All email messages are text files sent over SMTP—a store-and-forward, and so delay-tolerant protocol. The email messages themselves are text files with a specialized function and as a result a specialized format (not all text files are valid email messages).
An email message consists of two major sections, the message header and the message body. A typical example email message might be around 1000 lines of text (with around 50,000 characters). The header would likely be 80-90 lines.
What Can I Learn from Email Headers?
Header information is written when the email message is first created, and more is appended as the message is processed from node to node, so the headers can provide a lot of information about what has happened to an email message as it has travelled, such as:
- Processing times and delays in "hops" along the message's path from origin to final destination.
- Email authentication checks, such as SPF, DKIM etc.
- Proprietary email scoring and categorization by the recipient’s email environment.
- Information in the Email Header
- Header Analysis
- Tracing a Message's Path
Email header data takes the form of key-value pairs: a data type that includes a group of key identifiers and a set of associated values. Each field has a name (field name or header field name), which is followed by the separator character ":", and a value (field body or header field body).
In an email, the body (content text) is always preceded by header lines that identify routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the From, To, and Date headers. Others are optional, but very commonly used, such as Subject and CC.
Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message. In other words, any time a message is transferred from one node to another the message is date/time stamped by a mail transfer agent (MTA). This date/time stamp, like From, To, and Subject, becomes one of the many headers that precede the body of an email.
From: The email address, and the name of the author(s). This is determined in your Email Send record by the choices you make in the FROM section shown below.
Date: The local time and date when the message was written. Like the From field, this is filled in automatically when sending, and would reflect the actual time of sending if using an Email Send scheduled to go out at a later time. The recipient's client may then display the time in the format and time zone local to them.
To: The email address(es), and optionally name(s) of the message's recipient(s). Indicates primary recipients (not CC or BCC recipients).
Subject: A brief summary of the topic of the message. Certain abbreviations are commonly used in the subject, including "RE:" and "FW:", but these are not part of any email protocol; they are simply convention.
Content-Type: Information about how the message is to be displayed, usually a MIME type. This is handled automatically for email messages sent via the ClickDimensions solution.
Message-ID: Also an automatically generated field; used to prevent multiple delivery and for reference in In-Reply-To headers.
X-headers are email headers that are added into the email in addition to the standard headers, such as the To, From, and Subject, according to the specific needs of the sender. Mailbox providers also add X-headers to email for things such as SPF, DKIM and DMARC authentication results, spam filter information, and more. X-headers have traditionally started with an X to denote that the value is experimental or an extension of the standard header. This means any header key that starts with "X-" probably relates to processing by proprietary systems and adheres to little standardization.
Since the headers of an email message, just like the entire message, are lines of text, they can be read in almost any text file editor, such as Notepad on Windows, or TextEdit on macOS. However, while all the headers in an email message are human-readable, they are concise and not always clear. There are a variety of free tools that can be found on the web that will help analyze these headers. They make any research of email delivery of messages far easier and should be used as a starting point for header analysis before examining individual headers line-by-line.
Commonly Used Analysis Tools
- G Suite Toolbox Messageheader
Probably the best all-round tool. It will quickly and accurately point out issues with SPF, DKIM and DMARC. Although it will not show all the hops in an email message's transmission, it will highlight longer processing times and delays.
- Microsoft Message Header Analyzer
Designed to help Exchange environment admins, it will be very helpful if the email message that is being analyzed was accessed via Outlook 2007, 2013, or 2016, or newer versions. So if the recipient has an Office 365/Exchange email account, very often seen in corporate environments, you can easily see two Microsoft proprietary scores, the Spam and Bulk Confidence Levels.
- Spam Confidence Level
When an email message goes through Exchange/Office365 spam filtering it is assigned a spam score. That score is mapped to an individual Spam Confidence Level (SCL) rating and recorded in an X-header.
- Bulk Complaint Level
The BCL proprietary score from Microsoft uses both Microsoft-internal and third-party sources to identify bulk mail and determine the appropriate BCL.
- MXToolbox Email Header Analyzer
Although not as accurate in analysis as the previous two, this can still be useful for calculating processing times or actual delays when an email message has been sent.
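The checks these tools report can also be read straight from the header text. The following is an added example, not code from the original article or from any of the tools above: it reads the SPF, DKIM and DMARC verdicts only from the Authentication-Results line stamped by a server you name as trusted (any other such line could have been written before the message reached you), and pulls the SCL and BCL values. The header names X-Forefront-Antispam-Report and X-Microsoft-Antispam are the ones Microsoft documents for Exchange Online rather than names given on this page; `trusted_authserv_id`, the hosts and all values are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample. The second Authentication-Results line carries a
# different server name (authserv-id) and was not added by our own server.
SAMPLE = """\
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=news.example.com;
\tdkim=fail header.d=news.example.com;
\tdmarc=fail header.from=example.com
Authentication-Results: relay.example.net; spf=pass; dkim=pass; dmarc=pass
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;SCL:5;SFV:SPM;
X-Microsoft-Antispam: BCL:6;
From: sender@example.com
Subject: constructed sample

body text
"""

def auth_summary(raw, trusted_authserv_id):
    """Return (verdicts, scores) using only headers stamped by the trusted server."""
    msg = message_from_string(raw)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.split()[:1] != [trusted_authserv_id]:
            continue  # stamped by some other system: do not rely on it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            # the topmost (most recently added) trusted verdict wins
            verdicts.setdefault(method.lower(), result.lower())
    scores = {}
    for header, key in (("X-Forefront-Antispam-Report", "SCL"),
                        ("X-Microsoft-Antispam", "BCL")):
        found = re.search(rf"\b{key}:(-?\d+)", msg.get(header, ""))
        if found:
            scores[key] = int(found.group(1))
    return verdicts, scores

if __name__ == "__main__":
    print(auth_summary(SAMPLE, "mx.example.org"))
```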
Getting the headers from the message itself
Headers as copiable text, or the entire email message file containing the headers, can be exported from most email and webmail client user interfaces.
You can gather the headers from an email message in recent versions of Outlook, by opening the email message in its own window. Double-click on the message in the list of messages between the Folder Pane and the Reading Pane.
Then select File > Properties, and the bottom of the Properties window will have a section marked Internet Headers.
The simplest way to grab them as copiable text is to place the cursor in the header text and use the keyboard shortcut Ctrl-A, and then Ctrl-C, to place all the headers in the clipboard.
In Gmail, navigate to the vertical ellipsis on the right of the toolbar as you view the email message in question. Hovering over it with the mouse will show the More tooltip.
Click the vertical ellipsis, and select the Show original option.
You’ll then have access to a new tab that will show a breakdown of the header information including whether Gmail saw a PASS or FAIL for SPF, DKIM and DMARC authentication, and the complete text of the email message’s headers available as selectable text.
Drag the email message from the list of messages (see below) . . .
. . . to the desktop, and it will drop as a .eml file. Although this has the .eml file extension, and will usually open by default as an email message in a client program such as Apple Mail or Microsoft Outlook, it can also be opened in any text editing program.
Alternatively, click View > Message > All Headers, and you’ll have access to all the headers as selectable text.
Email client software on mobile devices is usually designed to provide only very basic header information (such as From and Subject), and will usually have no way to extract the full headers. You'll need to access the same mailbox on a Mac or PC.
SMTP defines the transit information of a message, which is also saved in the header using the following two fields:
Received: When an SMTP server accepts a message it inserts this trace record at the top of the header (last to first).
Return-Path: When the delivery SMTP server makes the final delivery of a message, it inserts this field in the header (frequently at the top).
Other fields that are added on top of the header by the receiving server may be called trace fields. See example below.
Besides the most common identifications (From, To, Date, Subject) mentioned earlier, email headers also provide information on the route an email takes as it is transferred from one computer to another. Mail Transfer Agents (MTAs) perform the task of actually moving email messages from place to place.
When an email is sent from one computer to another it travels through an MTA. Each time an email is sent or forwarded by the MTA, it is stamped with a date, time, and recipient. Some emails, if they have had several destinations, may have several Received headers as there have been multiple recipients since the origination of the email. This is much like the way the post office routes a letter: every time the letter passes through a post office on its route, or is forwarded on, it receives a stamp. In this case the stamp is an email header entry. If the sender has employed DKIM then the information in the headers can be relied upon to be accurate.
The header analysis tools mentioned earlier are very good for visualizing all the steps recorded in the Received headers, and will usually clearly show delays, or longer processing times, for each hop on the journey. It is possible to follow the headers manually, as the dates and times are written out in a human-readable format, although great care must be taken with email that crosses time zones (which can happen very often), as the date/time stamp should be recorded with the relevant time-zone data.
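Following the Received headers by hand, as described above, comes down to reading them bottom-up and converting every stamp to one time zone before subtracting. This added example (not from the original article) does that over a constructed message; the hosts, addresses and times are made up, and `trace_hops` is a hypothetical helper name. Only the Received lines written by servers you operate or trust are known to be reliable; lines further down are whatever upstream systems wrote.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (reserved example domains and addresses).
# The newest Received line is at the top; each hop uses its own time zone.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby inbox.example.org with ESMTPS id abc123;
\tTue, 05 Mar 2024 09:02:31 -0500
Received: from relay.example.com (relay.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id def456;
\tTue, 05 Mar 2024 14:00:12 +0000
Received: from app.example.com (localhost [127.0.0.1])
\tby relay.example.com with ESMTP id ghi789;
\tTue, 05 Mar 2024 15:00:05 +0100
From: sender@example.com
To: rcpt@example.org
Subject: constructed sample
Date: Tue, 05 Mar 2024 15:00:03 +0100

body text
"""

def trace_hops(raw):
    """Return (receiving host, UTC time, seconds since previous hop), oldest first."""
    hops, previous = [], None
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        route, _, stamp = value.rpartition(";")  # the timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue                              # unparseable stamp: skip this hop
        if when.tzinfo is None:                   # "-0000": UTC with unknown local zone
            when = when.replace(tzinfo=timezone.utc)
        when = when.astimezone(timezone.utc)
        by = re.search(r"\bby\s+(\S+)", route)
        delay = (when - previous).total_seconds() if previous else None
        hops.append((by.group(1) if by else "?", when.isoformat(), delay))
        previous = when
    return hops

if __name__ == "__main__":
    for host, when, delay in trace_hops(SAMPLE):
        shown = "" if delay is None else f"{delay:+.0f}s"
        flag = "  <-- negative: clock skew or unreliable stamp" if (delay or 0) < 0 else ""
        print(f"{when}  {host:20} {shown}{flag}")
```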
The body of an email message contains the text that is the actual content. It is distinct from the headers, and it does not contain the kind of information that you can analyze in the headers; you will not want to copy body information into any of the analysis tools mentioned above.
The message body also may include signatures or automatically-generated text that is inserted by the sender's email system. The body is a free-form field that lets you insert as much text as you want within file size limits (see below), and add supporting links, images, or attachments (though attachments are usually displayed separately).
When you send an email message, you're not limited in terms of how much text you can use. However, email servers do have limits on how big a message they will accept in terms of the file size of the complete text file. Common maximum sizes for email bodies, including attachments, are 18-50 MB.
The body is not typically altered after initial creation, while the message is being transmitted from source to destination, and so is unlikely to be useful for troubleshooting the sorts of issues for which you'll analyze email headers: email delay or delivery issues. Like any text file, the body can be changed though.
Not actually a header, or part of the header, the pre-header can be edited in an Email Send, but as this is part of the Body of the email it can be safely ignored along with the rest of the Body of the email message when analyzing transit and transmission of the message.