How to Determine the Origin of an Email Message

Summary

When an email cannot be sent or delivered (often resulting in a bounce error being returned to the sender), it may be necessary to check the message's email headers to determine what caused the failure.

What is an Email Header?

Email headers are included in every email and provide detailed information about the journey an email has taken.  Details will include basic information like the recipient, time and sender, but also include exhaustive information on every server the message passed through on its way from the sender to the recipient.  Email headers often contain extra details about why an email may have failed to be delivered successfully or why it was rated as spam.

How do I find an Email Header?

The process for finding an email header will vary from email client to email client. Here are some common ways to find headers.  If you are using an email client not described below, we recommend doing a quick internet search for "how do I view headers in [name of your email client]" to find exact steps. 

  1. EarthLink WebMail - Open the message, click the More Actions dropdown and select View Headers.
  2. Outlook 365 - 
    1. Windows - Double-click the message to open it in its own window, click File, then click Properties. The headers are displayed in the Internet Headers box at the bottom of the window.
    2. Mac - Right click, or Control Click, the message in your inbox and then select View Source.
  3. Thunderbird - Select the message, click the More button on the top right and select View Source.
  4. Mac Mail - Select the message, click on the View menu, go down to Message, and choose All Headers. 

How do I use headers to determine why my email was returned to me and not delivered?

This is a very specific scenario often referred to as a "bounced email" and happens when the recipient's email provider rejects your email for some reason.  Occasionally, this can also happen if your own email provider was unable to deliver your email for reasons outside of their control. Bounces are unique in that you often do not need to look at the full headers from the original email.  Bounces almost always contain a shortened preview of the relevant reason your message could not be delivered.  This is usually found right in the body of the message and will look similar to the following, though the specific reason given may vary.

  Remote server returned '550 5.5.1 Recipient rejected - ELNK001_403 - https://postmaster-earthlink.vadesecure.com/inbound_error_codes/#_403'

The first part, 550 5.5.1, is a technical reason for why the email was rejected and is based on a set of RFC rules for handling email that all mail providers follow. However, most mail providers are kind enough to provide a more direct reason, in this case Recipient Rejected, to explain why the email was returned.  Here are some common reasons for email being bounced back to a sender.
  1. Recipient Rejected, Address Rejected, Inactive Mailbox, or Recipient does not exist - These all mean the email address no longer exists or is not active and cannot receive email at this time.  This is not an issue EarthLink can resolve as the error is coming from the recipient's provider. 
  2. Recipient's Mailbox is Full - The recipient does not have enough storage space left to accept your email. The recipient will need to delete some email off the server to make more room for new emails. 
  3. Message size exceeded, File size too large - The email you are sending is bigger than the recipient's mail provider will allow.  This often happens if you have attached photos or video.  Create a new email and send fewer or smaller attachments.  Maximum file size may vary by email provider, but it is a good rule to keep total attachment sizes under 20MB.
  4. Email server is temporarily unavailable - The server may be experiencing issues or be under maintenance. Try resending your email at a later time.
  5. Blocked Email Address - Your email may be blocked by the recipient or blocked by the recipient's mail provider.  
  6. Rejected by spam filters - Something about the email sent triggered a spam rating by the recipient's mail provider.  Review your email content and make sure it does not include links to questionable sites, solicit money, or forward chain emails.
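
The following Python sketch is an added example, not EarthLink's code. It splits the bounce line shown above into its parts and reports whether resending can help. It assumes the numbers follow RFC 5321 reply codes and RFC 3463 enhanced status codes (the page only says "a set of RFC rules"); the names parse_bounce, BOUNCE and SUBJECTS are illustrative.

```python
import re

# The bounce line quoted on this page.
BOUNCE_SAMPLE = ("Remote server returned '550 5.5.1 Recipient rejected - ELNK001_403 - "
                 "https://postmaster-earthlink.vadesecure.com/inbound_error_codes/#_403'")

BOUNCE = re.compile(
    r"\b(?P<reply>[245]\d\d)[ -]"                  # three-digit SMTP reply code
    r"(?:(?P<enh>[245]\.\d{1,3}\.\d{1,3})\s+)?"    # optional class.subject.detail code
    r"(?P<text>[^'\r\n]*)")                        # provider's human-readable reason

# Middle number of the enhanced code: which part of delivery failed (RFC 3463).
SUBJECTS = {0: "other or undefined", 1: "addressing", 2: "mailbox",
            3: "mail system", 4: "network and routing",
            5: "mail delivery protocol", 6: "message content",
            7: "security or policy"}

def parse_bounce(line):
    """Return the parts of a bounce reason, or None if no reply code is found."""
    m = BOUNCE.search(line)
    if not m:
        return None
    reply = int(m["reply"])
    result = {
        "reply": reply,
        "enhanced": m["enh"],
        "text": m["text"].strip(),
        "permanent": reply >= 500,        # 5xx: resending unchanged will fail again
        "retry": 400 <= reply < 500,      # 4xx: temporary, try again later
        "subject": None,
        "consistent": None,
    }
    if m["enh"]:
        cls, subject, _detail = m["enh"].split(".")
        result["subject"] = SUBJECTS.get(int(subject), "unknown")
        # The enhanced class should match the first digit of the reply code.
        result["consistent"] = cls == str(reply)[0]
    return result
```
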





To determine the origin of the email message, use the extended email headers to locate the IP address of the sender's mail server. Keep in mind that the header is always in reverse order when read from top to bottom: the first mail server listed is the last one the mail went through on its way to you. The further down you read, the further back you trace where the message came from.

Note that if you see multiple Received: from sections in the message header, use the last one in the sequence.

EarthLink abuse can only investigate spam or junk mail that originated from our network. If you are unsure where the spam message originated, please use the following document to determine the ISP or company from where the message originated.

How Can I Determine the Origin of an Email Message

Sample extended email message header

  1. Return-Path: mailbox@mindspring.com
  2. Received: from mailmule0.mindspring.com (mailmule0.mindspring.com [204.180.128.191]) by mailgrunt1.mindspring.com (8.7.4/8.7.3) with ESMTP id TAA09377 for ; Mon, 24 Feb 1997 19:30:43 -0500 (EST)
  3. Received: from LOCALNAME (user-37kb512.dialup.mindspring.com [207.69.148.34]) by mailmule0.mindspring.com (8.8.4/8.8.4) with SMTP id TAA00875; Mon, 24 Feb 1997 19:30:34 -0500 (EST)
     Date: Mon, 24 Feb 1997 19:30:34 -0500 (EST)
  4. Message-Id: 1.5.4.16.19970224193529.22e79a46@pop.mindspring.com
  5. X-Sender: mailbox@pop.mindspring.com
     X-Mailer: Windows Eudora Light Version 1.5.4 (16)
  6. Organization: MindSpring Enterprises
     Mime-Version: 1.0
     Content-Type: text/plain; charset="us-ascii"
  7. To: MindSpring Technical Support Desk
     From: mailbox@mindspring.com
     Subject: Reading Mail Headers
     Cc: mailbox@mindspring.com

Determine IP address of Sender's Mail Server

In the sample header above, the third entry contains the IP address of the sender's email server.

Received: from LOCALNAME (user-37kb512.dialup.mindspring.com [207.69.148.34])

The IP address of the sender's mail server is 207.69.148.34.
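
The same lookup can be scripted. The Python below is an added example, not part of the original article: it reads every Received: line from a raw message, returns the address in the last one as described above, and also reports where the chain of "by" and "from" names does not line up. The sample is adapted from the header on this page; the function names and the HOP pattern are illustrative and assume Received lines written in the same form as the sample.

```python
import email
import ipaddress
import re

# Sample adapted from this page's header (folded as on the wire; "for" clause omitted).
SAMPLE = """\
Return-Path: mailbox@mindspring.com
Received: from mailmule0.mindspring.com (mailmule0.mindspring.com [204.180.128.191])
\tby mailgrunt1.mindspring.com (8.7.4/8.7.3) with ESMTP id TAA09377;
\tMon, 24 Feb 1997 19:30:43 -0500 (EST)
Received: from LOCALNAME (user-37kb512.dialup.mindspring.com [207.69.148.34])
\tby mailmule0.mindspring.com (8.8.4/8.8.4) with SMTP id TAA00875;
\tMon, 24 Feb 1997 19:30:34 -0500 (EST)
From: mailbox@mindspring.com
Subject: Reading Mail Headers

body
"""

# "from <name> (<reverse-dns> [<ip>]) ... by <host>" as written in the sample.
HOP = re.compile(r"from\s+(?P<name>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\).*?\bby\s+(?P<by>[^\s;]+)", re.S)

def received_hops(raw):
    """Hops in header order: index 0 is the server nearest the recipient."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        hop = {"name": None, "rdns": None, "ip": None, "by": None}
        m = HOP.search(value)
        if m:
            hop.update(m.groupdict())
            try:
                hop["ip"] = ipaddress.ip_address(m["ip"])
            except ValueError:
                hop["ip"] = None  # bracketed text was not a valid address
        hops.append(hop)
    return hops

def origin_ip(raw):
    """Address in the last Received line, i.e. the earliest recorded hop."""
    hops = received_hops(raw)
    return hops[-1]["ip"] if hops else None

def chain_breaks(hops):
    """Indexes of hops whose 'by' host differs from the 'from' name one line up.
    A hint only: lines below the first server you trust are sender-controlled."""
    return [i for i in range(1, len(hops))
            if hops[i]["by"] and hops[i - 1]["name"]
            and hops[i]["by"].lower() != hops[i - 1]["name"].lower()]
```
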

Using Whois Site to Determine Owner of IP Address

You will now need to go to a Web site that will identify who owns the IP address. One such site is

http://whois.arin.net/ui

There are other sites that provide information on IP addresses. Use the site that you are most comfortable with.

You will see a field to enter the IP address. Either copy and paste or manually enter the IP address and press the Submit button. A search for the IP address 207.69.148.34 yields the following information:

Search results for: 207.69.148.34

OrgName: EarthLink, Inc.
OrgID: ERMS
Address: 1439 PEACHTREE ST NE
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US

Where to Report the Junk or Spam Mail Message

If the message is not from an EarthLink customer, you will need to notify the domain's support department of the email. This will require a small amount of detective work. You will need to find the support email address of the ISP responsible for the IP address. First, use whois to get IP information on the original IP address that sent the spam email. Then try finding the Web site of the company or ISP based on the whois information. Search for the Web site or ISP's contact information - most companies will use either support@domain or abuse@domain formats. You will need to forward the original email including the full or extended headers. You should also include a note stating that you received this from one of their customers and that they need to take the appropriate action.

