Email Fundamentals: How to Read Email Message Headers

The headers of an email message contain very useful information for Exchange Server administrators. Header information includes such things as which email servers were involved in the transmission of the message, and whether the email message was scanned for spam or viruses.

This is useful for both internal and external email messages. In one recent real-world example we used message headers to diagnose which hop along the email route was causing large delays for emails into the organization.

To view the message headers in Outlook 2010 click on the arrow next to Tags in the ribbon menu.

To view the message headers in Outlook 2007 click on the arrow next to Options in the ribbon menu.

The message options will appear with the header information towards the bottom.

I usually find it easier to copy the header text into Notepad for viewing.

So let’s take a look at some of the header information that is useful to us. First there is the basic information about the email message itself.

Then there are the email servers that the message passed through on its way to the destination. Each server adds its own Received line above the existing ones, so to follow the hops in order start at the bottom and read upwards.

These lines are generally in the following format:

Received: from servername (IP address) by servername (IP address) with MTA-name; timestamp

When a message passes over several hops this can get a bit confusing to read. So I like to break out each entry and tidy them up into a readable format. I usually get something more like this:

1. ironport1-mx.cbr1.mail-filtering.com.au (203.88.115.241) -> HO-EX2010-CAHT1.exchangeserverpro.net (10.1.1.14); Mon, 19 Sep 2011 19:41:57 +1000

2. ju001lcs02.dfw.the-server.net.au ([175.107.191.11]) -> ironport1-mta.cbr1.mail-filtering.com.au with ESMTP; 19 Sep 2011 19:41:43 +1000

3. [209.85.213.177] (helo=mail-yx0-f177.google.com) -> ju001lcs02.dfw.the-server.com.au; Mon, 19 Sep 2011 19:41:42 +1000

4. yxi11; Mon, 19 Sep 2011 02:41:38 -0700 (PDT)

5. 10.68.5.133; Mon, 19 Sep 2011 02:41:38 -0700 (PDT)

6. 10.68.43.230; Mon, 19 Sep 2011 02:41:38 -0700 (PDT)

To me that is just more readable. You can take it a step further by converting the timestamps into the same time zone (note that hops 4 to 6 above are stamped in -0700 PDT while hops 1 to 3 are in +1000), which makes it a little easier to identify any major delays as the message was transmitted between servers.
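The bottom-up reading, the tidied "from -> by; timestamp" layout and the time zone conversion described above can all be done by a small script. The following Python is an added example (it is not code from the original article) that parses the Received headers of a raw message with the standard library, lists the hops in transmission order, converts every timestamp to UTC and reports the delay at each hop. The message text is constructed from the hops listed above, folded into normal header syntax; hop 1 is shown without an MTA name because the list above does not give one.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the hops listed above, written as Received headers in the
# form the message options dialog (or Notepad) would show them. Only the first
# three carry a "from ... by ..." clause; the fourth is a "by"-only handoff.
RAW_MESSAGE = """\
Received: from ironport1-mx.cbr1.mail-filtering.com.au (203.88.115.241)
 by HO-EX2010-CAHT1.exchangeserverpro.net (10.1.1.14);
 Mon, 19 Sep 2011 19:41:57 +1000
Received: from ju001lcs02.dfw.the-server.net.au ([175.107.191.11])
 by ironport1-mta.cbr1.mail-filtering.com.au with ESMTP;
 19 Sep 2011 19:41:43 +1000
Received: from [209.85.213.177] (helo=mail-yx0-f177.google.com)
 by ju001lcs02.dfw.the-server.com.au; Mon, 19 Sep 2011 19:41:42 +1000
Received: by yxi11; Mon, 19 Sep 2011 02:41:38 -0700 (PDT)
From: sender@example.com
To: recipient@exchangeserverpro.net
Subject: header trace sample

(message body)
"""

# "from <host> by <host> <anything else>"; the "from" part is optional because
# an internal handoff may record only the receiving server.
CLAUSE_RE = re.compile(r"^(?:from\s+(?P<src>.+?)\s+)?by\s+(?P<dst>\S+)(?P<rest>.*)$")


def parse_received(value):
    """Split one Received header into sender, receiver, MTA and UTC timestamp.

    Returns None when the header carries no ';'-separated timestamp or no
    'by' clause, since such a line cannot be placed on the timeline.
    """
    text = " ".join(value.split())               # unfold continuation lines
    clause, sep, date_text = text.rpartition(";")  # timestamp follows the last ';'
    if not sep:
        return None
    m = CLAUSE_RE.match(clause.strip())
    if m is None:
        return None
    rest = m.group("rest")
    ip = re.match(r"\s*\(([^)]+)\)", rest)       # optional "(ip)" after the receiver
    mta = re.search(r"\bwith\s+(\S+)", rest)     # optional "with <MTA/protocol>"
    stamp = parsedate_to_datetime(date_text.strip())
    if stamp.tzinfo is None:                     # a "-0000" stamp parses as naive
        stamp = stamp.replace(tzinfo=timezone.utc)
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dst_ip": ip.group(1) if ip else None,
        "mta": mta.group(1) if mta else None,
        "time_utc": stamp.astimezone(timezone.utc),
    }


def trace_hops(raw_message):
    """Return the hops in transmission order (bottom Received header first),
    each with the seconds elapsed since the previous hop's timestamp."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops, previous = [], None
    for value in reversed(received):             # servers prepend, so read bottom-up
        hop = parse_received(value)
        if hop is None:
            continue
        # Negative values here mean the two servers' clocks disagree.
        hop["delay_seconds"] = None if previous is None else (hop["time_utc"] - previous).total_seconds()
        previous = hop["time_utc"]
        hops.append(hop)
    return hops


def slowest_hop(hops):
    """(index, seconds) of the hop that waited longest, or None if untimed."""
    timed = [(h["delay_seconds"], i) for i, h in enumerate(hops) if h["delay_seconds"] is not None]
    if not timed:
        return None
    delay, index = max(timed)
    return index, delay


def format_hop(index, hop):
    """Render a hop in the tidied 'from -> by; timestamp' style used above."""
    src = f"{hop['src']} -> " if hop["src"] else ""
    ip = f" ({hop['dst_ip']})" if hop["dst_ip"] else ""
    mta = f" with {hop['mta']}" if hop["mta"] else ""
    delay = "" if hop["delay_seconds"] is None else f"  [+{hop['delay_seconds']:.0f}s]"
    return f"{index}. {src}{hop['dst']}{ip}{mta}; {hop['time_utc']:%Y-%m-%d %H:%M:%S} UTC{delay}"


if __name__ == "__main__":
    hops = trace_hops(RAW_MESSAGE)
    for i, hop in enumerate(hops, 1):
        print(format_hop(i, hop))
    worst = slowest_hop(hops)
    if worst:
        print(f"Largest delay: hop {worst[0] + 1}, {worst[1]:.0f} seconds")
```

For the sample above the output lists the Google handoff first and the Exchange hub last, with the 14-second wait between the mail filter and the Exchange server standing out as the largest delay. When reading real traces, remember that only the Received lines stamped by servers you administer are authoritative; every line beneath them was written by someone else's system and can be missing, malformed or simply untrue, which is why the parser skips lines it cannot place rather than failing on them.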

As you can see, by learning to view and understand message headers you gain a much deeper understanding of how email messages flow between senders and recipients, which will help you a lot in troubleshooting situations.