I’m trying to figure out an email problem and the ISP support said I needed
to send them the “full email headers” of the message. Huh? What’s that and how
do I get it? I use Gmail.
There’s more to email than meets the eye.
In fact, there’s a LOT more.
Bundled with every message is typically a list of information, including the mail server that it originated from, the servers that it traveled across along its way, as well as a
bunch of other optional information relating to who sent it, anti-spam
information, mailing list unsubscribe information, and much, much more.
It’s a bunch of geekery that you really don’t want to see every time.
But if you do, it’s easy to get at it, particularly in Gmail.
Headers in Gmail
Here’s an email message displayed in Gmail:
Hopefully, that’s a very familiar looking message – a copy of my newsletter.
Next to the date towards the top right are a couple of icons. Click the
downward-pointing triangle:
Click Show original.
This will open the full original email message in a new tab or window in the
text format in which it’s actually encoded:
The “email headers” include everything until the first blank line.
Everything after that is the email message itself.
Sending email headers
Even though you might send rich text and even pictures, email is always sent
in plain text. Anything that’s not plain text in your message will be encoded
into something that can be represented in plain text.
The headers themselves are always plain text.
If your ISP or someone helping you diagnose an email problem has asked for
the headers, start by composing a new message – it’ll be helpful if you can
select plain text format or compose that new message as plain text.
From the window in which Gmail is displaying the original message, select
all the text from the top to the first blank line, right-click it and click Copy.
Then, switch to the message that you’re composing, right-click in the body, and
click Paste.
Send that message to whomever was requesting it.
What is all this junk?
Go ahead and page up and down and have a look around in the original
message. You’ll see a lot of stuff in there.
A lot of “geekery,” as I said earlier.
The headers are a series of lines of information about the message being
sent. If the first column is not blank, then the line begins with a token
followed by “:”. For example, you’ll see many lines that begin with “Received:”.
Each mail server along the path from sender to recipient adds a Received:
line to the header so that the email message’s path can be identified.
You’ll also see some familiar lines like To:, From: and Subject:,
which are themselves nothing more than header lines.
There are too many to cover them all here. Many are obvious, many are
not.
Header information can be faked
Finally, I want to point out that we often think of using header information
to trace where an email comes from. While technically possible to a point, it’s
often the case that a specific sender can NOT be identified if
they’re trying to be sneaky.
And to the technically-inclined, it’s not hard to be sneaky.
Information in the header can be faked or spoofed, and it sometimes takes a
close, knowledgeable eye to be able to identify when this happens.
That’s probably why you’re sending it to someone who understands it.
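As an added illustration (not part of the original article), this Python sketch shows what the person receiving your headers typically does with them: cut the header block at the first blank line, put the Received: lines in travel order, and separate the From: display name from the actual address. The message, hostnames and IP addresses are constructed samples, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape Gmail's "Show original" displays; not a real message.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123;
\tFri, 11 May 2012 10:00:05 -0700
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tFri, 11 May 2012 10:00:03 -0700
From: "Post Express" <postmail@sender.example>
To: reader@recipient.example
Subject: Your parcel

Please open the attachment.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)")

def header_block(raw):
    """Everything up to the first blank line: the part support staff ask for."""
    return raw.replace("\r\n", "\n").partition("\n\n")[0]

def received_path(raw):
    """Received: hops in travel order, as (claimed_host, ip, recording_server)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(line)
        hops.append(m.groups() if m else (line, None, None))
    # Each server adds its line at the top, so reverse for sender-to-recipient order.
    return hops[::-1]

def from_identity(raw):
    """Split From: into the display name a mail client shows and the address."""
    name, addr = parseaddr(message_from_string(raw)["From"])
    return name, addr, addr.rpartition("@")[2].lower()

if __name__ == "__main__":
    for host, ip, by in received_path(RAW):
        print(f"{host} [{ip}] -> {by}")
    print(from_identity(RAW))
```

Only the Received: lines written by servers you trust (normally your own provider's) are reliable; anything below them was supplied by the sending side and is just text.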
Leo, correct me if I’m wrong, one thing the sender can’t spoof is the header’s actual “From” information. While they can make an email address like “trust_me@irs.gov” appear in the “From” field in an effort to make you think it’s an email from the US Government, the header will always show the real “From” field that sent it. Granted, if it’s a “sneaky” sender, they won’t be sending it from their actual email server, rather it will come from “hijacked_account@botnet_server.com”…correct?
11-May-2012
I CANNOT send a letter or an eMail with the latest update of Mozilla Thunderbird??
It simply does Not have a “Send”
Any suggestions??
{email address removed}
11-May-2012
Re: No send in T_Bird — Cole, Open “write” window,
right click 2nd band at top. Should see “menu bar”
and “composition toolbar” with check before each.
If Missing check, select item to add check. Should bring back send. Customize while there. Best wishes,
Ron_H Thanks go to Leo!
Thanks for the reply Leo…and that’s why people visit your site and sign up for your email list…you can explain things very well. You’ve cleared up some confusion I was having.
An example of what I was looking at is a spam message from “Post Express” (it had a virus attached to it) and it comes across as trying to be from the United States Postal Service and wants me to open the attachment.
The “Received:” info in the header says:
“Received: from abcdefg.com ([123.123.123.123])”
(I’ve changed the IP and domain to protect the innocent)
Then the “From” line says:
“From: “Post Express” postmail@abcdefg.com“
This begs the question, why would the USPS use a mail server named “abcdefg.com”. The answer is simply that they wouldn’t. Since many would be suspicious they’ve put “Post Express” in there knowing that anyone using MS Outlook and possibly some other mail clients will ONLY see those words and it will help with the spoofing.
So, this confirms what you stated…the “From:” information can be anything (and who knows if “postmail” exists on that server) but it came from abcdefg.com, which is not the USPS.
Thanks for the reply Leo.