
How to locate your email header?

To trace an email, you'll need to locate the email header that came with it. Every email has an email header and a message body. An email may pass through a number of hops, and at each hop the IP address of the email server processing the email is appended to the header. When an email reaches its final destination, your email provider appends its IP address to the header. The IP address of the very first header added to the email is the IP address of the sender's mail server.

What is an email header?

The email header contains information about the email such as the sender, recipient(s), subject, arrival date/time, attachments, and the routing path of the email message from the sender to the recipient. Not every email has a proper email header that allows you to trace it back to the original sender.

Here is an example of an email header originating from Microsoft. Each time a mail transfer agent (known as an MTA, or email server) receives an email, it adds its information on top of the header. Hence, the IP shown at the very bottom of the email header represents the sender's IP address.

    Delivered-To: john.doe@example.com
    Received: by 10.202.232.68 with SMTP id f65csp2602281oih;
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
    X-Received: by 10.50.62.20 with SMTP id u20mr25840125igr.26.1450801044377;
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
    Return-Path:
    Received: from BAY004-OMC3S24.hotmail.com (bay004-omc3s24.hotmail.com. [65.54.190.162])
        by mx.google.com with ESMTPS id t8si952088igr.55.2015.12.22.08.17.24
        for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
    Received-SPF: pass (google.com: domain of account-security-noreply@account.microsoft.com designates 65.54.190.162 as permitted sender) client-ip=65.54.190.162;
    Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of account-security-noreply@account.microsoft.com designates 65.54.190.162 as permitted sender) smtp.mailfrom=account-security-noreply@account.microsoft.com;
        dmarc=pass (p=NONE dis=NONE) header.from=account.microsoft.com
    Received: from BN3SCH030020417 ([65.54.190.187]) by BAY004-OMC3S24.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
        Tue, 22 Dec 2015 08:17:23 -0800
    Message-ID:
    X-Message-Routing: sKFde7CS5BHygFZaC4gFZWeHmOM+Rjf1iOmv8meDbQqeD+9kHFgbAflrz5UYy6v/Ov/vRliTx0
        hzi7ScTgwYCoH5DCnx80ifLw1+UJscClllWmb1w9Xha20ZpA1FACKOFiTsUdXl1Aqm3+JPmK0RI6hYQrw==
    Return-Path: account-security-noreply@account.microsoft.com
    From: Microsoft account team
    To: john.doe@example.com
    Date: Tue, 22 Dec 2015 08:17:22 -0800
    Subject: Verify your email address
    X-Priority: 3
    X-MSAPipeline: MessageDispatcher
    Message-ID:
    X-MSAMetaData: =?us-ascii?q?DY*HXqLmIK0rEk7b!0rzX65zXHsqI7KLnJbGbRE1AnoYvelEb8MEYnKPcCiik?=
        =?us-ascii?q?wfE7K5*ZmWi3Lm!mp*2RUetzPkAiqPj7rN*pqYv6XoQlL!o7GANXVLSjHVCHM?=
        =?us-ascii?q?RDnW5sPA$$?=
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="=-Z4j6WgWpSqKaqHSnDy3lYw=="
    X-OriginalArrivalTime: 22 Dec 2015 16:17:23.0890 (UTC) FILETIME=[3DDA3920:01D13CD4]

Routing Path and IP addresses of the MTA

As shown in the example email header above, each time an email server (or MTA) receives an email, it adds a Received header with its IP address and a timestamp. In the example above, there are 3 Received headers, as shown below.

    Received: by 10.202.232.68 with SMTP id f65csp2602281oih;
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
    Received: from BAY004-OMC3S24.hotmail.com (bay004-omc3s24.hotmail.com. [65.54.190.162])
        by mx.google.com with ESMTPS id t8si952088igr.55.2015.12.22.08.17.24
        for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
    Received: from BN3SCH030020417 ([65.54.190.187]) by BAY004-OMC3S24.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
        Tue, 22 Dec 2015 08:17:23 -0800

The sender's email server IP address is the one at the very bottom, which is 65.54.190.187 in the example above.
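The bottom-up reading described above can be automated. The following Python sketch is an added example, not code from the original post: it walks the Received headers oldest-first and reports the first publicly routable IP address. The function names `received_hops` and `first_public_ip` are hypothetical, and the sample message is a constructed, abridged copy of the three headers shown above.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the three Received headers from the example above,
# re-folded and abridged (TLS and SMTPSVC details trimmed).
RAW = """\
Delivered-To: john.doe@example.com
Received: by 10.202.232.68 with SMTP id f65csp2602281oih;
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
Received: from BAY004-OMC3S24.hotmail.com (bay004-omc3s24.hotmail.com. [65.54.190.162])
        by mx.google.com with ESMTPS id t8si952088igr.55.2015.12.22.08.17.24;
        Tue, 22 Dec 2015 08:17:24 -0800 (PST)
Received: from BN3SCH030020417 ([65.54.190.187])
        by BAY004-OMC3S24.hotmail.com over TLS secured channel;
        Tue, 22 Dec 2015 08:17:23 -0800
Subject: Verify your email address

(body omitted)
"""

def received_hops(raw):
    """Return the Received hops oldest-first (bottom of the header first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Unfold the header, then split the routing clauses from the timestamp.
        route, _, stamp = " ".join(value.split()).rpartition(";")
        peer = re.search(r"\bfrom\b.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", route)
        by = re.search(r"\bby (\S+)", route)
        try:
            ip = ipaddress.ip_address(peer.group(1)) if peer else None
        except ValueError:
            ip = None  # bracketed text that is not an IP literal
        hops.append({"from_ip": ip, "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops

def first_public_ip(raw):
    """IP recorded by the oldest hop that names a globally routable peer."""
    for hop in received_hops(raw):
        if hop["from_ip"] is not None and hop["from_ip"].is_global:
            return str(hop["from_ip"])
    return None

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW), 1):
        print(n, hop["from_ip"], "->", hop["by"], hop["time"].isoformat())
    print("sender's server:", first_public_ip(RAW))
```

Received lines written by servers outside your provider's control can be forged, so treat the lowest entries as a claim to verify rather than as proof. The entry added by your own provider's server is the one you can rely on.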

Where is the email header?

To send and receive emails, we use email clients such as Outlook and Thunderbird. With the proliferation of free email providers, many of us use the webmail interfaces provided by Gmail, Yahoo, and Hotmail. Each client and webmail interface offers a different means of retrieving an email header.

Gmail Web Client

Use the instructions below to view the email header of a Gmail message.

  • Open the email message whose header you want to view.
  • Click on the down arrow next to the Reply link on the right-hand side.
  • Select Show Original to open a popup window with full header and body text.

Yahoo Web Client

Use the instructions below to view the email header of a Yahoo message.

  • Open the email message whose header you want to view.
  • Click on the down arrow next to the More link.
  • Select View Full Header to open a popup window with full header.

Outlook Webmail Client

Use the instructions below to view the email header of an Outlook message.

  • Open the email message whose header you want to view.
  • Click on the three dots (...) next to the Forward link on the right-hand side.
  • Select View Message Details to open a popup window with full header.
