How to read email headers and identify Spam


Nobody likes or wants SPAM. And yet our inboxes are full of it.


It is not only plain intrusive, it also puts our online identity at risk. Phishing attacks have only been on the rise ever since they came into existence.

It’s not easy to detect phishing emails

While some of the emails we receive are obvious spam, most of them are not very easy to recognise just by seeing the content or the sender.

But there’s a way..

Here comes the advanced debugging of email, commonly known as analysing the email headers. Let’s understand what email headers are and how they can help in detecting fraudulent emails.

Generally, only basic information is displayed in the normal email header view. Some examples of the normal email header in different mail clients:


[Screenshot: email header in Gmail]

[Screenshot: email header in Thunderbird]

As you notice, most email readers only show the From: and To: headers, which can be easily forged. The complete message headers will look something like this:

Received: by with SMTP id z54csp461727qtz;
       Sun, 8 Jan 2017 04:33:03 -0800 (PST)
X-Received: by with SMTP id g17mr82034336qke.122.1483878783846;
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Return-Path: <>
Received: from ( [])
       by with ESMTPS id 94si44473076qtb.140.2017.
       for <>
       (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
      spf=pass ( domain of designates as permitted sender)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost;;h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;
Received: by id he8oo0229vgh; Sun, 8 Jan 2017 18:03:04 +0530 (envelope-from <>)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost;;h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;bh=ChnX1bsU13QtrayAVkclQsY4c0s=;b=Ziuit9vOzeeAanLi0/
Message-ID: <>
From: "Confirmation - Thrifty-Deals" <>
Subject: Confirm your newsletter subscription
Content-Type: text/plain
List-Unsubscribe: <>
X-InjTime: 1483878784
X-FNCID: 22228-14838138016706353-0
X-TransMail: 1
Date: Sun, 8 Jan 2017 18:03:04 +0530
We have received your request to receive the Thrifty-Deals newsletter. Please click below now to complete the process:
Thank you!
Season Publishing House
Newport News, VA 23606

The complete email header would provide much more information on the origin of a message and is a useful tool for tracking and stopping SPAM and virus-laden email.

Whenever you open an email to read, you’ll also find options like View Source, View Message Header or Show Original. Here is the guide for you to view the complete email headers on different email clients or webmail providers.

Understanding the different elements of email headers


The header lines that begin with Received: provide a trace of the email from its origin to your mail server. They show the origin along with the list of servers which processed this email before reaching your mailbox. The ‘Received:’ parameter of your email gives you many valuable clues to identify the legitimacy of the source.

How to analyse the Received parameter in the mail headers

Each mail server which handles an email message adds a Received: header set to the front of the message; the first set is therefore added by your mail server.

The first Received header shows that the email actually originated from a server with IP address

Received: by with SMTP id z54csp461727qtz;
       Sun, 8 Jan 2017 04:33:03 -0800 (PST)

In the above example, the header shows the email is actually received From: “Confirmation – Thrifty-Deals” <> but the Received: parameter is showing from [].

Received: from ( [])
       by with ESMTPS id 94si44473076qtb.140.2017.
       for <>
       (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)

Now, this seems suspicious. Unless belongs to the same owner who owns or the owner of has given rights to to send emails on their behalf.
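The Received: walk described above can be scripted. This is an added example, not code from the original post: the message, host names and function names are constructed for illustration, and the IP address comes from a documentation range. It returns the relay path oldest first and picks out the one hop written by your own server, since lines below it were added by hosts you do not control.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: hypothetical host names, documentation-range IP address.
RAW = """\
Received: by mx.recipient.example with SMTP id abc123;
       Sun, 8 Jan 2017 04:33:03 -0800 (PST)
Received: from out1.esp.example (out1.esp.example [192.0.2.55])
       by mx.recipient.example with ESMTPS id def456
       for <user@recipient.example>;
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Received: by out1.esp.example id ghi789; Sun, 8 Jan 2017 18:03:04 +0530
From: "Confirmation" <news@shop.example>
Subject: Confirm your newsletter subscription

Please confirm.
"""

def parse_hop(value):
    """Split one Received: value into its from / [ip] / by / timestamp parts."""
    text = " ".join(value.split())                 # unfold continuation lines
    clauses, _, stamp = text.rpartition(";")       # the date follows the last ';'
    def find(pattern):
        match = re.search(pattern, clauses)
        return match.group(1) if match else None
    return {
        "from": find(r"(?:^|\s)from (\S+)"),       # name the peer claimed
        "ip": find(r"\[([0-9A-Fa-f.:]+)\]"),       # address the receiver saw
        "by": find(r"(?:^|\s)by (\S+)"),           # server that wrote the line
        "time": parsedate_to_datetime(stamp.strip()),
    }

def relay_path(raw):
    """Hops oldest first; headers are stored newest first (each is prepended)."""
    received = message_from_string(raw).get_all("Received", [])
    return [parse_hop(value) for value in reversed(received)]

def trusted_handoff(raw, own_servers):
    """Newest hop in which one of our own servers recorded the peer's IP."""
    for hop in reversed(relay_path(raw)):
        if hop["by"] in own_servers and hop["ip"]:
            return hop
    return None

def from_domain(raw):
    """Domain of the displayed From: address (the part that is easy to forge)."""
    return parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
```

The IP returned by `trusted_handoff` is the one to compare against the SPF record of the sending domain.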

Let’s check the SPF record of This you can easily do on or simply type ~ dig TXT on your header - spf

As per the SPF record, has granted rights to for sending emails on their behalf.

So, now let’s try to validate whether the actual sending IP address [] belongs to or not. If that validates, then we are safe to say that email is not spam.

So, let’s check the SPF record of

[Screenshot: SPF record lookup]

Also, the SPF of

[Screenshot: SPF record lookup]

Cool, in both of the above we got the same reference of IP address, which is 103.52.181.x here. So, this shows that has allowed 103.52.181.x to send emails on their behalf.

So, the conclusion of this analysis is that

  • the user has received an email from via 103.52.181.x IP address which is owned by
  • seasonsms’s SPF shows that they have allowed to send emails on their behalf.

Hence, this is a legitimate email and not a forged one.
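The manual SPF lookup above, where one domain's record delegates to a third-party sender whose own record lists the IP range, can be expressed as a small evaluator. This is an added example, not code from the original post: the domains and records are constructed, the addresses are documentation ranges, and only the ip4/ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (hypothetical domains,
# documentation-range addresses). A live check would fetch them with dig TXT.
SPF_RECORDS = {
    "shop.example": "v=spf1 include:esp.example ~all",
    "esp.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Result for client_ip under domain's SPF record (ip4/ip6, include, all)."""
    if depth > 10:      # simplified loop guard; RFC 7208 limits lookups to 10
        return "permerror"
    record = records.get(domain, "")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0])
        mechanism = term[1:] if result else term
        result = result or "pass"                  # no qualifier means '+'
        name, _, arg = mechanism.partition(":")
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            inner = check_spf(arg, client_ip, records, depth + 1)
            if inner == "pass":                    # only a pass counts as a match
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return result
        # a, mx, exists, ptr and modifiers such as redirect= are not modelled
    return "neutral"
```

An address outside the delegated range falls through to the outer record's own `all` term, which is why the qualifier on that last term matters.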

Received-SPF and DKIM-Signature

In the above example there are two more important parameters, Received-SPF and DKIM-Signature. Not every sender adds these, but most of the good/big senders have now made it a practice to add SPF and DKIM. These parameters help in identifying the authenticity of the email.

The header parameter in Received-SPF is showing as pass. This means the domain has allowed the IP address to send emails on their behalf.

This conforms to the analysis which we did earlier.

Received-SPF: pass ( domain of designates as permitted sender) client-ip=;

The next header parameter Authentication-Results: is showing dkim=pass. This means the long public key mentioned in the parameter DKIM-Signature: matches with its associated private key stored on the actual sending server.

      spf=pass ( domain of designates as permitted sender)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost;;

Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
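Reading the spf= and dkim= verdicts can also be scripted. This is an added example, not code from the original post: the message, host names and function names are constructed, and it only accepts Authentication-Results: headers whose leading server name is your own receiving server, because any other copy of that header was written by a host you do not control.

```python
import re
from email import message_from_string

# Constructed message; host names are hypothetical, the IP is a documentation address.
RAW = """\
Authentication-Results: mx.recipient.example;
       dkim=pass header.i=@shop.example header.s=pepipost;
       spf=pass (mx.recipient.example: domain of bounce@esp.example designates
       192.0.2.55 as permitted sender) smtp.mailfrom=bounce@esp.example
Authentication-Results: relay.unknown.example; dkim=pass; spf=pass
From: "Confirmation" <news@shop.example>
Subject: Confirm your newsletter subscription

Please confirm.
"""

def strip_comments(value):
    """Remove RFC 5322 (comments), innermost first so nesting is handled."""
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def auth_verdicts(raw, own_authserv_id):
    """Map method -> [(result, properties)] from headers our own server added."""
    verdicts = {}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, *clauses = [c.strip() for c in strip_comments(header).split(";")]
        if authserv.split()[:1] != [own_authserv_id]:
            continue        # written by another host, so the sender could have set it
        for clause in clauses:
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            verdicts.setdefault(method.lower(), []).append((result.lower(), props))
    return verdicts

def missing_passes(verdicts, required=("spf", "dkim")):
    """Methods that have no 'pass' verdict at all (absent counts as missing)."""
    return [m for m in required
            if not any(result == "pass" for result, _ in verdicts.get(m, []))]
```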

In the above case the email was sent using a third party SMTP service, Pepipost. But if the email was sent using the sender's own in-house infrastructure, then the owner of the sender domain and the owner of the sending IP address should ideally be the same (unless on a shared infrastructure).

A number of tools are available for verifying the ownership of a domain/IP address. The authoritative reference for IP addresses is the American Registry for Internet Numbers. Using ARIN’s “Search WHOIS” tool, you can find the identification of the IP address owner.

If nothing works out and you still doubt the legitimacy of an email, then simply send a message to “abuse@organization” with a copy of the complete email header (Here is the above example: it will be Most of the webmasters validate and reply to queries received on abuse.


List-Unsubscribe is another important parameter in the email header.


If the user wants to unsubscribe from an email, they simply send an email to this long email address, and the user will get unsubscribed.

The List-Unsubscribe header is an optional piece of text. It works in conjunction with options that the email client provides for unsubscribing and spam complaints.

[Screenshot: unsubscribe option shown by the email client]

Example: In case of Gmail you will see an option to unsubscribe from this sender. When a user clicks on this link, the email client sends an email to the email address defined in the List-Unsubscribe header parameter.

All email headers prefixed with “X-” are actually not standard headers. They are added by the sending server for its internal tracking and reporting purposes. Hence, these can simply be ignored for any analysis. Examples of these headers in the above example are: X-Abuse-Reports-To, X-InjTime, X-FNCID, X-TransMail, X-SG-EID.

Historically, designers and implementers of application protocols have often distinguished between standardized and unstandardized parameters by prefixing the names of unstandardized parameters with the string “X-” or similar constructs. In practice, that convention causes more problems than it solves. Hence it was later deprecated by the IETF community.


We at Pepipost take spam seriously. We are working hard to rebuild and reconstruct the email ecosystem. Let’s together make it spam free. Start analysing your emails and mark unwanted suspicious emails as Spam and stay safe from Phishing.
