What is a “Received” header and how do you read it?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A Received header is a timestamp added by every mail server that handles your email on its way from sender to recipient. Each server adds one at the top of the stack, so reading them from bottom to top shows the exact path the message took.

You read Received headers to trace where an email really came from, diagnose delivery delays, or verify authentication. They're your audit trail when something looks suspicious or when an email takes an hour to arrive.

Here's what a Received header looks like (slightly simplified for readability):

Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
 by mx.example.com with ESMTPS id abc123
 for <you@example.com>;
 Mon, 15 Jan 2024 14:32:01 -0800 (PST)

Breaking it down:

  • from: the server that sent this message to the next hop (mail-sor-f41.google.com)
  • by: the server that received it and wrote this header (mx.example.com)
  • with: the protocol used (ESMTPS means encrypted SMTP)
  • for: the recipient address
  • Timestamp: when this server received it

To trace an email's journey, start at the bottom Received header (the first server that touched it) and read up. Each header is the next hop. The top one is your inbox provider receiving it.

Why you'd read them:

  • Verify sender authenticity: Check if the first Received header matches the claimed sending domain. If someone says they're from yourbank.com but the first hop is shadyserver.ru, that's a red flag.
  • Diagnose delays: Compare timestamps between hops. A 3-hour gap between two servers? That's where the holdup happened.
  • Check authentication: Look for "pass" results in the Authentication-Results header (often right after the last Received header). That tells you if SPF, DKIM, and DMARC passed.
  • Spot forwarding: If you see more hops than expected, the email was forwarded through other servers before reaching you.

How to view them: In Gmail, open the email, click the three dots, choose "Show original". In Outlook, open the message, go to File → Properties → Internet headers. In Apple Mail, View → Message → All Headers.

One common mistake: reading Received headers top-to-bottom instead of bottom-to-top. The newest header is always added at the top, so the email's origin is at the bottom of the stack.

But if you're staring at a suspicious email and the Received headers don't make sense (or seem forged), our Email Header Analyzer parses them for you and flags anything weird.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get help reading your email headers

I read this on the Email Almanac about reading Received headers: "A Received header is added by every mail server that handles an email. Reading them from bottom to top shows the exact path the message took. You can use them to verify sender authenticity, diagnose delays, check authentication results, and spot forwarding." Help me analyze Received headers for MY situation. I need: 1. What to look for in my headers: which parts matter for my use case 2. How to spot red flags: forged headers, suspicious delays, mismatched domains 3. Tools or shortcuts: faster ways to read headers without parsing manually 4. When to escalate: when headers indicate a real security or delivery issue --- My details (the more you share, the more specific the help): - Why I'm reading headers: [verifying a suspicious email / diagnosing delivery delays / checking authentication / learning how email works] - Email client: Gmail, Outlook, Apple Mail, other - What I found confusing: [too many hops? timestamps don't make sense? authentication results unclear?] - Specific question: describe what you're trying to figure out

Edit the yellow boxes, then send to the AI of your choice.