What is an email header?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Every email you've ever sent or received has two parts: the content you see, and a block of metadata you almost never see. That hidden block is the email header. It lives at the very top of every message, before the body, and it records everything about how that email was born, where it traveled, and whether it passed the trust checks along the way.

Headers divide into two main types:

  • Standard headers are defined by email standards (RFCs) and expected in every message. The most familiar ones are From, To, Subject, Date, and Message-ID. MIME-Version is also here, telling receiving servers what format the message body uses.
  • Extended headers are added by servers as the message travels. Each server that touches the email appends a Received header, so you end up with a chain. Authentication verdicts land here too, in fields like Authentication-Results. Custom fields from ESPs and spam filters show up as X-headers (anything prefixed with X-).

Your email client hides most of this. You see From, To, Subject, and Date. That's it. But the full header is still there, and it contains far more: the complete path the message traveled, spam scores, authentication verdicts for SPF, DKIM, and DMARC, server timestamps, and processing notes from every hop.

When an email lands in spam or goes missing entirely, the headers tell you why. Did SPF fail? Which server flagged it? Where did a 6-hour delay happen? That's all in there, if you know where to look.

To view full headers, the steps differ by client. In Gmail, open the message, click the three-dot menu, and choose "Show original." In Outlook, open the message, go to File, then Properties, and look in the "Internet headers" box. In Apple Mail, go to View and then Message and then All Headers. Most clients have a similar path buried in menus.

But once you have the raw headers, reading them takes a little practice. The Received chain runs bottom-to-top (oldest hop at the bottom, most recent at the top). The Authentication-Results field near the top will usually say something like spf=pass, dkim=fail, or dmarc=none, which tells you exactly where a trust check broke down.

If you want to skip the manual parsing, our free Email Header Analyzer reads the raw block and surfaces what matters. Paste your headers in and it flags auth failures, suspicious hops, and delays. Takes about 10 seconds.

For a deeper look at what each field means, check out the guide on interpreting raw headers.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your headers and describe what went wrong

I'm trying to debug a delivery issue for emails sent from your domain to recipient domain. Based on the raw headers below, can you tell me: (1) which server first flagged the message, (2) whether SPF, DKIM, or DMARC failed and at which hop, (3) where any delays occurred in the Received chain, and (4) what the spam filter verdict was? Here are the full headers: paste headers here

Edit the yellow boxes, then send to the AI of your choice.