Sunday, November 24, 2013

Analyzing Email Header

    Analyzing Email Header

In this article, I am going to introduce my followers that how to analyze the Email headers fields and understand the different- different portion information of Email header.
Before we start analyzing the email header field, we should know how to access or extract the email header in different - different emails clients.
1. How to access Email header in Gmail:
Login to your Gmail account & click on any email (which header you want to analyze).
Click on triangular button under the red circle and click on Show original.

When you will click on show original, Email header will be open in a new window, copy that email header in any text or word file to analyze it.

2. How to access Email header in
Login to Yahoomail
Click on More under the red box and then click on View full header to open the email header.


3. How to access the Email header in Hotmail
Login to your hotmail account
Click on any email, which header you want to access
Click on the red circle place and click on View message source

                                                Image- 1.3

4. Access the Email Header in Microsoft Outlook
Login in MS Outlook and double click on any email, which header you want to access
Click on triangular under the red circle box
See the Email header under the Internet header.


5. Access the Email header in Microsoft Outlook Express
Login in MS Outlook Express and click on email, which header you want to access
Right-click on it and select Properties and go to Details to see the header.

Analyzing the Email Header:
Here I am going to show you the original Email header and will explain the each part of message header.

MIME-Version: 1.0
Received: by with HTTP; Sat, 23 Nov 2013 01:16:32 -0800 (PST)
Date: Sat, 23 Nov 2013 14:46:32 +0530
Message-ID: <>
Subject: docs
From: Arun Chaudhary <>
To: Arun Chaudhary <>
X-Mailer: Mail Client
Content-Type: multipart/mixed; boundary=001a1133840e386fef04ebd49605

Content-Type: multipart/alternative; boundary=001a1133840e386fea04ebd49603

Content-Type: text/plain; charset=UTF-8

Understand the different - different part of an Email Header:
·         MIME ver :                   Version of MIME  
·         Received :                    Sender IP address and protocol
·         Date:                              The date the message was sent
·         Delivered To:              Receiver email ID
·         Message-ID:                                The ID of the message
·         Subject:                         The message subject
·         From:                             The message sender email ID
·         To:                                   The message recipient email ID
·         X-Mailer:                      The mail client (mail program) used to send the message
·         Content Type:            The content of Email, like: HTMP, plain text

The From:  line, which contains the sender of the message could be faked easily, so you should not rely on this information.
The lines in green contain the routing information, from the senders computer to the recipients mailserver.
                Let's have a closer look at these lines:
Received: from senderhostname [xxxx.xxxx.xxxx.xxxx] (helo=[ senderhostname])
by mailserver.senderdomain.tld with esmtpa (Exim x.xx)
(envelope-from <sender@senderdomain.tld) id yyyy.yyyy.yyyy.yyyy
for recipient@recipientdomain.tld; Tue, 01 Apr 2013 10:36:08 -0100
 The message was sent from the senders computer with the IP address xxxx.xxxx.xxxx.xxxx to the mailserver of the sender. In many cases the sender IP xxxx.xxxx.xxxx.xxxx is a dynamic IP address, e.g. DSL. The IP address gives many information's about the sender, the location of the sender and the provider.
Received: from mailserver.senderdomain.tld ([bbb.bbb.bbb.bbb] helo=mailserver.senderdomain.tld)
by mailexchanger.recipientdomain.tld with esmtp
id xxxxxx-xxxxxx-xx 
  The message was transferred from the senders mailserver with the IP address bbb.bbb.bbb.bbb to the recipients mailexchanger. The mailexchanger is the mailserver, which accepts incoming messages for a domain.

Received: from mailexchanger.recipientdomain.tld([ccc.ccc.ccc.ccc])
by mailserver.recipientdomain.tld running ExIM with esmtp
id xxxxxx-xxxxxx-xxx; Wed, 2 Apr 2013 11:39:23 +0200 
 The message was finally received by the recipients mailserver from the the recipients mailexchanger ccc.ccc.ccc.ccc.
 This is only a sample, which should show the principles. The message routing can contain much more steps, depending on the used mailprovider. It should always be possible to see the sender computer IP address and the sender mailserver bbb.bbb.bbb.bbb if the message was sent from a mail client and a client computer. If the message was sent from a webmail client, then the real IP address of the sender is not included - in this case (if any) will be the IP address of the webmail.
Some might try to fake the routing information, but your mailserver should give you a warning that something is not correct during the transfer from the sender mailserver bbb.bbb.bbb.bbb to the recipient mailexchanger ccc.ccc.ccc.ccc.

Note: Please leave your comments , if you like this articles and send your any query to me, I will get back you with possible solution.


                                      Arun Chaudhary
Post a Comment