What is an Email Header?
An email consists of three vital components: the envelope, the header(s), and the body of the message. The envelope is something that an email user will never see since it is part of the internal process by which an email is routed. The body is the part that we always see as it is the actual content of the message contained in the email. The header(s), the third component of an email, is perhaps a little more difficult to explain, though it is arguably the most interesting part of an email.
In an e-mail, the body (content text) is always preceded by header lines that identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the FROM, TO and DATE headers. Others are optional, but very commonly used, such as SUBJECT and CC. Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message. In other words, any time a message is transferred from one user to another (i.e. when it is sent or forwarded), the message is date/time stamped by a mail transfer agent (MTA) - a computer program or software agent that facilitates the transfer of email message from one computer to another. This date/time stamp, like FROM, TO, and SUBJECT, becomes one of the many headers that precede the body of an email.
To really understand what an email header is, you must see one. Here is an example of a full email header*:
Return-Path: <firstname.lastname@example.org> X-SpamCatcher-Score: 1 [X] Received: from [18.104.22.168] (HELO dc.edu) by fe3.dc.edu (CommuniGate Pro SMTP 4.1.8) with ESMTP-TLS id 61258719 for email@example.com; Mon, 23 Aug 2004 11:40:10 -0400 Message-ID: <4129F3CA.firstname.lastname@example.org> Date: Mon, 23 Aug 2005 11:40:36 -0400 From: Taylor Evans <email@example.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jon Smith <firstname.lastname@example.org> Subject: Business Development Meeting Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit
* email headers should always be read from bottom to top.
Fortunately, most of this information is hidden inside the email with only the most relevant or mandatory headers appearing to the user. Those headers that we most often see and recognize are bolded in the above example.
A single email header has some important characteristics, including perhaps the most important part of an email - this is the KEY:VALUE pairs contained in the header. Looking at the above, you can tell some of the KEY:VALUE pairs used. Here is a breakdown of the most commonly used and viewed headers, and their values:
- From: sender's name and email address (IP address here also, but hidden)
- To: recipient's name and email address
- Date: sent date/time of the email
- Subject: whatever text the sender entered in the Subject heading before sending
Headers Provide Routing Information
Besides the most common identifications (from, to, date, subject), email headers also provide information on the route an email takes as it is transferred from one computer to another. As mentioned earlier, mail transfer agents (MTA) facilitate email transfers. When an email is sent from one computer to another it travels through a MTA. Each time an email is sent or forwarded by the MTA, it is stamped with a date, time and recipient. This is why some emails, if they have had several destinations, may have several RECEIVED headers: there have been multiple recipients since the origination of the email. In a way it is much like the same way the post office would route a letter: every time the letter passes through a post office on its route, or if it is forwarded on, it will receive a stamp. In this case the stamp is an email header.
When viewed in their entirety, these multiple recipient headers will look like this in an email:
Received: from tom.bath.dc.uk ([22.214.171.124] ident=yalrla9a1j69szla2ydr) by steve.wrath.dc.uk with esmtp (Exim 3.36 #2)id 19OjC3-00064B-00 for email@example.com; Sat, 07 Jun 2005 20:17:35 +0100 Received: from write.example.com ([126.96.36.199]) by tom.wrath.dc.uk with esmtp id 19OjBy-0001lb-3V for firstname.lastname@example.org; Sat, 07 Jun 2005 20:17:30 +0100 Received: from master.example.com (lists.example.com [188.8.131.52]) by write.example.com (Postfix) with QMQP id F11418F2C1; Sat, 7 Jun 2005 12:34:34 -0600 (MDT)
In the example shown above, there are three Received: stamps. Reading from the bottom upwards, you can see who sent the message first, next and last, and you can see when it was done. This is because every MTA that processed the email message added a Received: line to the email's header. These Received: lines provide information on where the message originated and what stops it made (what computers) before reaching its final destination. As the example shows, these Received: lines provide the email and IP address of each sender and recipient. They also provide the date and time of each transfer. The lines also indicate if the email address was part of an email list. It is all this information that is valued by computer programmers and IT department associates when making efforts to track and stop SPAM email message. And it is this information that arguable makes headers the most important part of an email.