How to Read Email Headers (and Trace Where an Email Came From)
Reading an Email Header, Line by Line
Every email carries a hidden block of header metadata that records exactly how it reached you. Learning to read it lets you trace where a message really came from, confirm whether it is genuine, and spot a spoofed or phishing email that an ordinary glance would miss. The fastest way to do this is to paste the raw text into our Email Header Analyzer, which lays out the hops and authentication results for you, but it is worth knowing how to read them by hand.
1. Open the Raw Message in Your Email Client
You first need the full, unparsed header text. In Gmail, open the message, click the three-dot More menu, and choose Show original. In Outlook desktop, open the message and use File then Properties to find the Internet headers box; Outlook on the web shows them under View message details. In Apple Mail, select the message and choose View then Message then All Headers, or Raw Source for the complete message. Copy the whole block of headers, not just the visible From and Subject lines.
2. Find the Received Chain and Read It From the Bottom Up
The most important part of a header is the stack of Received lines. Each mail server that handles the message prepends its own Received line at the top, so the lines are in reverse chronological order: the bottom Received is the origin where the message started, and the top Received is the last hop before your inbox. Read the chain from the bottom up and you follow the email in the order it actually travelled, server by server. This trace-field behavior is defined in RFC 5322.
3. Locate the Originating Server and IP
The bottom-most Received line shows where the message first entered the mail system. The sending IP usually appears in brackets, like [203.0.113.7], or just after the word from, often next to a reverse-DNS hostname you can geolocate with our IP Lookup. Treat that line as a claim rather than proof: only the Received lines added by servers you trust, such as your own provider's, are reliable, and everything below them was written by upstream systems that the sender may control. One further caveat: major providers such as Gmail and Outlook frequently strip or mask the original sender IP for privacy, so a reliable origin IP is most often recoverable from self-hosted or smaller mail servers rather than from large webmail platforms.
4. Check the Authentication-Results Line
Look for the Authentication-Results header, which the receiving server stamps with the outcome of each security check: typically spf=pass, dkim=pass and dmarc=pass or fail. These three results tell you whether the message was really authorized by the domain it claims to come from. Our Email Auth checker explains each one, and the full meaning of SPF, DKIM and DMARC is worth understanding, because the visible From address alone can be forged.
5. Compare Timestamps to Spot Delays
Each Received line includes a timestamp for when that server handled the message. Comparing timestamps between consecutive hops shows where time was lost: a large gap between two adjacent Received entries points to the server that introduced the delay, such as a greylisting pause or a backed-up queue. Because you are reading bottom to top in chronological order, the slow hop is easy to isolate.
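Steps 2 to 5 can be carried out in a few lines of Python, shown here as an added example that is not part of the original page or of the Email Header Analyzer. The headers are constructed sample data, and the function names and the `trusted_authserv` parameter are assumptions. It goes one step beyond the text by reading only the Authentication-Results header stamped by your own receiving server, because a sender can include a look-alike header of their own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation IPs and domains), newest header first.
RAW = """\
Authentication-Results: inbox.example.org;
\tspf=pass smtp.mailfrom=bulk.example.net;
\tdkim=none; dmarc=fail header.from=example.com
Received: from mx.example.net (mx.example.net [198.51.100.20])
\tby inbox.example.org with ESMTPS id A1; Tue, 02 Jan 2024 10:07:45 +0000
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.net with ESMTP id B2; Tue, 02 Jan 2024 10:07:40 +0000
Received: from [203.0.113.7] (helo=laptop.local)
\tby relay.example.net with ESMTPSA id C3; Tue, 02 Jan 2024 10:00:05 +0000
Authentication-Results: mail.sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: "Example Billing" <billing@example.com>
Subject: constructed test message
"""

def received_hops(raw):
    """Received headers are prepended, so reverse them to get oldest-first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clause, _, stamp = value.rpartition(";")  # timestamp follows the last ';'
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)  # bracketed IPv4
        by = re.search(r"\bby\s+(\S+)", clause)
        hops.append({"by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops

def hop_delays(hops):
    """(receiving server, seconds since the previous hop) for each later hop."""
    return [(b["by"], (b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:])]

def auth_results(raw, trusted_authserv):
    """Verdicts from the Authentication-Results header stamped by our own server."""
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == trusted_authserv:
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    return {}  # nothing stamped by a server we trust

if __name__ == "__main__":
    hops = received_hops(RAW)
    print("origin:", hops[0]["ip"], "->", hops[0]["by"], hop_delays(hops))
    print(auth_results(RAW, "inbox.example.org"))
```

In the sample, spf=pass applies to bulk.example.net rather than the example.com shown in From, which is why dmarc still fails.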
Frequently Asked Questions
How do I read email headers?
Read the Received lines from the bottom up: each mail server that handles the message adds its own Received line at the top, so the oldest hop (the origin) sits at the bottom and the newest hop (closest to your inbox) sits at the top. View the raw or original message in your email client, trace the Received chain to follow the route, and check the Authentication-Results line for SPF, DKIM and DMARC. The From and Subject lines show the claimed sender, while the Received chain and authentication results show whether that claim holds up.
How do I view the raw email headers in Gmail, Outlook and Apple Mail?
In Gmail, open the message, click the three-dot More menu and choose Show original. In Outlook desktop, open the message and use File then Properties to see the Internet headers box; Outlook on the web shows them under View message details. In Apple Mail, select the message and choose View then Message then All Headers, or Raw Source for the complete message.
How do I find the IP address in an email header?
Look in the Received lines for the originating server, which is the bottom-most Received entry where the message first entered the mail system. The sending IP usually appears in brackets or just after the word from, often next to a reverse-DNS hostname. Note that major providers such as Gmail and Outlook frequently strip or mask the original sender IP for privacy, so a reliable origin IP is most often recoverable from self-hosted or smaller mail servers.
How can I tell where an email actually came from?
Trace the Received chain from the bottom up to find the first server that accepted the message, since that hop is closest to the true origin, then cross-check it against the Authentication-Results header to see whether SPF, DKIM and DMARC passed for the claimed domain. Because the visible From address can be forged, the authentication results and the originating hop are more trustworthy than the displayed sender name.
How do I spot email delivery delays in the headers?
Each Received line includes a timestamp for when that server handled the message, so comparing timestamps between consecutive hops shows where time was lost. A large gap between two adjacent Received entries points to the server that introduced the delay, such as a greylisting pause or a backed-up queue. Reading the chain from bottom to top follows the message in order from origin to delivery.