Are there other security-related email headers?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably heard about SPF, DKIM, and DMARC. But email headers go well beyond authentication results. Several other headers quietly reveal a lot about where a message actually came from, what path it traveled, and how filters judged it along the way.
Here are the ones worth knowing:
Received headers trace the full path a message took from server to server before landing in the inbox. Every server that touched the email stamps its own Received header, so you end up with a chain. Read them bottom to top (oldest first). If you spot an unexpected hop from an unfamiliar country or hosting provider, that's a flag worth investigating.
X-Originating-IP records the IP address of the client that first submitted the message. This is useful when you want to look past the sending domain and see the actual machine or service behind the email. It's commonly added by webmail services and some ESPs. A mismatch between this IP and the expected sending infrastructure can point to account compromise or spoofing.
X-Spam-Status and X-Spam-Score are added by spam filters (SpamAssassin being the most common example) and show the filter's verdict along with a numeric score. If a legitimate email is landing in spam, these headers tell you exactly which rules fired and how much each one contributed to the score. That's far more useful than just knowing it got filtered.
DKIM-Signature is the cryptographic signature itself, not just the pass/fail result you see in Authentication-Results. It contains the signing domain (the d= tag), the algorithm used, and which headers were covered by the signature. If something looks off in a DKIM result, reading the raw signature can tell you whether the wrong domain signed it or whether critical headers were excluded from the signature scope.
None of these are headers you'd check on every email. But when something suspicious lands, or a legitimate email keeps getting filtered, pulling up the full headers and reading through these fields is usually where the answer lives. You can do that quickly with our free Email Header Analyzer, which parses all of this in one view.
If you want a foundation for reading the authentication side of headers first, the Authentication-Results header is the right place to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.