What key information can I find in email headers (e.g., Received, Authentication-Results, Message-ID)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You open an email that went to spam, or a delivery failed, and someone tells you to "check the headers." But what are you actually looking for once you're staring at that wall of text? Each field in an email header is a record of what happened, where, and what was decided along the way. Here's what the most useful ones actually tell you.

If you haven't pulled up headers before, start with the guide to viewing headers in Gmail, Outlook, and other clients. Once you've got them open, here's what each field means.

Received
Every server that touched the email adds its own Received line. You read them bottom to top, so the oldest hop is at the bottom and the most recent is at the top. Each one records IP addresses, hostnames, timestamps, and the protocol used. If delivery was slow or something got rerouted unexpectedly, the timestamps between hops tell the story.

Authentication-Results
This is the receiving server's verdict on your authentication. It shows pass, fail, or none for SPF, DKIM, and DMARC, along with the specific domain or selector that was checked. A single line here can explain why an email landed in spam. If you're seeing dmarc=fail or spf=none, that's your starting point for fixing things.

DKIM-Signature
This is the actual DKIM signature attached before sending. It includes the selector, the signing domain, and the list of headers that were signed. The receiving server uses this to verify that the message wasn't altered in transit. If it's missing or fails, spam filters take notice.

Return-Path
This is the envelope sender, which is where bounces get delivered. It's often different from the visible From address. If your bounce handling domain doesn't match what you expect here, you may be losing bounce data entirely.

Message-ID
A globally unique identifier assigned by the originating server. Format looks like <randomstring@yourdomain.com>. It's the reference ID you'd use when searching logs or tracing a specific message through an ESP's system.

X-Spam-Status and X-Spam-Score
Many servers append their own spam filtering results here. You'll see a score and sometimes a list of the specific rules that fired. This varies by mail server software, so not every inbox will include it, but when it's there it's very useful for understanding exactly why a message was flagged.

X-Originating-IP
Some providers record the original sender IP here, separate from the server that relayed the message. This matters for webmail users, where the sending server IP and the person's actual IP are different things entirely.

Feedback-ID
ESPs add this field to connect individual messages back to campaigns and senders inside feedback loop reports. If you're troubleshooting complaint rates, this is what ties a bounced or complained-about message to a specific send.

Reading headers gets easier with practice. If you want a shortcut, paste the full header block into our free Email Header Analyzer and it'll flag anything worth investigating. Or if something's actively broken, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose my headers

I'm reading headers from an email sent by your sending domain that landed in spam / bounced / failed authentication. Here's what I can see: - Authentication-Results: paste your auth results line - Received hops: number of hops or paste Received lines - Return-Path: paste value - Any X-Spam lines: paste if present Based on these fields, can you identify what likely went wrong and which header is pointing to the cause?

Edit the yellow boxes, then send to the AI of your choice.