Book a free consultation
Layer 1 · Foundation (DNS)

How to read an email header

Every email carries a complete log of its journey from sender to recipient, hidden in its headers. Learning to read this log is the fastest way to diagnose a deliverability problem — it tells you exactly what happened at each hop and whether authentication passed.

How to access email headers

The method depends on the email client:

  • Gmail — open the message, click the three-dot menu in the top right, select "Show original"
  • Outlook — open the message, go to File > Properties, the headers are in the "Internet headers" box
  • Apple Mail — View menu > Message > All Headers

The "Show original" view in Gmail is particularly useful because it also shows a parsed summary of authentication results at the top.

Reading the Received headers: the journey log

The most important headers for tracing a message are the Received: headers. Each mail server that handles the message adds one. They are listed in reverse chronological order — the bottom-most one is where the message started, the top one is where it arrived.

Read Received headers from bottom to top to follow the message's journey in chronological order. The topmost Received header was added by the final receiving server — the one that put the message in your inbox.

Each Received header typically shows: the IP address of the sending server, the hostname, the receiving server's hostname, and a timestamp. Gaps in the timestamps can reveal delays at specific hops.

Authentication result headers

Authentication-Results

This header, added by the receiving server, summarises the results of SPF, DKIM, and DMARC checks:

Authentication-Results: mx.google.com;
  dkim=pass header.i=@example.com header.s=default;
  spf=pass (google.com: domain of sender@example.com designates 1.2.3.4 as permitted sender) smtp.mailfrom=sender@example.com;
  dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

What to look for:

  • dkim=pass or dkim=fail — did the message carry a valid DKIM signature?
  • spf=pass or spf=fail — was the sending IP authorised by the domain's SPF record?
  • dmarc=pass or dmarc=fail — did SPF or DKIM pass with proper alignment to the From domain?

X-Spam-Status and X-Spam-Score

Many receiving systems add headers showing whether the message was flagged as spam and what score it received. A high spam score does not always mean the message went to spam (it depends on the threshold), but it tells you how suspicious the receiving system considered the message.

The From, Reply-To, and Return-Path headers

Three headers describe the "from" identity, and they are different:

  • From: — the address displayed to the recipient. This is what SPF and DKIM need to align to for DMARC to pass.
  • Reply-To: — where replies go, if different from From. Legitimate use is for mailing lists; sometimes used in phishing to redirect replies to an attacker's address.
  • Return-Path: (also called the envelope from) — where bounce messages go. This is what SPF checks, not the From header. A mismatch between Return-Path domain and From domain is normal for many ESP setups, but can affect SPF alignment for DMARC.

Using headers to diagnose common problems

Message delayed or not delivered

Look at the timestamps on each Received header. A large gap between two consecutive hops indicates a delay at that server — it accepted the message but queued it before passing it on. This is usually a temporary issue at the receiving server.

Authentication failing

If dkim=fail, the DKIM signature was not valid — either the message was modified in transit (legitimate forwarding can do this), the wrong DKIM key is being used, or the signature was malformed. If spf=fail, the sending IP is not in the SPF record for the Return-Path domain — check that your sending source is properly authorised.

Message going to spam despite good authentication

If all three authentication checks pass but mail is still in spam, the issue is reputation. The authentication headers will show pass for all three, but the X-Spam headers will show a high score or explicit spam classification. This means your domain or IP reputation is the problem, not your authentication.

Google's message analysis tool

Google provides a header analysis tool at Google Apps Toolbox — Messageheader. Paste in the full headers and it will visualise the timing between hops and flag any issues it finds. Useful for quick analysis without reading raw headers.

Free 30-minute consultation

Still stuck? Talk to a specialist.

If the guides aren't enough, book a free 30-minute call. We'll look at your setup, name the layer that's failing, and give you the fix order. No pitch, no obligation.

Book a free consultation