How to read the mail header


With the help of the so-called e-mail header, you can determine some information about a received e-mail, which is otherwise not visible. This way you can, for example, determine the actual sender of an e-mail and unmask fraudulent e-mails. Because with so-called phishing mails and fake sender addresses scammers lure you into the trap again and again.

You can determine the following information in the mail header:

  • The e-mail address of the sender
  • the IP address of the sender (and therefore the actual sender!)
  • the recipients of the mail
  • the date of shipment
  • the subject of the email

Reading e-mail headers – this is how it works

You should first display the mail header in its entirety. In your mail program on the desktop PC, this is probably via "View" or "options possible. Sometimes the mail header is also called source code. The exact name of the function that allows you to view the mail header depends on the mail client you use.

What you see then probably looks something like this:

Screenshot of an e-mail header

We do not want to go into too much detail here. Everything that is important for you, we have highlighted in color. In the following we explain the individual, color-marked areas and show you, which information you can derive from this.

Email header on smartphone

On smartphones it is unfortunately often not possible to read out the email header. If and how it works on your smartphone depends on your operating system as well as your used e-mail program. You can try to access your email with a web browser and see the desktop page there. Some mail providers also offer their own app, which you can install and thus access the header. If this is possible with your smartphone resp. your mail program does not work, open your mail program on a desktop PC.

E-mail address of the sender

Under the specification "Return-Path" find the sender of the e-mail, or. its e-mail address. If there is a cryptic e-mail address here, it is already an indication of a phishing mail. This Address does not have to be correct, it is easy to manipulate, because it is not checked for correctness by the mail server. That’s why you can have a legitimate-looking address here, and it can still be phishing.


You can find the e-mail address and the mail server of the recipient under "Delivered-To" or also "Envelope-To and under the first "Received-Entry.

The Received entries are to be read from bottom to top, that’s why the last entry is named "Received" the one used by the mail server of the Recipients when we receive the mail we will put in the header. The mail server responds with HELO. In our case this is the entry "".

IP address of the sender (the actual sender!)

The IP address, that is actual physical address of the sender, can be found below, within one of the next "Received from"-Details. This is the Received record, which documents the transfer of the mail from the sender server to the recipient server. It says "Received from (this is the sender’s server) by (this is the recipient’s server)".

The sender server is clearly identified by the so-called IP address. This is not falsifiable, is in a square bracket and in this case is This is preceded by the name of the mail server. But it does not have to be correct.

However, you can take the trouble to check if the IP address and the name of the server are the same. So you can also find out where the e-mail really comes from via the IP address.

This is how you do it:

  1. Call (if you have a Windows computer) the command line via Start → Run. Enter "cmd and click OK.
  2. A command window opens. There you type in "nslookup", then a space and then the IP address, which is given as the sender address. There are also web-based tools that do a nslookup query. You can find such services via search engines. The query spits out whether it is the mail server that is also specified in the mail header.
    The output looks something like this:

Not every phishing email is crafted to use fake sender addresses or mail server names. But if you have any doubts about the authenticity of the email, you can clear any last doubts about it – or get it confirmed.

We have summarized the characteristics by which you can recognize phishing e-mails in a separate article here. You can also find current phishing warnings here.

read mail header on smartphone?

Important: With most smartphones it is not possible to view the mail header. If in doubt, open your mail program for this on a desktop PC.

Like this post? Please share to your friends:
Leave a Reply

;-) :| :x :twisted: :smile: :shock: :sad: :roll: :razz: :oops: :o :mrgreen: :lol: :idea: :grin: :evil: :cry: :cool: :arrow: :???: :?: :!: