Understanding Email Headers: A Complete Guide
Email headers are the metadata attached to every email. Most people never see them. But when you need to diagnose a delivery problem, verify a sender's identity, or prove an email is forged — headers tell the full story.
How to view email headers
- Gmail: Open email → three dots → "Show original"
- Outlook (web): Open email → three dots → "View" → "View message source"
- Apple Mail: View → Message → All Headers
- Cleanbox: Message detail → "Headers" tab (shows raw headers and parsed spam report)
Key headers explained
From
From: John Smith <john@example.com>
The display name and address shown to the recipient. This is trivially easy to forge — anyone can put any address in the From header. Never trust this alone.
Return-Path (Envelope From)
Return-Path: <bounces+12345@mail.example.com>
The actual envelope sender — where bounces are delivered. This is set during the SMTP transaction, not in the email content. In legitimate email, this usually matches or is related to the From domain. In spam, they often differ.
Received
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
    by mx1.cleanbox.to (Postfix) with ESMTPS id ABC123
    for <alias@cleanbox.me>; Mon, 25 Aug 2026 09:15:03 +0000 (UTC)
The most important header for tracing. Each server that handles the email adds a Received header at the top. Read them bottom to top to follow the email's path from sender to recipient.
Each Received header tells you:
- from — The server that sent the email to this hop
- by — The server that received it
- with — The protocol used (ESMTP, ESMTPS for encrypted)
- for — The recipient address
- timestamp — When the hop occurred
Authentication-Results
Authentication-Results: mx1.cleanbox.to;
    spf=pass (sender SPF authorized) smtp.mailfrom=example.com;
    dkim=pass header.d=example.com;
    dmarc=pass (policy=reject) header.from=example.com
The receiving server's verdict on email authentication. This tells you whether SPF, DKIM, and DMARC passed or failed. A legitimate email from a properly configured sender should show pass for all three.
DKIM-Signature
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
    h=from:to:subject:date:message-id; bh=...; b=...
The DKIM cryptographic signature. Key fields:
- d= — The signing domain (should match or be related to the From domain)
- s= — The selector (used to look up the public key in DNS)
- h= — Which headers are included in the signature
Message-ID
Message-ID: <abc123@mail.example.com>
A unique identifier for the email. The domain part usually matches the sending server. If a Message-ID contains a raw IP address instead of a domain, it is a red flag (Cleanbox flags this as the "Bare IP" spam symbol).
X-Spam-Status / X-Spam-Score
X-Spam-Status: Yes, score=8.5 required=6.0
Added by spam filters. Shows the spam score and whether the email exceeded the threshold. In Cleanbox, the full spam report (every triggered symbol with its score) is available on the message detail page.
List-Unsubscribe
List-Unsubscribe: <https://example.com/unsubscribe/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The machine-readable unsubscribe mechanism. The presence of List-Unsubscribe-Post indicates RFC 8058 one-click support. Cleanbox uses these headers to enable one-click unsubscribe on the contact page.
Using headers to spot phishing
When you suspect an email is phishing, check:
- Authentication-Results: Do SPF, DKIM, and DMARC all pass? If any fail, the sender may not be who they claim.
- From vs Return-Path: Do they match? A LinkedIn notification with a Return-Path from random-domain.xyz is suspicious.
- Received chain: Does the email originate from a server associated with the claimed sender? A "PayPal" email that originated from a server in Russia is forged.
- DKIM domain: Does d= in the DKIM-Signature match the From domain? If not, the signature may be from a different entity.
For a practical checklist, see Is This Email a Scam? A Quick Checklist.
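The checks in the list above can be run mechanically over raw headers. The following is an added example, not Cleanbox code and not part of the original guide: `check_headers`, `related` and `domain_of` are hypothetical names, the sample message is constructed, and "related" is simplified to an exact or subdomain match rather than full DMARC organizational-domain alignment. It also applies the "Bare IP" Message-ID check described earlier.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail); domains and the IP are placeholders.
SAMPLE = """\
Return-Path: <bounces@random-domain.xyz>
Authentication-Results: mx1.cleanbox.to;
 spf=pass smtp.mailfrom=random-domain.xyz;
 dkim=pass header.d=random-domain.xyz;
 dmarc=fail header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=random-domain.xyz; s=selector1;
 h=from:to:subject:date:message-id; bh=...; b=...
From: Example Support <support@example.com>
Message-ID: <abc123@[203.0.113.7]>

body
"""

def domain_of(value):
    """Lower-cased domain of the address in a From/Return-Path value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def related(a, b):
    """Equal, or one is a subdomain of the other (simplified alignment; assumption)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_headers(raw, trusted_authserv):
    """Return a list of findings; an empty list means every check passed."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # Only trust the Authentication-Results stamped by our own receiving server;
    # copies carrying another authserv-id may have been supplied by the sender.
    ar = next((v for v in msg.get_all("Authentication-Results", [])
               if v.split(";")[0].strip().lower() == trusted_authserv), "")
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", ar)
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{method}={m.group(1) if m else 'missing'}")
    if not related(from_dom, domain_of(msg["Return-Path"])):
        findings.append("from/return-path mismatch")
    dkim_d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if not dkim_d or not related(from_dom, dkim_d.group(1).lower()):
        findings.append("dkim d= not aligned with From")
    if re.search(r"@\[?\d{1,3}(\.\d{1,3}){3}\]?>", msg.get("Message-ID", "")):
        findings.append("message-id uses bare IP")
    return findings
```

In the sample, SPF and DKIM both pass for random-domain.xyz, yet the message is still flagged because neither result aligns with the From domain, which is why the DMARC verdict and the domain comparisons matter more than a bare "pass".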
Using headers to diagnose delivery issues
If email is not arriving or is being marked as spam:
- Check Received timestamps: Large gaps between hops indicate queueing delays (server overload or greylisting)
- Check Authentication-Results: SPF or DKIM failures cause many deliverability problems
- Check X-Spam headers: If present, they show exactly which rules triggered and why the email was flagged
- Check for X-Cleanbox-Validation: If you use Relay with a verification token, confirm the header is present