This is an advanced article about Email Headers. This article is not designed to provide all information about headers, but should help you better understand how Email Headers are used and what the various sections mean.
Email headers are included with all emails and provide details outlining how a message was delivered. Called “metadata”, headers include details about the sender, timestamps, servers, spam ratings and various other points of data collected as email moves from the sender to the recipient. Headers can be extremely valuable when troubleshooting problems where an email was sent but failed to arrive or was rejected for some technical reason.
Email Headers are generally hidden in most email programs, though you often see a shortened version of the headers when you see the Sender, Recipient, Time Stamp and Subject lines at the top of an email. This information is all pulled from the headers of the message.
Headers can be long, but very useful. Here is an example of a header sent from a Gmail address to an EarthLink address. Please note, Headers will show the actual sending and receiving email addresses, but for privacy purposes those have been changed to "redacted" for this article.
Received: from noehlo.host ([10.149.109.244])
by mdl-prod6.sys.elnk.net (EarthLink SMTP Server) with SMTP id 1UUecu2Xpc12Mc0; Thu, 4 Sep 2025 13:56:46 -0400 (EDT)
Received: from nmtai103.earthlink-vadesecure.net ([51.81.61.70])
by mx-a-prod7 (EarthLink SMTP Server) with SMTP id 1UUecu6BW6c12Oo0
Authentication-Results: earthlink-vadesecure.net;
iprev=pass policy.iprev=209.85.208.172;
dkim=none (message not signed);
dmarc=pass action=none header.from=gmail.com;
arc=none;
Received-DKIM: pass
Received-SPF: pass
X-VadeSecure-Originating-IP: 209.85.208.172
X-VadeSecure-Malware: Clean
X-VadeSecure-Verdict: clean
X-VadeSecure-Status: clean
X-VadeSecure-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggdeiieeiucetufdote
ggodetrfdotffvucfrrhhofhhilhgvmecugfettffvjffnkffpmfdpggftfghnshhusghstghrihg
svgenuceurghilhhouhhtmecufedtudenucenucfjughrpegghfffkffuvfgtsegrtderredttdej
necuhfhrohhmpeflrghmvghsuceuuhhrnhhsuceoihhsohhmvghtihhmvghsghgvthgvmhgrihhls
ehgmhgrihhlrdgtohhmqeenucggtffrrghtthgvrhhnpeeffeevffdtffeftefhgfehudeiheefke
euvdelffdukeejleelleegheetgfehleenucfkphepvddtledrkeehrddvtdekrddujedvnecuveh
luhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepvddtledrkeehrddvtdekrddujedv
pdhhvghlohepmhgrihhlqdhljhduqdhfudejvddrghhoohhglhgvrdgtohhmpdhmrghilhhfrhhom
hepihhsohhmvghtihhmvghsghgvthgvmhgrihhlsehgmhgrihhlrdgtohhmpdhgvghtqdfurghfvg
gfnhhsuhgsshgtrhhisggvpdhgvghokffrpehushdpshhpfhepphgrshhspdgukhhimhepphgrshh
spdgumhgrrhgtpehprghsshdpshhpfhgphhgvlhhopehnohhnvgdprhgvvhfkrfepmhgrihhlqdhl
jhduqdhfudejvddrghhoohhglhgvrdgtohhmrddpnhgspghrtghpthhtohepuddprhgtphhtthhop
ehighgvthhmhihmrghilhesvggrrhhthhhlihhnkhdrnhgvth
X-VadeSecure-Score: 0
X-VadeSecure-SID: 5a481ece-1862260366c36fa2
Received: from mail-lj1-f172.google.com ([209.85.208.172])
by vsel1nmtai03p.internal.vadesecure.com with ngmta
id 5a481ece-18622604b519e53b; Thu, 04 Sep 2025 17:56:46 +0000
Received: by mail-lj1-f172.google.com with SMTP id 38308e7fff4ca-336af63565dso11184931fa.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1757008605; x=1757613405; darn=earthlink.net;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;
bh=zTP9IqGAg7iGjOlSqNLFyWZKhqQc/WA7A7dVWMjXJso=;
b=NN7fkMviI+IZhRrnUIKiDhrIJwqfvKzRQI9B79oPgf3NarkOeWZiUdPCpNPTOf1quI
EG1wPF6C36WGORk2twuBLudLoEVL+MV57Af9dqkF474+8tDmBr3tIAgYdnNzOUycIiB3
aEZrjsyJPii/89SBz/xFarpsAM+gStCAHMqCCK7UfgZOQzBx4/ssF7QV92TTkXjxuPmA
otCWS4vJbXJiE+qLLqc0Zya67M9EXKzC6lHc4cCyW7l4fXdDCT79HDcjTe4mbiMSBpn6
fqU99z2MxDoIehFw78sC+Ty+vg39PWWg3aP/hUqLl++1SOpkmJ/16ZcFhgYJY7YIhR9o
ZA3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1757008605; x=1757613405;
h=to:subject:message-id:date:from:mime-version:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=zTP9IqGAg7iGjOlSqNLFyWZKhqQc/WA7A7dVWMjXJso=;
b=bLXScOJvkg03rFrh6ZnPAeRcwdUlZUeyMm0gcGyJUE5CE8Gh5zQaslHnioMwtyJAo0
mK2Eg2AQiJHCW6CdwY/YNAbkm1spI6VoA3eLKujHgjF6O/14J/I55AGpe2QcWiFl2b0C
2bQN/TnUqx8PhBVxDUk5k+sK+CONtbdxK5jk4SR3B8N4Z1XxzLo+xBBRteY10IMuRNuH
I7icWcgxnjWy1KKfdqqtTJum5Xsd+fAMa/ku+/Hy37fBQWke5dIpSclZkq4tKHS5nLxu
cWoCW3zVDylrx8En9pHvvbRcbPkF88T+ivp7N3+8lnAVEGPshmNGuR2K0Nd9gjlSDK9X
gbIg==
X-Gm-Message-State: AOJu0YzapzY0GFUAwTMgaXbLcVYClwkmJe+56ABFTe1H4s1iTmGnqTbu
JucVfkadjuLgnnxerZuZFlDwZCbO+MMgDpd9NqW33t1L3c2K2WZigSo+lMRNPws8ocLX/xbFILu
DwfHNnhOlkvr8WhBlhvepmcX0KrWUnYSfrA==
X-Gm-Gg: ASbGncsFR4DN2S+RPJnVEkUrJKm7FJ7L3frIZtrdkIrQSZ/dZmISKsBcTwLP/FeTuHV
SJqwQWofXwAI23JqqJ3OYc9+bE1ZdUPKmsbVi5rdG4gGtQCXm7baQYOwRaEcmOJNNDF8v5WNz5Q
zbE4b1UdIW/39LmHW49QnF0EtbWlvBTsoDIldUncxdz1pXoqCG6kyOseKpNnY+hjflJSSUSqJle
eOSfUupyT4jqe0Z
X-Google-Smtp-Source: AGHT+IGlQYWkFStNW0O/JGF+meSqvzaEcu1rASsaL1HUtiBp/h7ao1zdg34kbuTJJmSnsKNnHYplAaAHCde4oVb61Y8=
X-Received: by 2002:a2e:9844:0:b0:32b:3104:f89c with SMTP id
38308e7fff4ca-336cad33a53mr49223831fa.29.1757008605203; Thu, 04 Sep 2025
10:56:45 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 4 Sep 2025 13:56:33 -0400
X-Gm-Features: Ac12FXyYkACEB02VzxPcnRCE4Gyv6ZILZkXDNCEbnWw5q_UmvmP_Gil5Qs9hUUk
Subject: What Headers look like
Content-Type: multipart/alternative; boundary="000000000000c7d123063dfd71e7"
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=1; sbrc=-0; sbf=cb0; sbw=000;
What are the various parts of an Email Header?
There are a lot of lines in a header and every email provider may have their own variation of what is included in Headers. This article will not describe every single line, but will outline common and useful sections that can be used to troubleshoot email related issues.
Received From Lines
• Return-Path: This is the sending email or the email they want replies to be sent back to.
• Received From: There may be various Received From lines in an email, in this example these Received From lines are internal EarthLink servers that handled the email after it was accepted by our system.
• Authentication-Results: This simply notes that EarthLink’s antispam solution confirmed the recipient of this email is a legit EarthLink customer.
DNS, SPF, DKIM, DMARC Lines
The next lines are logs pertaining to various DNS based services that are used to confirm the sender used a legitimate domain and email server to send the email message.
• SPF – Sender Policy Framework is a list of IP addresses or server names the sender’s domain (Gmail in this example) says are allowed to send email for their domain. Pass indicates the email did come from an IP or server on their list.
• DKIM – DomainKeys Identified Mail is an optional process where a domain signs an email with an cryptographic key that can be used to verify the email has not been altered. This is not required. None means this message was not signed with DKIM.
• DMARC – Domain-based Message Authentication Reporting and Conformance is a set of guidelines the sending domain provides for how to handle an email that claims to be from their domain. For example, the senders domain could say in their DMARC record that if an email claiming to be sent from their domain comes from an IP NOT on their SPF record, then it should be treated as spam. In this case, DMARC passed and said this was a legitimate email from Gmail.
• The Received DKIM and Received SPF are just additional lines showing that DKIM and SPF checks either passed or failed. If one or the other Failed, the receiving server, EarthLink, would look at the domain’s DMARC record for how to handle that email.
Spam Check Lines
VadeSecure is a partner that EarthLink work with to detect spam or suspect malicious email. These logs include VadeSecure’s findings and final score. This information is often kept cryptic as we do not want spammers to use these results to tweak their spam settings in an attempt to get past our spam detection checks.
• X-VadeSecure-Originating-IP: 209.85.208.172 – This is the IP of the sending server.
• X-VadeSecure-Malware: Clean – This means no malware was found in the email.
• X-VadeSecure-Verdict: clean – This means VadeSecure’s final verdict is this email is clean from any known spam or malware.
• X-VadeSecure-Status: clean – As spam ratings can change when more information is gathered, this field simply shows the current status of the message as still being clean.
• X-VadeSecure-Cause: This long encrypted section provides details to EarthLink’s email abuse team and VadeSecure on why an email was rated the way it was. This information cannot be decrypted without special tools. You may be asked to provide this detail in email escalations related to spam.
• X-VadeSecure-Score: 0 – This is the final overall score for the email. VadeSecure scores an email from 0 meaning clean to higher numbers which could indicate a risk of spam. However, spam ratings usually are 300 or higher.
• X-VadeSecure-SID: 5a481ece-1862260366c36fa2 – This is simply a session ID number that can be used by escalations to find this specific email log. This is frequently asked for in escalation scenarios.
Received From Lines
The received section provides details on the various servers the email passed through before arriving at EarthLink. You read these logs from the bottom up with the lowest log being the original connection between the sender and their email provider. You can see where Google received the email and then passed it on to Vadesecure who then passed it to EarthLink (seen in the earlier received from lines near the top of the Headers.)
- Received: from noehlo.host ([10.149.109.244])
- by mdl-prod6.sys.elnk.net (EarthLink SMTP Server) with SMTP id 1UUecu2Xpc12Mc0; Thu, 4 Sep 2025 13:56:46 -0400 (EDT)
- Received: from nmtai103.earthlink-vadesecure.net ([51.81.61.70])
- by mx-a-prod7 (EarthLink SMTP Server) with SMTP id 1UUecu6BW6c12Oo0
- for <[redacted]@earthlink.net>; Thu, 4 Sep 2025 13:56:46 -0400 (EDT)
Note: Received from lines can pass through many servers and may be displayed all in one section rather than broken into two sections as seen in this example. Received from lines are helpful in escalations when trying to determine what servers and IP addresses touched the email on its journey to an EarthLink customer. This detail is usually more helpful when an email is rejected by the recipient and bounced back to the sender.
Unique Log Lines
X-Google, X-GM lines are specific lines unique to Google email and contain information on Google sending process, servers, etc.
From, To, Subject Lines
The last section details who the email was sent from (note this can be edited by the sender to show almost any email address), the date and time it was sent, Subject is the subject the recipient will see and To is the address it was sent to.
Special note about To: - The To: field only shows the email address that was in the To: when the sender sent the email. If there are addresses in the CC: field, they will be shown on a CC: line. BCC: copied address will not be show at all.
This article was designed to help you understand the various fields found in email headers, but not to go into detail on how to use headers to troubleshoot specific issues. There are many scenarios in how headers can be helpful that are better suited for additional training content. However, an example of one of the most common issues you will run into is provided below for reference.
Most of the time an email will be returned to the sender with an error in the subject line such as “Undeliverable”, “Bounce”, “Bad Address” or similar errors. These bounces usually contain a shortened version of the headers and a very specific error code often asked for in escalations.
Bad Address Example –
If the sender misspelled the recipient’s address, they will get a delivery failure bounce back with details similar to the below in the message body. Please take special note of any line that has an error similar to 550 5.1.1 or other set of 400-500 numbers followed by 2 to 3 numbers separated by periods as these correspond to exact reason codes. They often contain a simple sentence explaining what the error code means such as “The email account that you tried to reach does not exist” seen in the example below.
Delivery has failed to these recipients or distribution lists:
Server "172.253.122.27:25" returned an error:
* [[redacted]@gmail.com]: 550 5.1.1 The email account that you tried to reach does not exist. Please try In this example, the sender needs to confirm the email address and try again using the correct spelling.