Are there other security-related email headers?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've probably heard about SPF, DKIM, and DMARC. But email headers go well beyond authentication results. Several other headers quietly reveal a lot about where a message actually came from, what path it traveled, and how filters judged it along the way.

Here are the ones worth knowing:

Received headers trace the full path a message took from server to server before landing in the inbox. Every server that touched the email stamps its own Received header, so you end up with a chain. Read them bottom to top (oldest first). If you spot an unexpected hop from an unfamiliar country or hosting provider, that's a flag worth investigating.

X-Originating-IP records the IP address of the client that first submitted the message. This is useful when you want to look past the sending domain and see the actual machine or service behind the email. It's commonly added by webmail services and some ESPs. A mismatch between this IP and the expected sending infrastructure can point to account compromise or spoofing.

X-Spam-Status and X-Spam-Score are added by spam filters (SpamAssassin being the most common example) and show the filter's verdict along with a numeric score. If a legitimate email is landing in spam, these headers tell you exactly which rules fired and how much each one contributed to the score. That's far more useful than just knowing it got filtered.

DKIM-Signature is the cryptographic signature itself, not just the pass/fail result you see in Authentication-Results. It contains the signing domain (the d= tag), the algorithm used, and which headers were covered by the signature. If something looks off in a DKIM result, reading the raw signature can tell you whether the wrong domain signed it or whether critical headers were excluded from the signature scope.

None of these are headers you'd check on every email. But when something suspicious lands, or a legitimate email keeps getting filtered, pulling up the full headers and reading through these fields is usually where the answer lives. You can do that quickly with our free Email Header Analyzer, which parses all of this in one view.

If you want a foundation for reading the authentication side of headers first, the Authentication-Results header is the right place to start.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your headers and let's read them together

I'm looking at the raw headers of a suspicious or filtered email. Based on my situation, help me figure out which headers to focus on and what each one might be telling me. Here's what I know about the email: 1. Is it a legitimate email that's being filtered as spam, or a suspicious inbound message? 2. Which headers are you seeing (Received, X-Originating-IP, X-Spam-Status, DKIM-Signature, other)? 3. What does the Received chain look like, how many hops, and do any look unexpected? 4. What does the X-Spam-Score say, and which rules fired? Give me a ranked list of what to investigate first, what each finding means, and what action (if any) makes sense.

Edit the yellow boxes, then send to the AI of your choice.