With this guide, you’ll learn how to analyze email headers.
What are email headers?
Full email headers (or email message source, Internet headers, etc) are raw and unedited records of an email message we all are accustomed to, but which were not yet encoded by the server.
Why do we need them?
Headers contain information about the place, time and way the message is sent and transmitted to the recipient’s side. You can use it to find out why and where the important message was delayed or rejected, or how unwanted message found its way to your inbox.
How do they look like?
This is how an ordinary message looks in email client:
And this is how its full headers look like:
You can check this guide on how to get email headers in different interfaces.
So, what should they tell me?
In order to understand headers it’s necessary to comprehend the way mail travels from the sender to the recipient. Headers are being attached to the message several times, each time it passes through certain mail host. Headers are being attached to the top of the message, which means that it’s necessary to check them starting from the end in order to trace its flow through the mail system.
We will use a diagram to illustrate each part of the system and corresponding headers.
User A (sender) and user B (recipient) are named as Alice and Bob for your convenience:
Once Alice composes and sends the message, her mailing program attaches the first portion of headers. These are located at the bottom part of the full headers output. Here is an explanation of what happens at this stage:
Stage 2 - Alice's message comes to Google mail system and travels through it.
Corresponding headers are attached by each MTA (Mail Transfer Agent):
Stage 3 - Alice’s message is being sent from Google mail servers to Bob’s mail servers. So, mail is delivered to Bob’s mail account. It’s up to him how and when to connect to it and check for new mail:
All of these headers are added by Bob’s mail server, premium8.web-hosting.com:
What if I see header fields that aren’t explained above?
From time to time you may see additional header fields in an email. This doesn’t mean anything is wrong. Email service providers can add custom header fields to mails that pass through their servers.
Why are they necessary? These fields add extra details in addition to routing information, as such, they enhance the quality of mail processing and improve mail tracking.
Recently we have added X-NCJF-Result and X-NCJF-Version custom fields. They might sound weird for the uninitiated. However, these headers with encrypted technical data help our customer support give updates shortly and Namecheap uses them for internal spam filtering policies. No personal details are hidden inside these new custom fields, and these details are used solely by our company and not transmitted to third parties.
Email service providers often use custom fields, although their titles and purpose can vary. Nevertheless, if any line of your email header seems to be extremely suspicious and you do not understand its meaning, feel free to contact us for assistance.
How can I use mail headers to fight spam?
If Bob has Spam protection software enabled on his mail server, than a spam report is attached to mail headers (you can check this guide to learn how to enable spam protection - SpamAssassin in your cPanel. For Private Email users it is enabled by default).
So, Alice sends a message including few words that draws spam protection software attention:
We are interested in this particular part. Let’s analyze it step by step:
In our example, spam threshold was set to 2, so the message was considered to be spam.
You can set spam threshold in SpamAssassin settings if you have web hosting account with us. If you are a Private Mail subscription owner, please contact our support team, so we can adjust spam filtering settings for your account.
As an alternative, you can blacklist the sender or send a complaint to the registrar of his domain name or to the owner of the IP address.
My message is not delivered. Why?
If a message is not delivered, in most cases bounce-back message should be expected. Bounce-back is an email delivery report, sent by a certain mail server, which was not able to deliver the message further due to a specific error. Just like in regular mail, when a letter is being returned to a sender if a post stamp is not applied.
For example, Alice tries to send a message to bob@nctest.info, but makes a typo in the address and the message is being sent to bib@nctest.info instead. Her mail provider contacts Bob’s mail provider to check whether they have somebody with bib@nctest.info address. If there is no such address, it reports that this user is not available - you will see No mailbox by that name or No such user here errors. Alice’s mail provider sends a bounce-back message to her to let her know that it was not possible to send the message and attaches the reply of Bob’s mail provider for her reference.
A message is being rejected with such code on two conditions:
1. A typo is detected in the address > it should be checked.
2. A mail server is being looked up in the wrong place > MX record for destination address should be checked.
If the bounce-back error received is Mailbox full or Quota exceeded it means that destination mail server (Bob’s one) refuses to receive the message, because webspace, dedicated to storing mail for this address is over the limit. In order to fix this error, Bob should either delete some of the messages he has stored on the server or purchase additional space.
If the bounce-back message says Host unknown, Domain Lookup Failed, it means relatively the same as No such user here, but the typo occurs in the domain part of the address: bob@nctist.info instead of bob@nctest.info. In case the domain name is entered in the correct way, something might be wrong with the way how domain name resolved in the DNS system. It can either get expired or something might go wrong on the side of its name server. Support on the destination side should be contacted in such a case.
Another group of bounce-back error messages is spam-related messages, IP Blacklisted / Listed in Spam report list or sending failed due to Poor MTA reputation. The error indicates that the IP address of the mail server has been compromised by spammers, hackers, or virus propagators.
If you have private email subscription or shared/reseller hosting account with us, please submit a ticket to a corresponding department and attach the bounce-back message to it. Corresponding actions will be taken by us to resolve the issue. If you have User-Responsible VPS or Dedicated server with us you will need to delist your IP addresses with the corresponding organizations on your own.
So email headers are very important part of the mail system and they are essential for the mail issues diagnostics. They help to quickly identify the servers that report the error in the chain and thus fix the issues effectively.