HackMyIP

What Is an Email Header? The Anatomy of Every Email

The Metadata Behind Every Message

An email header is the structured block of metadata at the top of every email, defined by the Internet Message Format standard RFC 5322. It is separate from the body you read, and it carries the routing and identity information that mail servers and clients use to deliver, display and authenticate a message. Most email apps hide it, but you can view and parse it any time with our Email Header Analyzer, and learn to read it line by line.

The Identity Fields: From, To, Subject, Date, Message-ID

The most familiar header fields describe the message itself: From (the claimed sender), To (the recipients), Subject, and Date. Every message also gets a unique Message-ID when it is created, a globally unique string used to reference the message in replies and threading. These fields are what your email client shows you, but as identity claims they are only as trustworthy as the authentication behind them.

Received Lines: the Delivery Trace

The Received headers are a trace of the journey. Each mail server that handles the message adds its own Received line recording where it came from, where it arrived, and when. Because every relay prepends its line to the top, the chain reads in reverse order: the bottom Received is the origin and the top is the last hop before your inbox. This is the part of the header you read to trace where an email came from and to find the originating server with our IP Lookup.
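Reading the chain bottom-up can be done mechanically. The following is an added example, not code from this page or its tools: it parses the Received lines of a constructed message, returns the hops oldest-first, and marks which lines were written by servers you control (the `trusted_hosts` set, the host names and the function names are assumptions for illustration).

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts and IPs are invented (documentation-reserved ranges).
RAW = """\
Received: from mx-edge.example.net (mx-edge.example.net [198.51.100.7])
    by inbox.example.net with ESMTPS id abc123;
    Tue, 07 Apr 2026 10:00:05 +0000
Received: from relay.example.org (relay.example.org [203.0.113.25])
    by mx-edge.example.net with ESMTP id def456;
    Tue, 07 Apr 2026 10:00:03 +0000
Received: from workstation (unknown [192.0.2.44])
    by relay.example.org with ESMTPA id ghi789;
    Tue, 07 Apr 2026 10:00:01 +0000
From: Alice <alice@example.org>
Subject: Quarterly report

Body text.
"""

HOP = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", re.S)

def trace(raw, trusted_hosts):
    """Return hops oldest-first; 'trusted' marks lines written by our own servers."""
    msg = message_from_string(raw)
    hops, chain_trusted = [], True
    for line in msg.get_all("Received", []):  # header order: newest hop first
        m = HOP.search(line)
        if not m:
            chain_trusted = False  # an unparseable line breaks the trusted chain
            continue
        helo, ip, by = m.groups()
        # Trust ends at the first line not written by a server we control.
        chain_trusted = chain_trusted and by.lower() in trusted_hosts
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append({"from": helo, "ip": ip, "by": by, "time": when, "trusted": chain_trusted})
    return hops[::-1]  # reverse so index 0 is the claimed origin

def last_verifiable_ip(hops):
    """IP recorded by the oldest trusted hop: the earliest address our servers observed."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[0]["ip"] if trusted else None
```

Everything below the oldest trusted line is a claim made by an upstream server, so the address from `last_verifiable_ip` is the one worth looking up first.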

Return-Path and Reply-To

Two fields often confuse people. Return-Path records the envelope return address, where bounce and delivery-failure notices are sent; it comes from the envelope sender rather than the visible From. Reply-To tells your client where to direct replies when that should differ from the From address. Both are legitimate, but both are also commonly abused in phishing, where a reply quietly goes somewhere other than the apparent sender.

Envelope vs Header, and Why Headers Can Be Forged

There are really two layers. The envelope is what mail servers exchange during delivery (the envelope sender, which becomes the Return-Path, and the envelope recipient), and it is what actually controls routing. The header is the From, To and Subject stored inside the message and shown to you. These can differ, which is the root of email spoofing: the From you see is sender-set and can be forged. That is exactly why SPF, DKIM and DMARC exist, and you can check any message against them with our Email Auth checker or by reading the raw headers.
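The gap between the visible From, the envelope sender in Return-Path, and Reply-To can be checked directly from the raw header. This is an added example, not code from this page or its tools: it compares the three domains in a constructed message and reads the DMARC verdict only from an Authentication-Results line stamped by your own receiver (the `authserv_id` value, the domains and the function names are assumptions for illustration).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: all names and domains are invented for illustration.
RAW = """\
Return-Path: <bounce@mailer.example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.example.com;
    dkim=none; dmarc=fail header.from=example.org
From: "Example Bank" <support@example.org>
Reply-To: helpdesk@example.com
To: bob@example.net
Subject: Account notice

Body text.
"""

def domain(value):
    """Lower-cased domain of the address in a header value, or None if absent."""
    _, at, dom = parseaddr(value or "")[1].rpartition("@")
    return dom.lower() if at else None

def identity_signals(raw, authserv_id):
    """Compare the visible From with the envelope and reply addresses."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    rp, rt = domain(msg["Return-Path"]), domain(msg["Reply-To"])
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        server, _, rest = ar.partition(";")
        # Only count results stamped by our own receiver; a sender can add
        # an Authentication-Results line of its own.
        if server.strip().lower() == authserv_id:
            auth.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return {
        "from_domain": from_dom,
        # Exact-match comparison, a simplification: a mismatch is a signal
        # to look closer, not proof of forgery.
        "return_path_differs": rp is not None and rp != from_dom,
        "reply_to_differs": rt is not None and rt != from_dom,
        "dmarc": auth.get("dmarc", "none"),
    }
```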

Frequently Asked Questions

What is an email header?

An email header is the structured block of metadata at the top of every message, defined by the Internet Message Format standard RFC 5322. It contains fields such as From, To, Subject, Date, Message-ID and one or more Received lines that trace the delivery path. The header is separate from the body and carries the routing and identity information that mail servers and clients use to handle, display and authenticate the message.

What information is in an email header?

A header contains identity fields like From, To, Subject and Date, a unique Message-ID assigned when the message is created, and Received lines added by each server that relays it. It also includes Return-Path (the envelope return address used for bounces) and often Reply-To (where replies should go if different from the sender). Authentication fields such as DKIM-Signature and Authentication-Results may also appear.

What is the Received header?

The Received header is a trace field that each mail server adds when it handles a message, recording which server it came from, which server received it, and a timestamp. Because every relay prepends its own Received line to the top, the lines stack in reverse chronological order: the bottom Received is the origin and the top Received is the last hop before your inbox. Reading the chain reconstructs the full path the email took.

What is the difference between the envelope and the email header?

The envelope is the information mail servers exchange during delivery, including the envelope sender (which becomes the Return-Path) and the envelope recipient, and it is what actually controls routing. The header is the From, To, Subject and other fields stored inside the message and shown to the reader. They can differ, which is why the From address you see can be set independently of the real sending address.

Can email headers be faked or spoofed?

Yes. Sender-supplied fields such as From and Reply-To can be forged, which is why a spoofed email can appear to come from someone it did not. Received lines added by trusted receiving servers are harder to fake than sender-set fields, but lines claimed by untrusted upstream servers can also be fabricated. This is exactly why SPF, DKIM and DMARC exist: they give receivers verifiable signals to detect when the claimed sender does not match the authenticated origin.

Last updated: April 2026