:
lines, it was probably sent to you via a Blind Carbon Copy. This is common
way of sending mail to large numbers of recipients without showing everyone
who the message was actually sent to or to keep the headers from scrolling
on for pages and pages on your screen.
Extended Mail headers Sample "extended" email header
Return-Path: firstname.lastname@example.org Received: from
mailmule0.mindspring.com (mailmule0.mindspring.com [184.108.40.206]) by
mailgrunt1.mindspring.com (8.7.4/8.7.3) with ESMTP id TAA09377 for <email@example.com>;
Mon, 24 Feb 1997 19:30:43 -0500 (EST) Received: from LOCALNAME
(user-37kb512.dialup.mindspring.com [220.127.116.11]) by
mailmule0.mindspring.com (8.8.4/8.8.4) with SMTP id TAA00875; Mon, 24 Feb
1997 19:30:34 -0500 (EST) Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)
Message-Id: firstname.lastname@example.org X-Sender:
email@example.com X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Organization: MindSpring Enterprises Mime-Version: 1.0 Content-Type:
text/plain; charset="us-ascii" To: MindSpring Technical Support Desk
<firstname.lastname@example.org> From: email@example.com Subject: Reading Mail
Headers Cc: firstname.lastname@example.org
Your email client will automatically refer to this header line to
determine which address to use when replying, or by the mail server when
bouncing back undeliverable mail messages or mailer-daemon error messages.
Some mail clients will use variations which might include: Return-Errors-To:
Received: frommailmule0.mindspring.com (mailmule0.mindspring.com
[18.104.22.168]) bymailgrunt1.mindspring.com (8.7.4/8.7.3) with ESMTP id
TAA09377 for email@example.com; Mon, 24 Feb 1997 19:30:43 -0500 (EST)
A section is added to this field by each host service that relays the
message. Received: lines are read from bottom to top, the higher received
lines being the most recent to have been added. While not terribly
interesting to the casual user, the information in the Received: field can
be quite useful for tracing mail routing problems. The names of the sending
and receiving hosts and time-of-receipt may be specified.
The example above shows four pieces of useful information (reading from
back to front, in order of decreasing reliability):
The host that added the Received line - mailgrunt1.mindspring.com
The host/IP address of the incoming SMTP connection -
The reverse-DNS lookup of that IP address - 22.214.171.124
The name the sender used in the SMTP HELO command when they connected -
In short, mailmule0.mindspring.com passed the mail on to
mailgrunt1.mindspring.com for final delivery to <firstname.lastname@example.org> at
approximately 5:30 pm EST on Monday, February 24th.
Received: from LOCALNAME (user-37kb512.dialup.mindspring.com
[126.96.36.199]) by mailmule0.mindspring.com (8.8.4/8.8.4) with SMTP id
TAA00875; Mon, 24 Feb 1997 19:30:34 -0500 (EST)
This is actually the first Received: line. It indicates that the mail
message originated from a MindSpring dial-up PPP account with IP address
188.8.131.52. The mail server that eventually accepted the message was
mailmule0.mindspring.com , which was using SendMail version 8.8.4, a UNIX
mail delivery agent. The mail server also stamped the header with the actual
time it received the message. Note that the time indicated is a few seconds
before the header line above it.
Organization: MindSpring Enterprises
This line is used to identify the organization (or lack there of!) of the
sender. Typically the default configuration for your mail settings is going
to be "MindSpring Enterprises" but you can easily change this to something
more personal to your family or specific to your business.
Every mail message is assigned a unique Message-Id which helps your email
client, as well as mail server, to keep track of the status of a message,
and thought it looks like an email address, it really isn't. Generally this
information is of no use to you and only matters to the mail server. For
example, if you have Eudora configured to leave a copy of your email on the
mail server, the next time you check your mail, your email client will first
compare the message id's to determine if it has already seen a message, and
if it should download another copy of it or just skip it. Message-Id's are
also logged in special mail logs which can be called on by your system
administrators (in this case "postmasters") when trying to troubleshoot
technical issues like mail loops or forged mail messages.
Some email clients will include a X-Sender header to add another layer of
authentication to a mail message. In the example, Eudora uses information
supplied in its configurations settings. X- headers may be thought of as "X-tra"
information and are more or less X-traneous comments. They do not impact the
normal delivery process of the mail.
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Some email clients will add this header line to indicate the make and
version of the software used to send the message. In this case, the mailer
used was the 16 bit version 1.5.4 of Eudora Light for Windows, the email
client MindSpring currently ships with its software. If I had sent the mail
from Netscape's Mozilla mail program, the X-Mailer might have looked
something like this:
X-Mailer: Mozilla 3.01 (Win95; I)
Not all email clients include an X-Mailer header.
MIME-compatible email clients look for this line when first determining
what to do with attachment files-- if MIME attachments are included, email
clients first be sure they understand compatible MIME types. For those of
you obsessed with acronyms, MIME stands for Multipurpose Internet Mail
Extensions. It is an Internet standard for transferring non-textual data
through email. MIME is what makes it possible to exchange graphic documents
and multimedia files across systems.
This line tells the receiving email client exactly what MIME type or
types are included in the mail message. As long as the MIME-type referenced
is compatible with the mail program it should have no problems automatically
decoding the attachments. In the example above, [text/plain; charset="us-ascii"]
just tells us that the message contains a regular ASCII text message.
Resources Well, that about covers the basics of reading email headers.
Those of you who are curious about the messy details of mail and news
headers might be interested in the following World Wide Web sites:
"Figuring Out Fake Email & News Posts" (AKA "The Spam FAQ") Information
on deciphering the origins of unwanted email...
"Standard for the Format of ARPA Internet Text Messages" (RFC 822)
Request for Comments-- official documentation of Internet Protocols and
© 2000 EarthLink, Inc.