Email Header Search


What is an Email Header?

Every email message consists of two parts, the body and the header. The header can be thought of as the envelope of the message, containing the address of the sender, the recipient, the subject and other information. The body contains the actual text and the attachments. Some header information usually displayed by your email program includes:

From: The sender’s name and email address
To: The recipient’s name and email address
Date: The date when the message was sent
Subject: The subject line

How do I get my email program to reveal the full, unmodified email header?

It depends on your email software. Here are instructions for some of the more popular programs:

Zimbra
Outlook 97
Outlook 98 and 2000
Outlook Express 4, 5 and 6
Outlook Express for Macintosh
Microsoft Exchange
Microsoft Entourage (Office X for Mac)
Mac OS X
Netscape
Eudora
Lotus Notes (v.4.x and v.5.x)
Lotus Notes (v.6.x)
StarOffice
Novell Groupwise
Hotmail
Yahoo Mail
Excite web-mail
Netscape Webmail
Lycos Mail (mailcity.com)
Outlook Web Access


How to Interpret Email Headers

Tracing the edges of your email, hiding from untrained eyes, are the fingerprints of Simple Mail Transfer Protocol … the headers. Email headers contain quite a bit of information about a message that is not apparent at first glance. We can’t guarantee that you’ll be in there with the experts, but if you would like to learn a little more about where your email has been, and who really sent it, allow us to show you the basics of what your email headers may contain.


Basic Mail Headers

The following is a simple message header, the address label of an email message. It only contains the most basic information of an email message: who the message is from, to whom the message was sent, possibly a subject line indicating what the message is about, and the time-stamp of when the message was written.

Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)
To: Etomicmail Technical Support Desk <support@etomicmail.com>
From: mailbox@etomicmail.com
Subject: Reading Mail Headers
Cc: mailbox@etomicmail.com

Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)

Like most basic email headers, this one is pretty self-explanatory. It just indicates when the message was written. But what you may not know is that the information in the Date: line is supplied by the time on the sender’s computer, which may or may not be set correctly. Also, the Date: line does not normally indicate when the message was sent, but only when it was written. In this example, the email message from which this header was taken was written on Monday, February 24th 1997, at approximately 7:30pm Eastern Standard Time (EST).

The format of this line will vary depending on which email client the sender uses to compose the message.

To: Etomicmail Technical Support Desk <support@etomicmail.com>
The To: line is used to indicate the primary person or persons the mail message is intended for. Usually a name will precede the actual address, though this is certainly not required. The To: line may also contain more than one address, each separated by commas. In this case, the mail will be delivered to each address listed in this line, as well as the Cc: line and the otherwise invisible Bcc: line (see Cc: and Bcc:). There really is no functional difference between an address contained in the Cc: or To: lines of an email message.

From: mailbox@etomicmail.com
The From: line indicates who the message is from. Pretty simple.

Subject: Reading Mail Headers
The Subject: line is used to provide a short description of what the message is about.

CC: mailbox@etomicmail.com
The CC: or Carbon Copy, line of an email message is used to list all of the people who were sent a copy of the mail message. This line may contain one or more addresses, each separated by a comma. Or, it may not contain anything at all. In this example, the Cc: line contains the same address as the From: — I just wanted to send a copy of the mail to myself for my own records.

(Bcc:)
If this message had been Bcc’d to another address, you would not know it from the headers of the received message. This is because Bcc stands for Blind Carbon Copy — the mail server actually removes this header line right before it delivers it. So if you ever get a message delivered to your mailbox, but do not see your address anywhere in either the To: or the Cc: lines, it was probably sent to you via a Blind Carbon Copy. This is a common way of sending mail to large numbers of recipients without showing everyone who the message was actually sent to or to keep the headers from scrolling on for pages and pages on your screen.


Extended Mail headers

Sample “extended” email header:
Return-Path: mailbox@etomicmail.com
Received: from mailmule0.etomicmail.com (mailmule0.etomicmail.com [204.180.128.191])
    by mailgrunt1.etomicmail.com (8.7.4/8.7.3) with ESMTP id TAA09377
    for <mailbox@etomicmail.com>; Mon, 24 Feb 1997 19:30:43 -0500 (EST)
Received: from LOCALNAME (user-37kb512.dialup.etomicmail.com [207.69.148.34])
    by mailmule0.etomicmail.com (8.8.4/8.8.4) with SMTP id TAA00875;
    Mon, 24 Feb 1997 19:30:34 -0500 (EST)
Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)
Message-Id: 1.5.4.16.19970224193529.22e79a46@pop.etomicmail.com
X-Sender: mailbox@pop.etomicmail.com
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Organization: Etomicmail Enterprises
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Etomicmail Technical Support Desk <support@etomicmail.com>
From: mailbox@etomicmail.com
Subject: Reading Mail Headers
Cc: mailbox@etomicmail.com

Return-Path: mailbox@etomicmail.com
This header line is referred to automatically by your email client to determine which address to use when replying, and by the mail server when bouncing back undeliverable mail messages or mailer-daemon error messages. Some mail clients will use variations, which might include Return-Errors-To: or Reply-To:

Received: from mailmule0.etomicmail.com (mailmule0.etomicmail.com [204.180.128.191]) by mailgrunt1.etomicmail.com (8.7.4/8.7.3) with ESMTP id TAA09377 for <mailbox@etomicmail.com>; Mon, 24 Feb 1997 19:30:43 -0500 (EST)

A section is added to this field by each host service that relays the message. Received: lines are read from bottom to top, the higher received lines being the most recent to have been added. While not terribly interesting to the casual user, the information in the Received: field can be quite useful for tracing mail routing problems. The names of the sending and receiving hosts and time-of-receipt may be specified.

The example above shows four pieces of useful information (reading from back to front, in order of decreasing reliability):

  1. The host that added the Received line – mailgrunt1.etomicmail.com
  2. The host/IP address of the incoming SMTP connection – mailmule0.etomicmail.com
  3. The reverse-DNS lookup of that IP address – 204.180.128.191
  4. The name the sender used in the SMTP HELO command when they connected – mailmule0.etomicmail.com

In short, mailmule0.etomicmail.com passed the mail on to mailgrunt1.etomicmail.com for final delivery to <mailbox@etomicmail.com> at approximately 5:30 pm EST on Monday, February 24th.

Received: from LOCALNAME (user-37kb512.dialup.etomicmail.com [207.69.148.34]) by mailmule0.etomicmail.com (8.8.4/8.8.4) with SMTP id TAA00875; Mon, 24 Feb 1997 19:30:34 -0500 (EST)

This is actually the first Received: line. It indicates that the mail message originated from an Etomicmail dial-up PPP account with IP address 207.69.148.34. The mail server that eventually accepted the message was mailmule0.etomicmail.com, which was using SendMail version 8.8.4, a UNIX mail delivery agent. The mail server also stamped the header with the actual time it received the message. Note that the time indicated is a few seconds before the header line above it.
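The route described by the two Received: lines above can be recovered mechanically. The following Python code is an added example, not part of the original page: it parses the page's sample header, lists the hops oldest-first, and notes where the sender-supplied HELO name differs from the reverse-DNS name recorded by the receiving server. The names received_hops and audit, and the message body, are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# The page's sample extended header, one field per line (continuation
# lines indented). The body line is constructed.
SAMPLE = """\
Return-Path: mailbox@etomicmail.com
Received: from mailmule0.etomicmail.com (mailmule0.etomicmail.com [204.180.128.191])
    by mailgrunt1.etomicmail.com (8.7.4/8.7.3) with ESMTP id TAA09377
    for <mailbox@etomicmail.com>; Mon, 24 Feb 1997 19:30:43 -0500 (EST)
Received: from LOCALNAME (user-37kb512.dialup.etomicmail.com [207.69.148.34])
    by mailmule0.etomicmail.com (8.8.4/8.8.4) with SMTP id TAA00875;
    Mon, 24 Feb 1997 19:30:34 -0500 (EST)
Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)
From: mailbox@etomicmail.com
Subject: Reading Mail Headers

(constructed body)
"""

# from <HELO name> (<reverse-DNS name> [<connecting IP>]) by <stamping host>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return one dict per Received: field, oldest hop first.

    Each relay prepends its field, so the order in the message is reversed.
    """
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        hop = m.groupdict() if m else dict(helo=None, rdns=None, ip=None, by=None)
        # The timestamp follows the last ';' and is written by the receiving host.
        _, sep, stamp = flat.rpartition(";")
        hop["time"] = parsedate_to_datetime(stamp) if sep else None
        hops.append(hop)
    return hops


def audit(raw):
    """List observations worth checking before trusting the recorded route."""
    hops, notes = received_hops(raw), []
    for i, hop in enumerate(hops):
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            notes.append(f"hop {i}: HELO '{hop['helo']}' differs from rDNS '{hop['rdns']}'")
        if i and hops[i - 1]["by"] != (hop["rdns"] or hop["helo"]):
            notes.append(f"hop {i}: sender is not the host that stamped hop {i - 1}")
        if i and hop["time"] and hops[i - 1]["time"] and hop["time"] < hops[i - 1]["time"]:
            notes.append(f"hop {i}: timestamp earlier than previous hop")
    date = message_from_string(raw)["Date"]
    if date and hops and hops[0]["time"]:
        # Date: comes from the sender's clock; the Received: stamp from the server's.
        skew = (hops[0]["time"] - parsedate_to_datetime(date)).total_seconds()
        notes.append(f"Date: header vs first Received: {skew:+.0f}s")
    return notes


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print(audit(SAMPLE))
```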

Organization: Etomicmail Enterprises

This line is used to identify the organization (or lack thereof!) of the sender. Typically the default configuration for your mail settings is going to be “Etomicmail Enterprises” but you can easily change this to something more personal to your family or specific to your business.

Message-Id: 1.5.4.16.19970224193529.22e79a46@pop.etomicmail.com

Every mail message is assigned a unique Message-Id which helps your email client, as well as the mail server, to keep track of the status of a message, and though it looks like an email address, it really isn’t. Generally this information is of no use to you and only matters to the mail server. For example, if you have Eudora configured to leave a copy of your email on the mail server, the next time you check your mail, your email client will first compare the message id’s to determine if it has already seen a message, and if it should download another copy of it or just skip it. Message-Id’s are also logged in special mail logs which can be called on by your system administrators (in this case “postmasters”) when trying to troubleshoot technical issues like mail loops or forged mail messages.

X-Sender: mailbox@pop.etomicmail.com
Some email clients will include an X-Sender header to add another layer of authentication to a mail message. In the example, Eudora uses information supplied in its configuration settings. X- headers may be thought of as “X-tra” information and are more or less X-traneous comments. They do not impact the normal delivery process of the mail.

X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Some email clients will add this header line to indicate the make and version of the software used to send the message. In this case, the mailer used was the 16 bit version 1.5.4 of Eudora Light for Windows, the email client Etomicmail currently ships with its software. If I had sent the mail from Netscape’s Mozilla mail program, the X-Mailer might have looked something like this:

X-Mailer: Mozilla 3.01 (Win95; I)
Not all email clients include an X-Mailer header.

Mime-Version: 1.0
MIME-compatible email clients look for this line when first determining what to do with attachment files – if MIME attachments are included, email clients first make sure they understand the MIME types involved. For those of you obsessed with acronyms, MIME stands for Multipurpose Internet Mail Extensions. It is an Internet standard for transferring non-textual data through email. MIME is what makes it possible to exchange graphic documents and multimedia files across systems.

Content-Type: text/plain; charset="us-ascii"
This line tells the receiving email client exactly what MIME type or types are included in the mail message. As long as the MIME-type referenced is compatible with the mail program it should have no problems automatically decoding the attachments. In the example above, [text/plain; charset="us-ascii"] just tells us that the message contains a regular ASCII text message.



EMAIL CLIENT SOFTWARE

Here are instructions for viewing the full, unmodified headers on some of the more popular email clients:

Zimbra Hosted email.

1. Go to the folder with the email you wish to view (usually the Inbox).
2. Don’t open the email.
3. Right-click the email.
4. Select Show Original.
A new window will open up. It will show the email with its header.
5. Select everything from the top down to before the first line of the body of the email.
6. Copy the email and send it to us.



Outlook 97

Microsoft Outlook 97 may require an update called the Internet Mail Enhancement Patch (http://support.microsoft.com/kb/171630/EN-US) in order to display the email headers at all.



Outlook 98 and 2000

1. Open the message in a separate window (double click)
2. Under the View menu, select Options
3. Copy the text in the Internet Headers window.
4. Paste into the new email
5. Close the options window
6. If the spam header shows “text/html”:

  • Right click on the body of the spam, and choose ‘View Source’.
  • This automatically opens the HTML code up in Notepad.

7. Copy the entire message body.
8. Paste into new email.



Outlook Express 4, 5 and 6

New versions of Outlook Express 6 are reported to work correctly using forward-as-attachment. Please try this method first – it is much easier and faster. You can submit multiple spam messages at once. If that does not work, try the 2nd method described below instead:

Start by opening the message in its own window (or when viewing the message in the preview pane). Then with the mouse:

1. Click the “File” menu
2. Click “Properties”
3. Click the “Details” tab
4. Click “Message Source”
5. Highlight, copy and paste everything from this window

With viruses, worms and Trojans being spread via email, many users now work with the preview screen in Outlook Express turned off. Viewing the contents of email in the preview screen is no different than opening the message. If the email has malicious content, it may execute in the preview screen. The following are instructions (using the keyboard) to obtain the full message source if you have the preview panel turned off:

1. Highlight the message in the folder
2. Press Alt & Enter – this will open a message information window
3. Press Ctrl & Tab – this changes to the “Details” tab
4. Press Alt & M – this opens the message source
5. Press Ctrl & A – to select all the text
6. Press Ctrl & C – to copy the selected text to the clipboard
7. Press Alt & F4 – to close the message source window
8. Press the Esc key – to close the information window
9. Press Ctrl & N – to create a new email
10. Press Ctrl & V – to paste the clipboard contents into a new email



Outlook Express for Macintosh

1. Select the email, then from the View menu, choose Source. A new window will appear containing the email with full headers.
2. Press Command & A to select all.
3. Press Command & C to copy.
4. Create a new email
5. Press Command & V to paste the email in.



Microsoft Exchange

To get the complete headers and message source using Microsoft Exchange:
1. Click the “File” menu
2. Click “Properties”
3. Click the “Details” tab
4. Click “Message Source”
5. Highlight, copy and paste everything from the “Message Source” window



Microsoft Entourage (Office X for Mac)

To access the full message source with Microsoft Entourage:

  1. After clicking on the message, select “Source” from the View menu
  2. A new window will open showing the full message source with complete headers.
  3. Copy and paste into the web form



Mac OS X

To get the full message source:
1. Select a spam message
2. Select menu item View > Show > Raw Source.
3. Click on the resulting text
4. Click Edit > Select All > then Edit > Copy
5. Paste into new email.



Netscape

Preferred method:
1. Click on the “View” menu, then “Page Source,” then copy the contents of the window.

Old versions:
1. Click on the “View” menu, then “Headers,” then “All.” Note: This method will not work correctly with HTML spam.

Netscape Communicator also makes it very easy to report multiple messages using the email interface:
1. Create a new email.
2. Drag each spam to the attachments window at the top of the message window.
3. Send the mail.



Eudora

Using the cut and paste to a new email is the only option available to Eudora users. To display the full message source for cut and paste:

Eudora for the Mac:
1. Open the spam and click the BLAH BLAH BLAH button on the upper left hand corner of the message. This shows the extended headers.
2. Select the whole message including headers and paste into a new email.

Eudora for the PC:
There are 2 slightly different methods depending on whether the mail contains HTML or not. In any case, to prepare for HTML email, you should turn off the use of Microsoft’s HTML viewer. To do so, click Tools, then Options, then Viewing Mail. Uncheck the box labeled “Use Microsoft’s viewer.”

How to know if it’s HTML mail – Once you have opened the email, look near the bottom of the headers (see below for revealing headers) for a line like the following: Content-Type: text/html … you can frequently spot HTML email because it has font effects, pictures, etc but this is not always true so you have to take a quick look at the headers.

Why do I care if it’s HTML mail? – All kinds of interesting things can be “hidden” in HTML mail that won’t show up when you see the mail interpreted by your email program/browser. Actual URLs do not necessarily show up in interpreted HTML messages. For example: you might see CLICK HERE but the underlying HTML contains a URL that indicates the spammer’s web site. The hidden URLs are required to properly diagnose and identify the recipient.
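The gap between what an HTML message displays and where its links actually point can be checked from the message source. The following Python code is an added example, not part of the original page: it lists each link's visible text beside its real target and marks the cases where the target is hidden or names a different host. The sample HTML, its example.* hosts and documentation IP address, and the names LinkCollector, host_of and link_report are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body; hosts and addresses are placeholders.
SAMPLE_HTML = """\
<html><body>
<p>Your mailbox is full. <a href="http://203.0.113.7/login">CLICK HERE</a></p>
<p>Visit <a href="http://tracker.example.net/r?id=1">www.example.com</a> today.</p>
<p><a href="https://www.example.com/help">www.example.com/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_of(text):
    """Host part of a URL or bare 'www.example.com/path' string, else ''."""
    if " " in text or "." not in text:
        return ""
    parts = urlsplit(text if "://" in text else "//" + text)
    return (parts.hostname or "").lower()


def link_report(html):
    """Return (text, href, verdict) rows for each link in an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    rows = []
    for text, href in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and shown != actual:
            verdict = "MISMATCH"       # text names one host, link goes to another
        elif not shown:
            verdict = "TARGET HIDDEN"  # e.g. CLICK HERE: only the source shows the URL
        else:
            verdict = "ok"
        rows.append((text, href, verdict))
    return rows


if __name__ == "__main__":
    for row in link_report(SAMPLE_HTML):
        print(row)
```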

Eudora for the PC – non-HTML mail:
1. Open the email by double clicking on the subject line. Click the ‘blah blah blah’ button to reveal the headers.
2. Place your cursor anywhere in the body of the email and select the entire message (Edit/Select All or Ctrl-A)
3. Copy the entire email (right click and click copy OR Ctrl/C OR Edit/Copy)
4. Paste (right click/paste or Ctrl/V) the entire message into a new email.

Eudora for the PC – HTML mail:
1. Open the email and click blah blah blah.
2. Highlight the headers only. Copy and paste the headers into a new email.
3. Hit enter twice after the pasted headers to force a blank line after the headers.
4. Back in Eudora window, place your cursor anywhere in the body of the message and right click and click “view source.” A new window will open.
5. In the new window, select all (as above) and copy the contents of the new window.
6. Paste the window contents into a new email.



Lotus Notes (v.4.x and v.5.x)

Open the email, click on “Actions”, then on “Tools”, then on “Delivery Information.”
Next, you have to pick out the internet-style mail header information from the window that appears when you select Delivery Information.


Lotus Notes v.4.x

Look for the first line that begins with “Received”. There should be a blank line just above it. Then, scroll down to the next blank line. The stuff in between the two blank lines is the header information you need.


Lotus Notes v.5.x

Look for the separator line that reads:
——– Additional Header ——.
Select everything from there down to the next separator line, usually
——– Routing Information ——.
The stuff in between the two separator lines are the headers you need.

Lotus Notes v.5.x (quick method)
1. Open your Inbox
2. Highlight the message that you wish to get header information for.
3. Choose File > Export
4. Type in a filename, leave the type as “Structured Text” and click Export
5. From the dialog box that comes up, choose “Selected Documents” and click OK
6. Now you can open that message you saved in Wordpad and cut and paste it into a new email to send.

Alternate method for those that don’t have Delivery Information
Right-click on the email and select Document Properties. On the Fields tab, copy all the text from the value of the $AdditionalHeaders field. An example of the data provided for the $AdditionalHeaders field:
Field Name: $AdditionalHeaders
Data Type: TextList
Data Length: 1228 bytes
Seq Num: 1
Dup Item ID: 0
Field Flags:

If these methods both fail
You are probably in a Notes deployment that is using a customized client template. Contact your Notes template designers for instructions on obtaining this information under their design.

General Notes Notes
These will not capture the Notes Server routings and hand offs, only the MTA hand offs, and so will not be any good for reporting spam from other Notes users. If you are getting spam from other Notes users, contact your own system administrator to resolve the problem.



Lotus Notes (v.6.x)

The latest version of Lotus Notes, version 6.x has greatly simplified the method for getting the full headers:
1. Open the e-mail document.
2. From the menu, select View > Show > Page Source.



StarOffice

1. Right click on the container name in the explorer panel (either a top-level mail box or a specific mail folder).
2. Select the Properties item from the pop-up menu.
3. In the properties notebook, select the Headers tab.
4. Click the “All” button on the right.
5. Press “OK” and you’re done, the complete header is available in the header panel and can be selected/pasted into a new email.



Novell Groupwise

1. Open the message
2. In the message window, select: File > Attachments > View
3. Select the Mime.822 attachment



Hotmail

To see the full, unmangled headers in Hotmail, first, configure your options:

  1. Click on “Options.”
  2. In the “Additional Options” column, click on “Mail Display Options” and find the item “Message Headers.”
  3. Choose “Advanced” and click the “OK” button.

Then, to report spam:

  1. When viewing a message, use the “View E-mail Message Source” to display the message in raw mode before copying into new email. (This link is right below the headers.)



Yahoo Mail

Since Yahoo! does not provide a raw email source feature, it is easiest to report spam received in your Yahoo! account by simply forwarding (as an attachment) the offending email.

If you insist on using the web form, follow these steps:

First you must turn on “Full Headers.” From your Yahoo! mail account, click on “Mail Preference.” Scroll down the page to “Message Headers” and click on the “all” radio button. Save your preferences at the bottom of the page.

Next, view the message you want to report. If the message is in plain text, copying from this page and pasting it in the parsing box will work.

If the message to be reported is HTML, a two-step process must be used:

View the message and copy the complete headers. Paste these into a new email, then add a blank line.

Go back to the Yahoo! window and select to “Forward” the message as “inline text” (drop down menu). Scroll down the message to the start of the message body. (The first line of the HTML body will usually begin <HTML). Copy the body of the message and paste into the new email. Make sure a blank line remains between the header and body.

Click on the “Process Spam” button.



Excite web-mail

To view the full header information with Excite Webmail:

  1. Sign in to your email account.
  2. Click on Preferences on the Email home page
  3. Click on Email Preferences
  4. Check the box to display headers
  5. Click on Save
  6. You can then see the headers in all messages in your folders.



Netscape Webmail

While viewing the message, click on the yellow triangle to the right of the brief message headers. This will display the full headers along with the message body, which can be cut and pasted into a new email. To close the full headers and return to brief headers, click the yellow triangle again.



Lycos Mail (mailcity.com)

When viewing an individual message, click on the tool bar menu item above the message “All Headers.” Highlight and copy the complete message from the viewing window and paste into a new email.



Outlook Web Access

(as accessed through https://login.microsoftonline.com/)

  1. Left click on the letter you want to open and click Properties
  2. When that opens, click on the Details tab, then on Message source
  3. This will open the email so the full headers will be available for viewing
