--- title: "Email Header Analysis: Let’s Know an Email’s Anatomy | AutoSPF" description: "You receive much more than a message and attachments in an email; we are talking about bits of information retrieved during an email header analysis." image: "https://autospf.com/og/blog/email-header-analysis-lets-know-an-emails-anatomy.png" canonical: "https://autospf.com/blog/email-header-analysis-lets-know-an-emails-anatomy/" --- Quick Answer You receive much more than a message and attachments in an email; we are talking about bits of information retrieved during an email header analysis. An email header is metadata that is automatically attached to every email to help determine the allocation of a message in the inbox. Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Femail-header-analysis-lets-know-an-emails-anatomy%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Email%20Header%20Analysis%3A%20Let%E2%80%99s%20Know%20an%20Email%E2%80%99s%20Anatomy&url=https%3A%2F%2Fautospf.com%2Fblog%2Femail-header-analysis-lets-know-an-emails-anatomy%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Femail-header-analysis-lets-know-an-emails-anatomy%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Femail-header-analysis-lets-know-an-emails-anatomy%2F&title=Email%20Header%20Analysis%3A%20Let%E2%80%99s%20Know%20an%20Email%E2%80%99s%20Anatomy "Share on Reddit") [ ](mailto:?subject=Email%20Header%20Analysis%3A%20Let%E2%80%99s%20Know%20an%20Email%E2%80%99s%20Anatomy&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Femail-header-analysis-lets-know-an-emails-anatomy%2F "Share via Email") ![email scams](https://media.mailhop.org/autospf/images/2023/12/what-is-phishing-2310.jpg) You receive much more than a message and attachments in an email; we are talking about bits of information retrieved during an [email header analysis](https://mxtoolbox.com/EmailHeaders.aspx). An email header is metadata that is automatically attached to every email to help determine the allocation of a message in the inbox. _The general details in the email header include sender information, subject line, date and time of the email, and your email address_. However, if you open up the email header box, you will come across more hidden details that help users and cybersecurity personnel and tools to analyze if a mail is safe or potentially fraudulent. With [disadvantaged teenagers](https://www.independent.co.uk/news/uk/politics/university-college-london-teenagers-data-more-schools-b2403055.html) becoming more likely to become targets of [email scams](https://www.mirror.co.uk/tech/gmail-yahoo-courier-scam-email-31704735), the need to learn a diligent email header analysis to differentiate between genuine and scam-y emails is paramount. ## What Does an Email Header Include? Before we learn the process of email header analysis, let’s see what information the fundamental components of an email header impart- ### Authentication Check It shows the status of [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/), DKIM, and DMARC- the three pillars of [email authentication](/spf-too-many-dns-lookups/spf-lookup/) for protection against [email spoofing](https://cybernews.com/secure-email-providers/email-spoofing/) and phishing. When a message passes authentication checks conducted by all three protocols, the email provider validates the sender’s IP address. ### Return Path It indicates the [bounce-back address](https://en.wikipedia.org/wiki/Bounce%5Faddress#:~:text=A%20bounce%20address%20is%20an,%2C%20Errors%2Dto%2C%20etc.) for undelivered emails and enables the identification of the true sender. Please note that the return path can also be the same as the sender’s address. Generally, companies receiving a high number of bounces keep a separate email for the return path address so that they have data to analyze and base their strategies on. ![email authentication](https://media.mailhop.org/autospf/images/2023/12/spf-record-syntax-6734.jpg) ### Received From You come across the SMTP stream or the path traveled by an email right from its inception till it reaches its destination, which is the desired recipient’s inbox. The email header analysis of messages traversing through multiple intermediaries or SMTP hop is likely to reflect several touchpoints. This chunk of information supports tracing the [email’s route](https://www.cloudflare.com/learning/email-security/what-is-email-routing/#:~:text=Email%20routing%20is%20the%20process,the%20recipient's%20address%20or%20department.) and identifying potential issues. ### From, To, Cc, Bcc - ‘From’ indicates the sender’s information, such as the email address. - ‘To’ reflects the primary and secondary recipient’s email addresses, also called [CC and BCC](https://www.spikenow.com/blog/tips-tricks/the-difference-between-bcc-and-cc-in-email/). These details are important for confirming the legitimacy of the sender. ### Subject Indicates the email’s subject, providing context to the recipient. ### Date Displays the date and time of the email’s origination. ### Message ID _It’s a unique identifier for the email, which aids in tracking and preventing duplicate messages._ ### Transport Layer Security (TLS) [Transport Layer Security (TLS)](https://www.internetsociety.org/deploy360/tls/basics/) encrypts message content for [email security](/) by blocking eavesdropping attempts between mail servers. This keeps emails private while moving between email service providers. _Gmail offers TLS in the header by default_. The absence of TLS is indicated by a red unlocked icon next to the sender’s address. ### Authenticated Received Chain (ARC) In the email header, the ARC adds a digital signature that verifies the authenticity of previous server authentication results. This helps prevent [manipulation of email content](https://thehackernews.com/2017/08/change-email-content.html) and enhances the accuracy of spam and phishing detection systems. Essentially, ARC provides a trusted chain of custody for an email, allowing recipient servers to validate the legitimacy of the email’s path from sender to recipient. ### Content-Type This part entails the media type in email content and sets multipart or alternatives, which reflect the fallback version. ### MIME-Version MIME stands for [Multipurpose Internet Mail Extensions](https://www.techtarget.com/whatis/definition/MIME-Multi-Purpose-Internet-Mail-Extensions), which supports email attachments like images, videos, MP3 files, etc. ## Locating Email Header in Gmail, Yahoo, Apple Mail, Microsoft Outlook, and Thunderbird Locating the email header varies across different email clients, as each has its own interface and settings. Here are instructions for finding email headers in some commonly used email clients. ### Gmail - Open the email. - Click on the three dots in the upper-right corner. - Choose “Show original” from the drop-down menu. This opens a new tab with the full email header information. ### Yahoo - Open the email. - Look for the “More” dropdown option above the email and select “View Full Header.” This opens a new window with the complete email header. ### Apple Mail - Open the email in Apple Mail. - Click on ‘’View” in the menu bar and select “Message” > “All Headers.” This will display the full header information. ### Microsoft Outlook - Double-click the email to open it. In the ribbon at the top. - Go to the “File” tab, click on “Properties,” and look for “Internet Headers.” This displays the email header. ### Thunderbird - Open the message. - Right-click on the email, choose “View Source,” and a new window displaying the email header information will open. Please note the steps may vary a little depending on the specific version of the email client you are using. _Upon facing trouble, check the official help documentation for your specific email client._ ## Why Email Header Analysis is Important? Email header analysis emerges as a crucial tool in the realm of cybersecurity, providing insights into the origins and paths of emails. ![Email header analysis](https://media.mailhop.org/autospf/images/2023/12/how-to-create-spf-record-3.jpg) It helps in the implementation, management, and reporting of SPF, [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/), and [DMARC](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/), which ensures only messages sent from authorized senders land in the inboxes of recipients. Moreover, the practice of examining the “Received” headers helps detect discrepancies or anomalies that may indicate [spoofing attempts](https://www.helpnetsecurity.com/2023/07/14/microsoft-spoofing-attempts/). ## To Conclude Investing in cybersecurity tools and [training your employees](https://www.nationwide.com/business/solutions-center/cybersecurity/train-employees) is substantial to achieve the highest standards of security on the web. It’s important for companies to encourage collaboration between IT teams, security experts, and end-users to share insights and knowledge about [emerging threats](https://www.vadesecure.com/en/blog/2024-email-security-predictions). Moreover, these actionable detailed insights help you see if and why is your email delivery impacted, prompting you to shed off bad practices and embrace good ones. After all, prevention is better than cure! ## Topics [ email security ](/tags/email-security/) ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 6m 10 Reasons Why DIY-ing SPF isn’t a Good Choice for Companies Apr 4, 2024 ](/blog/10-reasons-diy-ing-spf-isnt-good-choice-for-companies/)[ Intermediate 5m The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors! Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 3m 5 key contributors to the development of the Sender Policy Framework Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Email Header Analysis: Let’s Know an Email’s Anatomy","description":"You receive much more than a message and attachments in an email; we are talking about bits of information retrieved during an email header analysis.","url":"https://autospf.com/blog/email-header-analysis-lets-know-an-emails-anatomy/","datePublished":"2023-12-20T14:50:37.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2023-12-20T14:50:37.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/email-header-analysis-lets-know-an-emails-anatomy/"},"articleSection":"intermediate","keywords":"email security","wordCount":1008,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2023/12/what-is-phishing-2310.jpg","caption":"email scams","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Email Header Analysis: Let’s Know an Email’s Anatomy","item":"https://autospf.com/blog/email-header-analysis-lets-know-an-emails-anatomy/"}]} ```