Email headers contain the complete story of a message’s journey: who sent it, which servers it passed through, whether authentication succeeded, and why it landed in spam. Knowing how to read them means knowing how to diagnose.

How to Access Headers

  • Gmail: open the email → ⋮ → “Show original”
  • Outlook: open the email → File → Properties → “Internet headers”
  • Apple Mail: View → Message → All Headers
  • Thunderbird: View → Message Source

Or paste them directly into Sender Audit’s Header Analyzer for a visual analysis.

Essential Headers

From:

The address displayed in the recipient’s mail client. This is the domain that DMARC protects.

From: Simon Bressier <simon@example.com>

Warning: the From: header is easily forged. That’s exactly what SPF, DKIM, and DMARC fight against.

Return-Path: (Envelope From)

The address used for bounces (non-delivery messages). This is the domain that SPF checks.

Return-Path: <bounces+12345@esp-domain.com>

If the Return-Path is a different domain than the From:, SPF alignment for DMARC will fail. This is very common with ESPs. That’s why DKIM is essential as a complement.

Received:

Every server that handles the email adds a Received: header. They’re read bottom to top: the first Received: (at the bottom) is the originating server.

Received: from mx2.dest.com (mx2.dest.com [203.0.113.50])
    by mx1.dest.com with ESMTPS id abc123
    for <user@dest.com>; Sat, 26 Apr 2026 10:30:00 +0000

Received: from smtp.esp.com (smtp.esp.com [198.51.100.42])
    by mx2.dest.com with ESMTPS id def456
    for <user@dest.com>; Sat, 26 Apr 2026 10:29:58 +0000

Each Received: contains:

  • from: the sending server
  • by: the receiving server
  • with: the protocol used (ESMTP, ESMTPS = with TLS)
  • for: the recipient
  • date: the timestamp

If you see ESMTP without the S, the email traveled without TLS on that hop.

Authentication-Results:

Added by the receiving server, this is the authentication verdict:

Authentication-Results: mx.google.com;
    dkim=pass header.i=@example.com header.s=selector1 header.b=xjAWgYt1;
    spf=pass (google.com: domain of bounce@esp.com designates 198.51.100.42 as permitted sender) smtp.mailfrom=bounce@esp.com;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
ResultMeaning
dkim=passThe DKIM signature is valid
spf=passThe IP is authorized by the SPF record
dmarc=passDMARC alignment is verified
dis=NONEDisposition: no action (no quarantine/reject)

DKIM-Signature:

The cryptographic signature itself. For a detailed analysis of each field, see Anatomy of a DKIM Signature.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=example.com; s=selector1;
    h=from:to:subject:date;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=xjAWgYt1qLwxzeO4C58+...

Advanced Headers

ARC-* (Authenticated Received Chain)

When an email is forwarded (forwarding, mailing list), SPF often breaks because the forwarder’s IP isn’t in the original sender’s SPF. DKIM can also break if the message is modified (footer added, for example).

ARC (RFC 8617) solves this by creating a chain of trust. Each intermediate server adds:

  • ARC-Seal:: the intermediate server’s signature
  • ARC-Message-Signature:: message signature at the time of transit
  • ARC-Authentication-Results:: authentication results at that point

The final server can walk back the ARC chain to verify that authentication results were good initially, even if SPF/DKIM broke along the way.

ARC-Seal: i=1; a=rsa-sha256; d=forwarder.com; s=arc-key; cv=none; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.com; ...
ARC-Authentication-Results: i=1; mx.forwarder.com;
    dkim=pass header.d=example.com;
    spf=pass smtp.mailfrom=example.com;
    dmarc=pass header.from=example.com

The cv= tag (chain validation) indicates:

  • none: first link (no prior chain)
  • pass: the previous chain is valid
  • fail: the chain is broken

X-Spam-Status: and X-Spam-Score:

Added by anti-spam filters (SpamAssassin, Rspamd):

X-Spam-Status: No, score=-2.1 required=5.0
X-Spam-Score: -2.1

A negative score is good. A high score (above the required threshold) triggers spam marking.

List-Unsubscribe:

Required by Google/Yahoo 2024 requirements for bulk senders:

List-Unsubscribe: <https://example.com/unsub?id=123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Its absence can impact deliverability.

Quick Diagnosis with Headers

SymptomWhere to Look
Email in spamAuthentication-Results, X-Spam-Score
DMARC failAuthentication-Results (check From: vs Return-Path / d= alignment)
DKIM failDKIM-Signature (does d= match? Is the DNS key published?)
SPF failReceived (which IP sent?) + SPF record for Return-Path
Email modified in transitReceived (look for suspicious relays) + DKIM body hash fail

Further Reading