This is a basic tutorial on how to interpret email headers. I recently found myself dealing with co-workers who didn't understand how to read expanded email headers, and given my dealings with spoofed email and the noticeable lack of comprehension most people have of what exactly is contained in an email header, I thought I might elaborate. After visiting stopspam's site, I read through their tutorial and gained a wealth of knowledge that I thought I'd share, in my own simplified manner (all examples are unique and all definitions are my own, using stopspam's definitions as a guide).

Here's a sample email header from an email I received, with the expanded header shown. I simplified it somewhat to make it easier to break down. It is a legitimate email, so we can assume the fields are valid as well.
(This is an email sent to me from AVG AntiVirus.) The numbers in brackets, (1) and (2), are not actually part of the email; they just number each transaction.

(2)Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650
for <shagdevil@totalputz.com>; Sun, 9 May 2004 13:04:13 -0400
(1)Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
by download.grisoft.cz with ESMTP id ADABE1D22E0
for <shagdevil@totalputz.com>; Sun, 9 May 2004 19:04:08 +0200 (CEST)
From: AVG Anti-Virus Distribution WebCenter <confirm@grisoft.com>
To: shagdevil@totalputz.com
Subject: License code for AVG Free Edition (Grisoft No. 99c9999)
Message-Id: <20040509170408.ADABE1D22E0@download.grisoft.cz>
Date: Sun, 9 May 2004 19:04:08 +0200 (CEST)


This is the first of two transactions that occurred during the path of the email.

(1)Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
The box the email was received from. It announced itself as biz.grisoft.cz; the receiving server recorded its actual identity as ms.grisoft.cz, IP address 193.85.188.248. The name in the parentheses and the IP address are what the receiver observed, whereas the name after "from" is whatever the sending box claimed.

by download.grisoft.cz with ESMTP id ADABE1D22E0
The box that received the email (download.grisoft.cz), using Extended SMTP (ESMTP). An ID (ADABE1D22E0) is placed on the message for logging purposes.

for <shagdevil@totalputz.com>; Sun, 9 May 2004 19:04:08 +0200 (CEST)
The intended receiver's email address and the time and date of the transfer. The time is given in the receiving server's local zone with its offset from Greenwich Mean Time, which is why the two transactions show different clock times. The "for" address is the envelope recipient and may have no relation to the To: field.



This is the second (and last) of the transactions that occurred during the path of the email.

(2)Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
The box the email was received from. It announced itself as download.grisoft.cz, and the receiving server's lookup agreed: download.grisoft.cz, IP address 212.67.74.214.

by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650
The box that received the email (mail.totalputz.com), using Extended SMTP (ESMTP). The (8.12.11/8.12.11) is just the version of the mail server software the box is running (here sendmail). An ID (i49H4AsK011650) is placed on the message for logging purposes.

for <shagdevil@totalputz.com>; Sun, 9 May 2004 13:04:13 -0400
The intended receiver's email address and the time and date of the transfer. The time is given in the receiving server's local zone with its offset from Greenwich Mean Time. The "for" address is the envelope recipient and may have no relation to the To: field.
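To follow the path mechanically, here is an added Python example (my own, not from the original tutorial or from stopspam) that parses the two Received lines from the AVG header above, puts them in delivery order, normalises both timestamps to UTC and flags the hop where the announced name (biz.grisoft.cz) differs from the receiver's lookup (ms.grisoft.cz). The embedded header text is constructed from the sample, and the regex assumes the "from NAME (RDNS [IP])" form that sample uses.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received lines from the AVG header above,
# in the order they appear in the message (newest hop on top).
HEADER = """\
Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
 by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650
 for <shagdevil@totalputz.com>; Sun, 9 May 2004 13:04:13 -0400
Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
 by download.grisoft.cz with ESMTP id ADABE1D22E0
 for <shagdevil@totalputz.com>; Sun, 9 May 2004 19:04:08 +0200 (CEST)
"""
# Matches the "from NAME (RDNS [IP]) by HOST ... id ID ...; DATE" form used above.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+).*?;\s*(?P<date>.+)$"
)

def parse_received(header_text):
    """Return the hops oldest-first, each with its timestamp normalised to UTC."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)   # join folded lines
    hops = []
    for line in unfolded.splitlines():
        m = HOP_RE.search(line) if line.startswith("Received:") else None
        if m:
            hop = m.groupdict()
            date = re.sub(r"\s*\(.*\)\s*$", "", hop.pop("date"))  # drop "(CEST)"
            hop["utc"] = parsedate_to_datetime(date).astimezone(timezone.utc)
            hops.append(hop)
    hops.reverse()  # each relay prepends its line, so the bottom one is hop 1
    return hops

def trace(hops):
    """Summarise the path: transit seconds per hop and whether the announced name differs from the receiver's lookup."""
    rows = []
    for i, h in enumerate(hops):
        transit = (h["utc"] - hops[i - 1]["utc"]).total_seconds() if i else 0.0
        rows.append({
            "hop": i + 1, "from": h["helo"], "rdns": h["rdns"], "ip": h["ip"],
            "by": h["by"], "id": h["id"], "utc": h["utc"].strftime("%H:%M:%S"),
            "transit_s": transit, "name_mismatch": h["helo"] != h["rdns"],
        })
    return rows

if __name__ == "__main__":
    for row in trace(parse_received(HEADER)):
        print(row)
```

Normalised to UTC the two stamps are 17:04:08 and 17:04:13, five seconds apart, and the 20040509170408 prefix of the Message-Id matches the first of them.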




Other information contained in the header is as follows:

From: AVG Anti-Virus Distribution WebCenter <confirm@grisoft.com>
The email's claimed sender: the display name AVG Anti-Virus Distribution WebCenter with the address confirm@grisoft.com. This field is filled in by the sender and is not checked by the boxes that relay the message, which is why the Received lines, not the From: line, are what you follow.

To: shagdevil@totalputz.com
The receiver's email address.

Subject: License code for AVG Free Edition (Grisoft No. 18c4788)
The subject of the email.

Message-Id: <20040509170408.ADABE1D22E0@download.grisoft.cz>
This is the permanent ID attached by the box download.grisoft.cz. It is not the same as the logging IDs the relays assign to the email; it is an identifying feature that stays with the header through the entire path of the email.

Date: Sun, 9 May 2004 19:04:08 +0200 (CEST)
When the email was actually created, according to the sender.


Again, this is an oversimplified email header so I could better convey the basics of breaking down a header and following the path of a typical email. There are many other fields that you may see in a typical email header. Some examples: X-Priority, X-Sender, X-Mailer, X-UIDL, Content-Type, Bcc, Cc and Content-Transfer-Encoding, to name a few.

Here's a sample where some of those fields are used (this is a complete email header; I didn't simplify this one). It was sent from Travelocity.

From - Mon Apr 12 14:53:42 2004
X-UIDL: __~!!c(U"!WO-!!*/@"!
Return-Path: <2.253141.31353834323037.b@mailb.travelpn.com>
Received: from p136.travelocity.com (p136.travelocity.com [151.193.165.14])
by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i3CFm97B007068
for <shagdevil@totalputz.com>; Mon, 12 Apr 2004 11:48:09 -0400
Received: from tcyhlp135 (172.30.66.213)
by p136.travelocity.com (PowerMTA(TM) v2.0r4) id hfat3i04e18r; Mon, 12 Apr 2004 10:48:03 -0500 (envelope-from <2.253141.31353834323037.b@mailb.travelpn.com>)
Message-ID: <25026338.1081784883144.JavaMail.bulky@172.30.66.214>
Date: Mon, 12 Apr 2004 10:48:03 -0500 (CDT)
From: Travelocity Member Services <Travelocity@email.travelocity.com>
Reply-To: Travelocity Member Services <2.253141.31353834323037@mailb.travelpn.com>
To: shagdevil@totalputz.com
Subject: Travelocity Fare Watcher Alert
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailer-Version: 3.5.5 build 731
X-Mailer: Accucast
X-UIDL: __~!!c(U"!WO-!!*/@"!

Reply-To: Travelocity Member Services <2.253141.31353834323037@mailb.travelpn.com>
Designates the address that replies should go to. It may differ from the From: address, as it does here.

X-UIDL: __~!!c(U"!WO-!!*/@"!
The unique ID that Post Office Protocol (POP) uses to keep track of which messages have already been retrieved from the mailbox. It is added on the receiving side when the mail is fetched, not by the sender.

Mime-Version: 1.0
The version of MIME the message conforms to (in practice always 1.0).

Content-Type: text/plain; charset=ISO-8859-1
Tells MIME-aware mail programs what kind of content the body contains; here, plain text in the ISO-8859-1 character set.

Content-Transfer-Encoding: 7bit
States how the body is encoded, so that MIME-aware mail programs can decode it. Encodings such as base64 are used to carry content that is not plain text; 7bit means the body is ordinary ASCII text and needs no decoding.

X-Mailer-Version: 3.5.5 build 731
X-Mailer: Accucast
The name and version of the mail software used by the sender.


**note - If any of this information is incorrect, please let me know so I can promptly correct it.
**note - Reference(s) used: www.stopspam.org