What is a “Received” header and how do you read it?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A Received header is a timestamp added by every mail server that handles your email on its way from sender to recipient. Each server adds one at the top of the stack, so reading them from bottom to top shows the exact path the message took.
You read Received headers to trace where an email really came from, diagnose delivery delays, or verify authentication. They're your audit trail when something looks suspicious or when an email takes an hour to arrive.
Here's what a Received header looks like (slightly simplified for readability):
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41]) by mx.example.com with ESMTPS id abc123 for <you@example.com>; Mon, 15 Jan 2024 14:32:01 -0800 (PST)
Breaking it down:
- from: the server that sent this message to the next hop (mail-sor-f41.google.com)
- by: the server that received it and wrote this header (mx.example.com)
- with: the protocol used (ESMTPS means encrypted SMTP)
- for: the recipient address
- Timestamp: when this server received it
To trace an email's journey, start at the bottom Received header (the first server that touched it) and read up. Each header is the next hop. The top one is your inbox provider receiving it.
Why you'd read them:
- Verify sender authenticity: Check if the first Received header matches the claimed sending domain. If someone says they're from yourbank.com but the first hop is shadyserver.ru, that's a red flag.
- Diagnose delays: Compare timestamps between hops. A 3-hour gap between two servers? That's where the holdup happened.
- Check authentication: Look for "pass" results in the Authentication-Results header (often right after the last Received header). That tells you if SPF, DKIM, and DMARC passed.
- Spot forwarding: If you see more hops than expected, the email was forwarded through other servers before reaching you.
How to view them: In Gmail, open the email, click the three dots, choose "Show original". In Outlook, open the message, go to File → Properties → Internet headers. In Apple Mail, View → Message → All Headers.
One common mistake: reading Received headers top-to-bottom instead of bottom-to-top. The newest header is always added at the top, so the email's origin is at the bottom of the stack.
But if you're staring at a suspicious email and the Received headers don't make sense (or seem forged), our Email Header Analyzer parses them for you and flags anything weird.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.