
How to Read Email Headers: A Tutorial for Non-Sysadmins

Published 2026-06-02

What email headers contain, how to view them in Gmail / Outlook / Apple Mail, and which fields actually tell you whether a message is legitimate.

What Headers Are

Every email has two parts: the body (what you read) and the headers (technical metadata about how the message got to you). Headers include the sender, the chain of mail servers the message passed through, authentication results, the original subject and date, and dozens of other fields. Most are invisible to you in your normal mail UI — you have to explicitly request the 'original' or 'raw' source view.

How to Show Headers

Gmail: open the message, click the three-dot menu (top right of the message), and pick 'Show original'. It opens in a new tab with parsed and raw views.

Outlook (web): open the message, click the three-dot menu, View → View message source.

Outlook (desktop): File → Properties → Internet Headers.

Apple Mail: View → Message → All Headers (or Cmd+Shift+H).

ProtonMail: open the message, click the three-dot menu, View headers.

The Fields That Matter

  • From: — what you see in your inbox. Can be spoofed if the sender's domain has no DMARC enforcement.
  • Return-Path: — the envelope sender, where bounces go. This is the SPF-checked address; it differs from From: when the message is sent via a third-party relay.
  • Received: — one of these per server hop. Read bottom-up (oldest first) to trace the path. Reveals the originating IP.
  • Authentication-Results: — the receiving server's verdict on SPF, DKIM, and DMARC. spf=pass dkim=pass dmarc=pass means the message is fully authenticated.
  • DKIM-Signature: — the cryptographic signature, including the signing domain (d=).
  • Message-ID: — unique identifier. Format <random>@<sender-domain>. If the domain here doesn't match the sender's, that's suspicious.
  • List-Unsubscribe: — for bulk mail, gives the unsubscribe URL (and increasingly, a One-Click mailto: per RFC 8058).

What to Check for Phishing

  1. Compare From: with the Return-Path:. If the visible From: is your bank but the Return-Path: is a random Gmail address, it's a forgery.
  2. Read Authentication-Results:. dkim=fail or dmarc=fail on a message from a major brand is a strong forgery signal.
  3. Trace Received: headers bottom-up. The originating server's IP and country are visible here. Mail from your bank should originate from your bank's mail servers, not a residential ISP in another country.
  4. Check that the Message-ID: domain matches the sender domain.

Reading Received: Headers

Each Received: header records one server-to-server handoff. The format is:

Received: from sending.example.com (sending.example.com [192.0.2.1]) by receiving.gmail.com with ESMTPS id ...; Mon, 02 Jun 2026 12:34:56 +0000

Read multiple Received: headers in reverse order (top of email = most recent hop = closest to you). The bottom-most Received: header is where the message entered the public mail system — that's the originating server.
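
The four checks from "What to Check for Phishing", combined with the bottom-up Received: reading described above, can be scripted with Python's standard email module. This is an added example, not code from the original tutorial; the sample headers are constructed using documentation-only domains and IP ranges, and the function names analyze and domain_of are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (documentation domains and IPs, not a real message).
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.receiver.example (mx.receiver.example [198.51.100.7])
 by inbox.receiver.example with ESMTPS id abc123; Mon, 02 Jun 2026 12:35:10 +0000
Received: from unknown.host.example (unknown.host.example [203.0.113.45])
 by mx.receiver.example with ESMTP id def456; Mon, 02 Jun 2026 12:34:56 +0000
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Message-ID: <20260602123456.1234@mailer.example.net>
Subject: Confirm your payment

body
"""

def domain_of(value):
    """Return the lowercased domain of an address-like header value, or ''."""
    addr = parseaddr(value or "")[1] or (value or "").strip("<> \t")
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # Verdicts recorded by the receiving server, e.g. {'spf': 'fail', ...}
    auth_hdr = msg.get("Authentication-Results", "")
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_hdr))
    # Each hop prepends its Received: line, so the last one is the oldest.
    hops = msg.get_all("Received", [])
    origin = re.search(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", hops[-1]) if hops else None
    findings = []
    if domain_of(msg["Return-Path"]) != from_dom:  # a signal, not proof (relays differ too)
        findings.append("return-path-mismatch")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")
    if domain_of(msg["Message-ID"]) != from_dom:
        findings.append("message-id-mismatch")
    return {"from": from_dom, "origin_ip": origin.group(1) if origin else None,
            "findings": findings}

if __name__ == "__main__":
    print(analyze(RAW))
```

Only the Received: lines added by your own mail provider are trustworthy; anything below them was written by upstream servers and can be forged by the sender, so treat the reported origin IP as a lead rather than a fact.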

Worked Example: Spotting a Phishing Email

You receive what looks like a PayPal notification asking you to confirm a payment. View headers. You see:

Verdict: spoofed. The visible From: is forged. The actual envelope sender is a Russian mail service. Authentication failed across the board. Delete and report.

Tools That Parse Headers for You

  • mxtoolbox.com/EmailHeaders.aspx — paste headers, get an annotated breakdown
  • messageheader.azurewebsites.net — Microsoft's official analyser
  • headers.google.app — Google's tool, also free
