What Is an Email Header? A Beginner's Guide with Real Examples
Every email has a hidden section that most people never see: the headers. They contain technical information about where the email came from, which servers handled it, whether it passed security checks, and whether the sender is who they claim to be.
You do not need to understand headers for everyday email. But the moment you need to verify a suspicious email, diagnose why your messages are going to spam, or prove an email is forged — headers tell you everything.
How to view email headers
| Email client | How to access |
|---|---|
| Gmail (web) | Open email → three dots (top right) → "Show original" |
| Outlook (web) | Open email → three dots → "View" → "View message source" |
| Apple Mail | View menu → Message → All Headers |
| Thunderbird | View menu → Headers → All |
| Cleanbox | Message detail → Headers tab |
The 5 headers that matter most
1. From
From: Amazon <shipment-tracking@amazon.com>
What it is: The sender's name and email address as displayed in your inbox.
Why it matters: This is the easiest header to fake. Anyone can set the From header to any name and address. Never trust this header alone to verify a sender.
2. Received
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
by mx.recipient.com with ESMTPS
for <you@example.com>;
Mon, 19 Feb 2025 10:15:03 +0000
What it is: A record of each server that handled the email. Every server adds one at the top.
Why it matters: Read from bottom to top to trace the email's path. If an email claims to be from PayPal but the earliest Received header (the one at the bottom) shows it originated from a random server in a different country, it is forged.
3. Authentication-Results
Authentication-Results: mx.recipient.com;
spf=pass smtp.mailfrom=amazon.com;
dkim=pass header.d=amazon.com;
dmarc=pass
What it is: The receiving server's verdict on email authentication.
Why it matters: This tells you if SPF, DKIM, and DMARC passed. All three should show "pass" for legitimate email from major senders. If any show "fail," the email may be forged. See What is SPF, DKIM, and DMARC? for what these mean.
4. Return-Path
Return-Path: <bounce-123@amazonses.com>
What it is: Where bounce notifications are sent. This is the "real" sender at the SMTP level.
Why it matters: If the From header says paypal.com but the Return-Path says random-scammer.xyz, the email is almost certainly phishing.
5. Subject
Subject: Your Amazon order has shipped
What it is: The subject line (yes, it is technically a header too).
Why it matters: The subject line in the header is the raw, un-decoded version. Sometimes phishing emails use character encoding tricks that look normal in your inbox but appear suspicious in the raw header.
Real example: spotting a fake PayPal email
You receive an email that looks like a PayPal notification. Here is how to check:
- Check From: PayPal <service@paypal-security-center.com> — The domain is paypal-security-center.com, NOT paypal.com. First red flag.
- Check Return-Path: <bounce@cheap-hosting.xyz> — Completely unrelated domain. Second red flag.
- Check Authentication-Results: spf=fail, dkim=none, dmarc=fail — All authentication failed. Third red flag.
- Check Received: Originated from a server with no reverse DNS, IP on blacklists. Confirmed fake.
A real PayPal email would show From: service@paypal.com, Return-Path: @paypal.com, and all authentication passing.
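The checks from the walkthrough above, run over a raw message with Python's standard `email` module (an added example, not code from the original article). The sample message is constructed, and the function names, the `expected_domain` argument and the `authserv_id` filter (which trusts only Authentication-Results lines stamped by your own receiving server) are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the fake PayPal walkthrough (values made up).
RAW = (
    "Return-Path: <bounce@cheap-hosting.xyz>\n"
    "Received: from unknown (unknown [203.0.113.7])\n"
    "\tby mx.recipient.com with ESMTP; Wed, 19 Feb 2025 10:15:03 +0000\n"
    "Authentication-Results: mx.recipient.com;\n"
    "\tspf=fail smtp.mailfrom=cheap-hosting.xyz; dkim=none; dmarc=fail\n"
    "From: PayPal <service@paypal-security-center.com>\n\nbody\n"
)

def domain_of(value):
    """Lower-cased domain of the address in a From or Return-Path value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg, authserv_id):
    """SPF/DKIM/DMARC verdicts stamped by our own receiving server only."""
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.strip().lower() == authserv_id:  # skip other servers' stamps
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()))
    return verdicts

def origin_ip(msg):
    """IP in the bottom-most Received header, i.e. the earliest recorded hop."""
    hops = msg.get_all("Received", [])
    m = re.search(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", hops[-1]) if hops else None
    return m.group(1) if m else None

def red_flags(raw, expected_domain, authserv_id):
    """Apply the From, Return-Path and Authentication-Results checks."""
    msg = message_from_string(raw)
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    flags = []
    if from_dom != expected_domain and not from_dom.endswith("." + expected_domain):
        flags.append(f"From domain is {from_dom}, not {expected_domain}")
    # Only a hint: the page's own Amazon sample has Return-Path amazonses.com.
    if rp_dom != from_dom:
        flags.append(f"Return-Path domain is {rp_dom}")
    verdicts = auth_verdicts(msg, authserv_id)
    return flags + [f"{k}={v}" for k, v in verdicts.items() if v != "pass"]

if __name__ == "__main__":
    msg = message_from_string(RAW)
    print(red_flags(RAW, "paypal.com", "mx.recipient.com"), origin_ip(msg))
```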
Real example: why is my email going to spam?
You send email from your custom domain and it lands in the recipient's spam folder. Check the headers of a test email:
- Check Authentication-Results: If SPF or DKIM shows "fail," your DNS is misconfigured. See the authentication guide.
- Check for X-Spam headers: Many servers add headers like X-Spam-Score: 8.5 or X-Spam-Status: Yes. This tells you the score and which rules triggered.
- Check Received path: If there are unexpected hops through relay servers, SPF may be failing because the relay IP is not in your SPF record.
Headers you can ignore
Most headers are technical noise. You can safely ignore:
- MIME-Version, Content-Type, Content-Transfer-Encoding — Email formatting, not security-relevant
- X-Google-DKIM-Signature — Google's internal DKIM, not related to the sender
- X-Gm-Message-State — Gmail internal tracking
- ARC-* headers — Authentication chain for forwarded email, advanced topic
For the complete technical reference (all headers, all fields), see Understanding Email Headers: A Complete Guide.