Kavi Mailing List Manager Help

Chapter 75. Examine Mail Headers


The Examine Mail Headers tool quickly extracts pertinent information from the full header of an email message for troubleshooting. Use this tool when email seems slow or you want to identify the originating sender (or at least the IP address where the email originated). Full headers include the message header, which is ordinarily visible when viewing an email, and the envelope header, which is ordinarily hidden.

The message header includes familiar fields such as 'To', 'CC', 'From', 'Subject' and 'Date'. The envelope header contains information that is often more useful in troubleshooting, since this information isn't set by the sender, but is added by each MTA (host) in the chain of hosts that handle the email during its journey from originating MUA to destination MTA. The 'Return-Path' is used to identify the originating sender, since it includes the IP address from which the email originated. The 'Delivery Path' includes a series of timestamps that reveal how long it took to transfer the email message from one MTA to the next. If email delivery is actually slow, this is where you identify the weak link in the chain. For more information, see Analyzing Email.

You need the full header to troubleshoot email. For instructions on extracting the full header, see Accessing the Full Header for Email Troubleshooting.

For detailed information on troubleshooting email, see Introduction to Troubleshooting Email.

Use the Examine Mail Headers tool to:

  • Instantly extract information from mail headers for troubleshooting purposes.

How to Use Examine Mail Headers

Email Header

Copy and paste the full header into this text box (omit the body or message section of the email), then click Submit.


Information extracted from the email's full header is displayed for you to examine. When you are done, click Analyze Another if you would like to examine headers from a different email message.


Mail Header Results

The 'Return-Path' field from the envelope header contains the most reliable information about the email address of the originating sender (i.e., the fully qualified domain name and IP address of the originator's email account). Since the 'Return-Path' is added by the first receiving MTA in the host-to-host delivery chain, it cannot be completely forged, so it is rarely altered.

In contrast, the 'From' and 'Reply-To' fields can be set to any value. Mailing lists commonly specify values for the 'From' and 'Reply-To' fields as part of the automated bounce handling process (so that when a mailing list message bounces, the bounced message is sent to a special bounce-handling mailbox to prevent it from being sent to the list mailbox and forwarded to subscribers). Unfortunately, spammers reset these fields to help obscure their identity. Some spam filters check to see if the values in the 'From' and 'Reply-To' fields match the value in the 'Return-Path'. If they don't match, the message is deleted, which is why mailing list email sometimes disappears en route. Since this approach to spam detection is so error-prone, its use is deprecated.

The Examine Mail Headers tool doesn't display the 'Reply-To' field, but you can find it by viewing the source in your MUA if you wish.


This displays the contents of the message header's 'From' field, which is set by the sender's computer, so it doesn't necessarily reveal the identity of the sender. Mailing list messages generally add an alias in the 'From' field to protect the sender's private email address.


This displays the contents of the message header's 'To' field. This is the email address to which the message was sent. If it does not match the recipient's email address, then it may have been sent to an alias or mailing list to which the recipient is subscribed, or the recipient may have been CC'd or BCC'd on the email.


The contents of the message header's 'CC' field. This field is available to users sending email from Kavi® Groups document sharing or calendar event tools. The contents of this field can explain why an individual who is not a member of the organization mysteriously received an organization email: someone who knows the recipient added their email address to the CC field when the message was sent.


The message header's 'Date' field. This indicates the date the email was sent (unless the sender's email client is on a computer that has the wrong date).


The contents of the message header's 'Subject' field. If this email is from a list, the name of the list may appear at the beginning of the subject line. If the subject line was blank before being forwarded, it may explain why the email never made it to the intended recipient: it was eaten by a spam filter.

Delivery Path and Times

Sample data:

Wed, 10 Nov 2004 08:19:42 -0000

00:00 00:00 localhost -> server1.example.org

00:00 00:14 server1.example.org -> server2.example.com

Wed, 10 Nov 2004 08:05:12 -0000

This is the simplest possible example: an email sent directly from the originating host (generally a user's computer or, if this is an automated email, the computer hosting the website) to a host at the originator's ISP (probably a mail server), to a host at the receiver's ISP (another mail server). If this email had passed through other hosts, the central lines would be repeated for every leg of the host-to-host journey that the email passed through during the delivery process.

  • The first line in the delivery path indicates the date and time that the email originated according to the originating host's time clock. The time is based on a twenty-four hour clock (i.e., ANSI or military time), normalized to Universal Time.

  • The last line in the delivery path indicates the date and time that the email arrived at the receiving host, according to the receiving host's time clock.

  • Each of the lines between the first and last represents one leg of the host-to-host journey through which the email passed.

    The date and time values display elapsed time, rather than real time, so the first time value is set to zero (i.e., '00:00') as it would be on a stopwatch before you began timing an event. The second time value indicates the time it took to complete the transfer (the point at which you would click the stopwatch).

    The second line of the example represents the transfer from the originating host to the originator's mail server. In this case, the email originated through a mailing list and was sent to a local mail host at the organization, so it appears as though no time elapsed during the first host-to-host transfer. In reality, it may have taken less than a second. The third line shows the transfer of the email from the organization's mail server to the destination host, a mail server at a member company. Again, the initial timestamp is set to '00:00', but this time the second timestamp is set to '00:14', indicating it took 14 minutes to complete the transfer to the destination host.

  • Following the set of time values, each middle line displays the hostname or IP address of the sending host and receiving host for that leg of the transfer process. When an IP address is displayed instead of a hostname, it may indicate a mail server was unable to resolve the hostname that was provided to it and substituted the actual IP address of the sending mail server—possibly because the domain name was forged to hide the true IP of the email's originator.
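The delivery-path calculation described above, as an added example (Python code written for this page, not the Kavi tool's own code). It rebuilds each leg from the 'Received' lines of a constructed header that mirrors the sample data; the function names, the IP addresses and the 'skew' marker for a receiving clock that is behind the sending clock are assumptions of the example.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed header mirroring this chapter's sample data; newest Received first.
SAMPLE_HEADER = """\
Return-Path: <list-bounces@server1.example.org>
Received: from server1.example.org (server1.example.org [192.0.2.10])
\tby server2.example.com with ESMTP; Wed, 10 Nov 2004 08:19:42 -0000
Received: from localhost (localhost [127.0.0.1])
\tby server1.example.org with SMTP; Wed, 10 Nov 2004 08:05:12 -0000
From: list@example.org
Date: Wed, 10 Nov 2004 08:05:12 -0000
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def to_utc(value):
    """Parse an RFC 2822 date; a '-0000' zone parses as naive, so pin it to UTC."""
    dt = parsedate_to_datetime(value.strip())
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def delivery_path(full_header):
    """Return [(sender, receiver, elapsed_seconds)] in oldest-first order."""
    msg = message_from_string(full_header)
    previous = to_utc(msg["Date"])  # originating host's clock
    legs = []
    # Each MTA prepends its Received line, so reverse to follow the journey.
    for received in reversed(msg.get_all("Received", [])):
        hosts = HOP_RE.search(received)
        stamp = to_utc(received.rsplit(";", 1)[1])  # timestamp follows the last ';'
        sender, receiver = hosts.groups() if hosts else ("?", "?")
        legs.append((sender, receiver, (stamp - previous).total_seconds()))
        previous = stamp
    return legs

def format_leg(sender, receiver, seconds):
    """Render one leg as 'HH:MM sender -> receiver', flagging clock skew."""
    if seconds < 0:  # receiving host's clock is behind the sending host's
        return f"skew  {sender} -> {receiver}"
    minutes = int(seconds // 60)
    return f"{minutes // 60:02d}:{minutes % 60:02d} {sender} -> {receiver}"

def slowest_leg(legs):
    return max(legs, key=lambda leg: leg[2])  # the weak link in the chain

if __name__ == "__main__":
    print("\n".join(format_leg(*leg) for leg in delivery_path(SAMPLE_HEADER)))
```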
