How do you trace message hops with headers?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You open a suspicious email, or maybe a message that never arrived, and someone tells you to "check the headers." You pull them up and get a wall of text with server names, timestamps, and protocols you've never heard of. Where do you even start?
The Received headers are what you want. Every time a mail server hands off a message to the next one, it stamps a Received header onto the email. Read those headers and you can reconstruct the exact path the message traveled, hop by hop.
How to find your full headers
Different clients hide them in different places. In Gmail, open the email, click the three dots in the top right, and choose "Show original." In Outlook, open the message, go to File, then Properties, and look in the "Internet headers" box. In Apple Mail, open the message and go to View, then Message, then All Headers.
Read them bottom to top
This trips up almost everyone the first time. The bottom-most Received header is the oldest, written by the originating server. The top one is the most recent, written by the final receiving server. Read upward to follow the message's journey in chronological order.
So each Received header looks something like this:
Received: from mail.sender.com (mail.sender.com [203.0.113.45]) by mx.recipient.com with ESMTPS id abc123 for <crew@deepcurrent.io> ; Tue, 17 Jun 2025 14:32:11 +0000
Breaking that down: from is the server that sent this hop. by is the server that received it. with tells you the protocol (ESMTPS means encrypted SMTP, which is a good sign). The timestamp tells you when that handoff happened.
What you're actually looking for
Now once you know how to read one hop, you're looking at the chain as a whole. A typical path looks like this: originating mail server, then possibly a gateway or relay, then out across the internet, then the recipient's MX server, then the final mailbox. Each step should make sense.
Here's what raises a flag:
- Big time gaps between hops. If one hop takes 30 seconds and the next takes 4 hours, something queued up or got stuck at that server. That's where your delay lives.
- Unexpected servers in the chain. A server you don't recognize slipping in between your ESP and the recipient can mean misconfigured relaying or a third-party security gateway intercepting the message.
- Mismatched hostnames and IP addresses. The server claiming to be mail.yourcompany.com but showing an IP that doesn't match is a red flag for SPF failures and can seriously hurt your deliverability.
- Authentication results appearing mid-chain. Look for an Authentication-Results header near the top. It tells you whether SPF, DKIM, and DMARC passed or failed, and at which server the check ran.
A real troubleshooting example
Say a transactional email from lighthouse@harborpost.net is arriving 6 hours late. You pull the headers and read upward. The first two hops look clean and happen within seconds of each other. Then there's a 6-hour gap before the next hop. That gap tells you the message sat in a queue at that second server. You now know exactly where to investigate, whether that's a rate-limiting issue, a temporary block, or a server that went offline and retried later.
Without the headers, you'd be guessing. With them, you're looking at evidence.
If you want a faster way to parse all of this, our free Email Header Analyzer pulls apart the full header block and flags the unusual bits for you. Worth a look if the raw text feels overwhelming.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.