
How To Interpret an Email Header

If you receive a threatening or potentially criminal email, there are a few steps you can take to try to determine the individual origin of the email.

An email header conveys some very important information. By default, most email programs are configured to show only brief headers. By viewing the full header you can obtain key information.

Instructions on viewing the full email header will vary depending on your email software.

By examining the full header, you can determine the server that the email passed through and the IP addresses of both the sender and the recipient. Once you have determined the sender's IP, you can learn how to trace the IP Address.

Brief Header

From: "Lulu Jones" <ljones@hotmail.com>
To: Nope@hotmail.com; sdf9@comcast.net
Subject: A great deal!
Date: Wed, 06 Mar 2003 09:36:17-0500

Full Header

From: "Lulu Jones" <ljones@hotmail.com>
To: Nope@hotmail.com; sdf9@comcast.net
Subject: A great deal!
Date: Wed, 06 Mar 2003 09:36:17-0500
MIME-Version: 1.0
X-Originating-IP: [63.131.101.68]
Received: from 63.131.101.68 by lw15fd.law15.hotmail.msn.com with HTTP; Wed, 06 Mar 2003 14:36:17 GMT

The order of information in a full email header may vary from system to system, but could include these items:

From:
Indicates who sent the email.
To:
Lists the recipients of the email. In the example above, there are two.
Subject:
This is what the sender has typed into the subject field.
Date:
This indicates the date and time that the message was originally sent.
MIME-Version:
MIME is an acronym for Multipurpose Internet Mail Extensions. This indicates that your email client is able to view images or videos as well as text. This may not appear in all email clients.
X-Originating-IP:
This line appears in many of the newer email clients and shows the IP address from which the email originated. This may not appear in all email clients.
Received:
This shows the routing IP by which the email was sent and the time it arrived at the mail server. Essentially, this can be used to trace the path that the email took to get to your computer. The email in the example above originated from a computer with the IP address 63.131.101.68. If several routing IPs are listed here, the email probably passed through multiple recipients. Your machine's information will be listed at the top. The sender's will be listed at the bottom. Any other machines that the email passed through will be listed in the middle.
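The reading order described above (recipient at the top, sender at the bottom) can be applied mechanically. The following Python sketch is an added example, not part of the original guidance: it parses the full header shown on this page, lists the Received: hops in travel order, and checks whether X-Originating-IP agrees with the earliest hop. The second relay hop, the address 192.0.2.10, the host mx.example.net and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed relay hop (192.0.2.10 and mx.example.net are made up),
# folded over two lines the way real headers often are.
CONSTRUCTED_HOP = (
    "Received: from lw15fd.law15.hotmail.msn.com ([192.0.2.10])\n"
    "\tby mx.example.net with SMTP; Wed, 06 Mar 2003 14:36:20 GMT\n"
)
# The full header as shown on this page.
PAGE_HEADER = (
    'From: "Lulu Jones" <ljones@hotmail.com>\n'
    "To: Nope@hotmail.com; sdf9@comcast.net\n"
    "Subject: A great deal!\n"
    "Date: Wed, 06 Mar 2003 09:36:17-0500\n"
    "MIME-Version: 1.0\n"
    "X-Originating-IP: [63.131.101.68]\n"
    "Received: from 63.131.101.68 by lw15fd.law15.hotmail.msn.com with HTTP; Wed, 06 Mar 2003 14:36:17 GMT\n"
)
SAMPLE = CONSTRUCTED_HOP + PAGE_HEADER
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ipv4_in(text):
    """Dotted-quad IPv4 addresses found in text, in order (octets <= 255)."""
    return [c for c in IPV4.findall(text or "")
            if all(int(octet) <= 255 for octet in c.split("."))]

def received_hops(raw_header):
    """Received: lines in travel order (the sender's hop first)."""
    hops = []
    # Each server adds its line on top, so read the list bottom-up.
    for value in reversed(message_from_string(raw_header).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from (?P<src>.*?) by (?P<by>\S+)", value)
        if m:
            hops.append({"from_ips": ipv4_in(m["src"]), "by": m["by"]})
    return hops

def origin_report(raw_header):
    """Compare X-Originating-IP with the source of the earliest hop."""
    claimed = ipv4_in(message_from_string(raw_header).get("X-Originating-IP"))
    hops = received_hops(raw_header)
    first = hops[0]["from_ips"] if hops else []
    return {"x_originating_ip": claimed, "first_hop_ip": first,
            "consistent": bool(claimed) and claimed == first,
            "path": [h["by"] for h in hops]}

if __name__ == "__main__":
    print(origin_report(SAMPLE))
```

Only the Received: lines written by servers you control or trust are reliable; lines below them, and X-Originating-IP itself, are supplied by upstream systems and can be forged, so a mismatch between the two values is worth noting in any report.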

This information was received from the Florida Department of Law Enforcement's Computer Crime Center.