For certain scenarios, we may ask you to send us the full message headers of an email for troubleshooting purposes. You can read further about how to see and download message headers here.
But what is a message header, and why are we asking for it?
An email has three parts: an envelope, a header, and a body.
The envelope is the part of the message used only by servers while the message is in transit; it never reaches the final recipient. That part is fairly complex and is not relevant to this topic.
The header fields contain information about the message, such as the sender, the recipient, and the subject. If a message body is included (which is technically optional), it is separated from the header fields by an empty line.
In this example, we can see three header lines, and the message's body.
The full message headers contain every header line added to the message while it travelled through the various email servers. They provide useful information about what happened to the message, and they are meant to be read from the bottom to the top: each server adds its lines above the existing ones, so the oldest line is at the bottom and the chronological order runs upwards.
The sender's server is not the only one that adds header lines. Every time a mail server (MTA) sends or receives a message, it adds a new header line with its own sending/receiving timestamps. This is most useful when investigating delays, or when an email went missing at some point during delivery.
That part looks like this (sanitized version, for illustration purposes only):
Received: from xxxx.hornetsecurity.com ([x.x.30.2]) by xxxx.hornetsecurity.com with LMTP id QDWuE/o2nWCGCgAA0BVMZw (envelope-from <xxxx@hornetsecurity.com>) for <user@domain.com>; Thu, 13 May 2021 16:26:02 +0200
Received: from xxxx.hornetsecurity.com ([127.0.0.1]) by xxxx.hornetsecurity.com with LMTP id yOZqE/o2nWB8SgAAg7zoWw (envelope-from <xxxx@hornetsecurity.com>) for <user@domain.com>; Thu, 13 May 2021 16:26:02 +0200
Received: from xxxx.antispameurope.com (unknown [x.x.30.2]) by xxxx.hornetsecurity.com (Postfix) with ESMTP id 4A98617XXXX for <user@domain.com>; Thu, 13 May 2021 16:26:02 +0200 (CEST)
Received: from xxxx.antispameurope.com (xx.x.65.63) by xxxx.hornetsecurity.com; Thu, 13 May 2021 16:26:02 +0200
Received: from xxxx.hornetsecurity.com (cp.hornetsecurity.com [xx.xxx.132.160]) by xxxx.antispameurope.com (ASE-secure-MTA) with ESMTP id 2024613XXXX for <user@domain.com>; Thu, 13 May 2021 16:24:45 +0200 (CEST)
Received: from xxxx.outbound.protection.outlook.com ([X.X.12.58]) by xxxxxx.antispameurope.com; Thu, 13 May 2021 09:39:19 +0200
When investigating an issue, we may ask you to retrieve the message headers from the recipient's mailbox (when that is possible). Because these lines are added during transit, the copy in the final recipient's mailbox is the only one that contains every header line added to the message. That is why this version is called the "full" message headers.
Quite often you will see header lines starting with "X-". These are custom, optional lines that email providers can choose to include in order to provide further information.
As they are not standardized and can be designed freely, they are usually harder for third parties to interpret, and may not be useful to everyone.
An example of these lines within a message header, as printed by different servers/email providers:
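The bottom-to-top reading order and the per-hop timestamps are what make a full header useful for delay investigations. The following script is an added example (not from the original article): it parses the Received lines of a constructed header set, walks them in chronological order and reports how long the message waited between hops. The hostnames, IPs and ids are placeholders; only the timestamps mirror the sanitized trace above.

```python
"""Hop-by-hop timeline from the Received: lines of a full message header.

Added example (not from the original article). The headers below are
constructed: hostnames, IPs and ids are placeholders, the timestamps follow
the article's sanitized trace.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample, as found in the recipient's copy: newest hop on top.
RAW_HEADERS = """\
Received: from mx1.hornetsecurity.example ([198.51.100.2])
 by mbox.hornetsecurity.example with LMTP id LMTPID0001
 for <user@domain.example>; Thu, 13 May 2021 16:26:02 +0200
Received: from mx1.antispameurope.example (unknown [198.51.100.2])
 by mx1.hornetsecurity.example (Postfix) with ESMTP id 4A98617XXXX
 for <user@domain.example>; Thu, 13 May 2021 16:26:02 +0200 (CEST)
Received: from cp.hornetsecurity.example (cp.hornetsecurity.example [203.0.113.160])
 by mx1.antispameurope.example (ASE-secure-MTA) with ESMTP id 2024613XXXX
 for <user@domain.example>; Thu, 13 May 2021 16:24:45 +0200 (CEST)
Received: from outbound.protection.outlook.example ([192.0.2.58])
 by mx2.antispameurope.example; Thu, 13 May 2021 09:39:19 +0200
From: sender@hornetsecurity.example
To: user@domain.example
Subject: constructed sample

body
"""


def parse_received(raw):
    """Return one dict per Received: line, in header order (newest first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
        clause, _, stamp = value.rpartition(";")         # the date follows the last ';'
        stamp = re.sub(r"\(.*?\)", "", stamp).strip()    # drop comments such as (CEST)
        from_m = re.match(r"from (\S+)", clause)
        by_m = re.search(r"\sby (\S+)", clause)
        ip_m = re.search(r"\[([0-9A-Fa-f.:]+)\]", clause)  # connecting IP in brackets
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": parsedate_to_datetime(stamp),         # timezone-aware
        })
    return hops


def timeline(raw):
    """Chronological hop list (bottom of the header first) with per-hop delay.

    A negative delay means the two servers' clocks disagree, not time travel.
    """
    hops = list(reversed(parse_received(raw)))
    previous = None
    for hop in hops:
        hop["delay_s"] = 0 if previous is None else int((hop["time"] - previous).total_seconds())
        previous = hop["time"]
    return hops


def slowest_hop(raw):
    """The hop that waited longest before the next server logged the message."""
    return max(timeline(raw), key=lambda h: h["delay_s"])


if __name__ == "__main__":
    for hop in timeline(RAW_HEADERS):
        print(f"{hop['time'].isoformat()}  +{hop['delay_s']:>6}s  {hop['from']} -> {hop['by']}")
```

In the constructed trace the largest gap (several hours) sits between the first antispameurope hop and the re-delivery from cp.hornetsecurity, which is exactly the kind of spot a delay investigation should zoom in on. The script only trusts the Received lines for their timestamps and hostnames; it does not try to verify them, since any server in the path can write whatever it likes there.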
X-OriginatorOrg: hornetsecurity.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: XXXX.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6xxxx844-xx12-4a17-d357-08d91xxxx
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2021 07:39:14.0722 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 47a5xxxx-3e3a-4e87-xxxx-2444d6bxxxx
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7N+8/bE0YuGEQHZ4QfQXvK6tOlyAOaGrDl676+seUPpeDMqOM8BnWWRrELA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: XXXX08MB5115
X-cloud-security-sender:user@hornetsecurity.com
X-cloud-security-recipient:test@domain.com
X-cloud-security-crypt: load encryption module
X-cloud-security-Mailarchiv: E-Mail archived for: user@hornetsecurity.com
X-cloud-security-Mailarchivtype:outbound
X-cloud-security-Virusscan:CLEAN
X-cloud-security-disclaimer: This E-Mail was scanned by E-Mailservice on mx-xxxx-xxx.antispameurope.com with 4FC87124XXXX
X-cloud-security-connect: xxxx.outbound.protection.outlook.com[XX.XX.12.58], TLS=1, IP=XXX.XX.12.58
X-cloud-security-Digest:xxxx0f161c14xxxx66e5b691981xxxx
X-cloud-security:scantime:2.002
X-antispameurope-sender:user@hornetsecurity.com
X-antispameurope-recipient:test@domain.ccom
X-antispameurope-MSGID:XXXX4d758bd5a0301e58325f633d1c4-01dbb84d035b7c51XXX
X-antispameurope-body-digest:71aff352e1f66
X-antispameurope-filter:QUAR ID=16XXX08XX85
X-antispameurope-SPFRESULT: PASS
X-antispameurope-orig-ip:XX.XXX.132.8
X-antispameurope-orig-host:mxXXX.hornetsecurity.com
X-antispameurope-orig:xxxxd86a3a85284e76732081041xxxx
X-antispameurope-disclaimer: This E-Mail was scanned by www.antispameurope.com E-Mailservice on mx-xxxx-xx with XDF1A6XXXX
X-antispameurope-date:1620891562
X-antispameurope:INCOMING:
X-antispameurope-Connect:mxxx.hornetsecurity.com[xx.xxx.132.8],TLS=1;EMIG=0
X-antispameurope-WC:3:456:4:272291:1:200:0:1:0:1:0:0:2:3:1:5:4:56:162:56:0:0:0:0:0:41:0:0:0:2:0:0:0:0::0:1:0:0:0:0:0
X-antispameurope-orig-Spamstatus: SPAM
X-antispameurope-orig-REASON: compliance-Rule-QUAR-ID=1606885
x-hornetsecurity-delivered: SPAM:support:api:all
X-antispameurope-orig-MSGID: xxxxxx58bd5a0301e58xxxx33d1c4-01dbb84d035b7c51857003ecxxxx
Message-Id: <xxxxxxxxx@xxxx-xxx.antispameurope.com>
X-antispameurope-sender:control@hornetsecurity.com
X-antispameurope-recipient:test@domain.com
X-antispameurope-MSGID:xxxx1d4684712b40486c264bd29d1005-01dbb84d035b7c51857003ecb2cexxxx
X-antispameurope-body-digest:834c96871aff352e1f665c1c1a61xxxx
X-antispameurope-Mailarchiv: E-Mail archived by www.antispameurope.com for: test@domain.com
X-antispameurope-Mailarchivtype:inbound
X-antispameurope-Virusscan:CLEAN
X-antispameurope-filter:QUAR ID=16068XX
X-antispameurope-SPFRESULT: NONE
X-antispameurope-disclaimer: This E-Mail was scanned by www.antispameurope.com E-Mailservice on mx-xxxxx-xxx with 6D8B7394171C
X-antispameurope-date:1620915990XX
X-antispameurope:INCOMING:
X-antispameurope-Connect:xxxxx.antispameurope.com[XX.XXX.65.63],TLS=1;EMIG=0
X-antispameurope-WC:3:456:4:273672:1:200:0:1:0:1:0:0:2:3:1:5:4:56:162:56:0:0:0:0:0:41:0:0:0:2:0:0:0:0::0:1:0:0:0:0:0
X-antispameurope-Spamstatus:CLEAN
X-antispameurope-REASON:Statusmail:Statusmail
These are some of the most relevant lines printed on our side, and what they mean:
"X-antispameurope-sender"
This refers to the real sender of the message at connection level, also known as the envelope-from.
You need to know this, for example, when creating Content Compliance Rules that must trigger based on the sender. More importantly, it is one of the key fields when evaluating a message's authenticity.
Using the "From" field (also known as the header-from) in these types of rules will not work if the header-from and the envelope-from differ. This is common for automated emails, emails sent from distribution lists, web forms, delegated accounts and alias accounts, and for messages lacking an envelope-from.
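To make the envelope-from versus header-from distinction concrete, here is an added example (not from the original article) that reads both values from a message the way a sender-based rule would, and shows the rule firing on the wrong field. The header names follow the article; the three messages, the addresses and the rule pattern are constructed, and the assumption that the sender line is absent for a null-sender bounce is this example's own.

```python
"""Envelope-from vs. header-from, and why a sender rule keyed on From: can miss.

Added example (not from the original article). The X- header names follow the
article; the messages, addresses and the rule pattern are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed: the message reached us straight from the author's mail system,
# so the connection-level sender and the From: header agree.
DIRECT_MESSAGE = """\
X-antispameurope-sender: alice@partner.example
X-antispameurope-recipient: user@domain.example
From: "Alice" <alice@partner.example>
To: user@domain.example
Subject: Quarterly figures

see attachment
"""

# Constructed: the same message relayed through a distribution list. The list
# rewrites the envelope sender to its own bounce address; From: is unchanged.
LIST_MESSAGE = """\
X-antispameurope-sender: bounces@list.example
X-antispameurope-recipient: user@domain.example
From: "Alice" <alice@partner.example>
To: all-staff@domain.example
Subject: Quarterly figures

see attachment
"""

# Constructed: a bounce sent with the null envelope sender. Assumption made for
# this example only: the sender line is simply absent in that case.
BOUNCE_MESSAGE = """\
X-antispameurope-recipient: user@domain.example
From: Mail Delivery System <mailer-daemon@partner.example>
To: user@domain.example
Subject: Undelivered Mail Returned to Sender

delivery failed
"""


def sender_fields(raw):
    """Extract the envelope-from (our X- line) and the header-from (From:)."""
    msg = email.message_from_string(raw)
    envelope_from = (msg.get("X-antispameurope-sender") or "").strip().lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_domain = envelope_from.rpartition("@")[2]
    hdr_domain = header_from.rpartition("@")[2]
    return {
        "envelope_from": envelope_from,   # "" when the message carries no envelope sender
        "header_from": header_from,
        # same domain on both: the case in which a From:-based rule happens to work
        "aligned": bool(env_domain) and env_domain == hdr_domain,
    }


def rule_matches(raw, sender_pattern, field="envelope_from"):
    """A compliance-style rule 'sender matches pattern', evaluated on one field."""
    value = sender_fields(raw)[field]
    return re.fullmatch(sender_pattern, value) is not None


if __name__ == "__main__":
    pattern = r"alice@partner\.example"
    for name, raw in (("direct", DIRECT_MESSAGE), ("via list", LIST_MESSAGE), ("bounce", BOUNCE_MESSAGE)):
        f = sender_fields(raw)
        print(f"{name:9} envelope={f['envelope_from'] or '<>':24} header={f['header_from']:30} "
              f"rule on envelope: {rule_matches(raw, pattern)}  rule on header: {rule_matches(raw, pattern, 'header_from')}")
```

The list-relayed copy is the interesting one: a rule written for alice@partner.example fires on the header-from but not on the envelope-from, so whichever field the rule engine actually evaluates decides whether the rule triggers. The bounce shows the other failure mode the article mentions: with no envelope-from there is simply nothing for an envelope-based rule to match.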
"X-antispameurope-recipient"
This line specifies the address we delivered the message to.
Normally it is the same as the "TO" field of the message header, but sometimes it is not: for example, when a rule is in place that forwards all or certain messages to a different recipient, or for messages sent to distribution groups. When a message is sent "TO" info@, for instance, we deliver just one email to the recipient server, NOT one copy of the message to each of the group's members. The recipient server is responsible for distributing the message to the group or list members. However, these final recipients are sometimes specified in "FOR" fields.
"x-hornetsecurity-delivered"
We only print this line when a message has been blocked by our filters and released afterwards from a Quarantine Report or from the Control Panel's Email Live Tracking. The value is "user:api:all", "admin:api:all" or "support:api:all", depending on who released the message.
"X-antispameurope-orig-ip"
This is the IP we received the email from, and the IP we use, for example, to perform SPF checks. Nowadays, especially on cloud platforms, the server that creates the message is often not the one that sends it to the internet, due to infrastructure complexity.
For example, if a message is sent from an on-premises Exchange server directly to the recipient domain's MX records, the Exchange server's public IP is considered the original or source IP. If the Exchange server uses a relay instead of sending the message directly to the internet, the first server that receives the message on the recipient's side will consider the relay's IP as the original or source IP, and will know nothing about the Exchange server's existence.
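The direct-versus-relay scenario above is easiest to see with a small SPF evaluation. The following is an added example (not from the original article, and not Hornetsecurity's SPF implementation): it takes the envelope-from and the orig-ip from the X- lines the article describes and checks the IP against a constructed SPF record. Only the ip4, ip6 and all mechanisms are evaluated, because include, a and mx need live DNS; the record, hostnames and IPs are constructed, and the lower-case results correspond to the PASS/NONE values shown in the X-antispameurope-SPFRESULT line.

```python
"""Which IP an SPF check sees: direct delivery vs. delivery through a relay.

Added example (not from the original article). The SPF record, hostnames and
IPs are constructed; only ip4/ip6/all terms are evaluated, since include/a/mx
would need DNS lookups.
"""
import email
import ipaddress

# Constructed: the record published for partner.example authorises only the
# public IP of the on-premises Exchange server.
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:203.0.113.10 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record against the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier, mechanism = "+", term
        if term[0] in "+-~?":
            qualifier, mechanism = term[0], term[1:]
        if mechanism.lower().startswith(("ip4:", "ip6:")):
            # an IPv4 address is never "in" an IPv6 network, and vice versa
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif mechanism.lower() == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        # include:, a, mx, exists: would need DNS lookups; not evaluated here
    return "neutral"


def spf_result(envelope_from, orig_ip):
    """SPF result for a message, given its envelope-from and the IP we received it from."""
    domain = envelope_from.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"   # no record published: the NONE case in the article's second sample
    return evaluate_spf(record, orig_ip)


def spf_from_headers(raw):
    """Pull both inputs from the X- lines the article describes."""
    msg = email.message_from_string(raw)
    return spf_result(msg.get("X-antispameurope-sender", "").strip(),
                      msg.get("X-antispameurope-orig-ip", "").strip())


# Constructed: the Exchange server (203.0.113.10) delivered directly to our MX.
DIRECT = """\
X-antispameurope-sender: alice@partner.example
X-antispameurope-orig-ip: 203.0.113.10
X-antispameurope-orig-host: mail.partner.example

"""

# Constructed: the Exchange server handed the message to a relay (198.51.100.25).
# We only ever see the relay's IP, and the record above does not cover it.
VIA_RELAY = """\
X-antispameurope-sender: alice@partner.example
X-antispameurope-orig-ip: 198.51.100.25
X-antispameurope-orig-host: smtp.relay.example

"""

if __name__ == "__main__":
    print("direct   :", spf_from_headers(DIRECT))
    print("via relay:", spf_from_headers(VIA_RELAY))
```

The relay case fails even though the message is perfectly legitimate, because the receiving side has no way to learn about the Exchange server behind the relay. The remedy is on the sending domain's side: the relay's IP (or the relay provider's include) has to be part of the published record, since that IP is the only one any receiver will ever evaluate.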
"X-antispameurope-orig-host"
The public hostname of the server that delivered the message to us.
"X-antispameurope-orig-MSGID"
This specifies the Message-ID, which is the unique and public identifier of a message.
"X-antispameurope-MSGID"
This is an additional ID we assign to each message. It is useful to us when investigating what happened to a message within our platform, and it is a good example of a header line that may only be useful to the provider/server that printed it, in this case us.
"X-antispameurope-SPFRESULT:"
"X-antispameurope-orig-Spamstatus:"
This line shows our original classification of the message when it reached our filters; it is printed before admin- or user-level policies are applied. For example, an email showing "SPAM" here could still have been delivered to the recipient because the sender was on an allow list, or because the user or an admin released the message afterwards.
Further reading:
RFC 5322 3.6. Field Definitions
RFC 5321 Section C: The SMTP Procedures: An Overview