2/8/24, 5:28 PM What is an Email Header and How to Read Them?

- LetsDefend

HomeLearnPracticeChallengePricing

Phishing Email Analysis

All Lessons Structure Files
Introduction to Phishing

Information Gathering

What is an Email Header and How to Read

Them?

Email Header Analysis

Static Analysis

Dynamic Analysis

Additional Techniques

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 1/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

HomeLearnPracticeChallengePricing
What is an Email Header and How to Read Them?

In this section, we will explain what the header information in an email is, what can be done
with this information and how to access this information. It is important to follow this
section carefully as we will explain how to perform the header analysis in the next section.

What is an Email Header?

"Header" is basically a section of the mail that contains information such as sender, recipient
and date. In addition, there are fields such as "Return-Path", "Reply-To", and "Received".
Below you can see the header details of a sample email.

What does the Email Header do?

Enables Shipper and Recipient Identification

Thanks to the "From" and "To" fields in the header, it is determined from whom an email will
go to whom. If we look at the email above that you downloaded in "eml" format, we see that

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 2/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

it was sent from the address "ogunal@letsdefend.io"to "info@letsdefend.io"

HomeLearnPracticeChallengePricing

Spam Blocker

It is possible to detect spam emails using Header analysis and other various methods. This
protects people from receiving SPAM emails.

Allows Tracking an Email’s Route

It is important to check the route it follows to see if an email came from the right address. If
we look at the sample email above, we see that it came from the "ogunal@letsdefend.io"
address, but did it actually come from the "letsdefend.io" domain or from a different fake
server that mimics the same name? We can use the header information to answer this
question.

Important Fields

From

The "From" field in the internet header indicates the name and email address of the sender.

To

This field in the mail header contains the email's receiver's details.

It includes their name and their email address. Fields like CC (carbon copy) and BCC (blind
carbon copy) also fall under this category as they all include details of your recipients.

If you want to find out more about carbon copy and blind carbon copy, check out how to
use CC and BCC.

Date

This is the timestamp that shows when the email was sent.

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 3/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

In Gmail, it usually follows the format of "day dd month yyyy hh:mmss

HomeLearnPracticeChallengePricing

So if an email had been sent on the 16th of November, 2021, at 4:57:23 PM, it would show
as Wed, 16 Nov 2021 16:57:23.

Subject

The subject mentions the topic of the email. It summarizes the content of the entire
message body.

Return-Path

This mail header field is also known as Reply-To. If you reply to an email, it will go to the
address mentioned in the Return-Path field.

Domain Key and DKIM Signatures

The Domain Key and Domain Key Identified Mail (DKIM) are email signatures that help email
service providers identify and authenticate your emails, similar to SPF signatures.

Message-ID

The Message ID header field is a unique combination of letters and numbers that identifies
each mail. No two emails will have the same Message ID.

MIME-Version

Multipurpose Internet Mail Extensions (MIME) is an internet standard of encoding. It

converts non-text content like images, videos, and other attachments into text so they can
be attached to an email and sent through SMTP (Simple Mail Transfer Protocol).

Received

The received field lists each mail server that went through an email before arriving in the
recipient's inbox. It's listed in reverse chronological order — where the mail server on the
top is the last server the email message went through, and the bottom is where the email
originated.

X-Spam Status

The X-Spam Status shows you the spam score of an email message.
First, it'll highlight if a message is classified as spam.
Then, the spam score of the email is shown, as well as the threshold for the spam for the
email.
An email can meet either the spam threshold of an inbox or exceed it. If it's too spammy and

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 4/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

exceeds the threshold, it will automatically be classified as spam and sent to the spam
folder. HomeLearnPracticeChallengePricing

Field Definitions: gmass.co

How to Access Your Email Header?

Gmail

1- Open the relevant e-mail

2- Click on the 3 points at the top right "..."
3- Click on the "Download message" button.

4- Downloaded ".Open the file with the extension "eml" with any notebook application

Outlook

1- Open the relevant e-mail

2- File - > Info -> Properties - > Internet headers

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 5/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

HomeLearnPracticeChallengePricing

Course Files

Challenge Mail

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 6/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

Password: infected

HomeLearnPracticeChallengePricing

Questions Progress

Correct

Download the email above, if we want to answer this email, what would the recipient’s address be?

info@letsdefend.io Completed

Hint

Correct

What year was the email sent?

2022 Completed

Hint

Correct

What is the Message-ID value? (without > < )

74bda5edf824cea8aad36e707.675c34a61f.20220321204512.a02caa Completed

Hint

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 7/8
2/8/24, 5:28 PM What is an Email Header and How to Read Them? - LetsDefend

HomeLearnPracticeChallengePricing

Back Next

LetsDefend

Social

Resources

Support

Community

Plans

Roles

https://app.letsdefend.io/training/lesson_detail/what-is-an-email-header-and-how-to-read-them 8/8