How do you trace message hops with headers?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You open a suspicious email, or maybe a message that never arrived, and someone tells you to "check the headers." You pull them up and get a wall of text with server names, timestamps, and protocols you've never heard of. Where do you even start?

The Received headers are what you want. Every time a mail server hands off a message to the next one, it stamps a Received header onto the email. Read those headers and you can reconstruct the exact path the message traveled, hop by hop.

How to find your full headers

Different clients hide them in different places. In Gmail, open the email, click the three dots in the top right, and choose "Show original." In Outlook, open the message, go to File, then Properties, and look in the "Internet headers" box. In Apple Mail, open the message and go to View, then Message, then All Headers.

Read them bottom to top

This trips up almost everyone the first time. The bottom-most Received header is the oldest, written by the originating server. The top one is the most recent, written by the final receiving server. Read upward to follow the message's journey in chronological order.

So each Received header looks something like this:

Received: from mail.sender.com (mail.sender.com [203.0.113.45])
 by mx.recipient.com with ESMTPS id abc123
 for <crew@deepcurrent.io>
 ; Tue, 17 Jun 2025 14:32:11 +0000

Breaking that down: from is the server that sent this hop. by is the server that received it. with tells you the protocol (ESMTPS means encrypted SMTP, which is a good sign). The timestamp tells you when that handoff happened.

What you're actually looking for

Now once you know how to read one hop, you're looking at the chain as a whole. A typical path looks like this: originating mail server, then possibly a gateway or relay, then out across the internet, then the recipient's MX server, then the final mailbox. Each step should make sense.

Here's what raises a flag:

  • Big time gaps between hops. If one hop takes 30 seconds and the next takes 4 hours, something queued up or got stuck at that server. That's where your delay lives.
  • Unexpected servers in the chain. A server you don't recognize slipping in between your ESP and the recipient can mean misconfigured relaying or a third-party security gateway intercepting the message.
  • Mismatched hostnames and IP addresses. The server claiming to be mail.yourcompany.com but showing an IP that doesn't match is a red flag for SPF failures and can seriously hurt your deliverability.
  • Authentication results appearing mid-chain. Look for an Authentication-Results header near the top. It tells you whether SPF, DKIM, and DMARC passed or failed, and at which server the check ran.

A real troubleshooting example

Say a transactional email from lighthouse@harborpost.net is arriving 6 hours late. You pull the headers and read upward. The first two hops look clean and happen within seconds of each other. Then there's a 6-hour gap before the next hop. That gap tells you the message sat in a queue at that second server. You now know exactly where to investigate, whether that's a rate-limiting issue, a temporary block, or a server that went offline and retried later.

Without the headers, you'd be guessing. With them, you're looking at evidence.

If you want a faster way to parse all of this, our free Email Header Analyzer pulls apart the full header block and flags the unusual bits for you. Worth a look if the raw text feels overwhelming.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your situation above and get a step-by-step walkthrough of your header chain

I need to trace where an email went wrong using its headers. Here's some context about my situation: - Email client I'm using: Gmail / Outlook / Apple Mail / other - What I'm trying to diagnose: [delay / no delivery / spam filtering / authentication failure] - Number of hops I can see in the headers: number or "not sure" - Anything unusual I noticed: [unexpected server names / big time gaps / authentication failures / nothing obvious] Based on this, can you walk me through reading the Received headers step by step and tell me which part of the chain is most likely causing my problem?

Edit the yellow boxes, then send to the AI of your choice.