Find Out Where an Email Came From (Read Email Headers)

This article applies to: Security & Policy, Students

It is easy to fake what appears in the From or Reply-to line of an email message. Check the message headers to discover the message's real origin. Message headers are the material that comes before the body of a message.

Quick Check

Sometimes information in the headers contradicts the From line. For instance, here are the headers of a message that claims to be from PayPal:

(1)-From: “PayPal Customer Service” <>
    Subject: Account Management
    Date: Tue, 12 Feb 2008 17:49:19 -0600

(1) The From address looks fine (

(2) The X-Original-Hostname shows that the message actually came from somewhere at Auburn University (

Full Headers Check

If a quick check doesn't give you the answer, look at the message's full headers. See instructions to display full headers.

Full headers show the path that an email message traveled, and they can be quite long. For example, you normally see the following:

From: “PayPal”<>
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

Turning on full headers reveals the full picture:

Return-Path: <>
Received: from ([unix socket])
by (Cyrus v2.1.11) with LMTP; Tue, 25 Dec 2007
13:51:10 -0500
Received: from ( [])
by (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763
for <>; Tue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: (from daemon@localhost)
by (8.13.6/8.12.6) id lBPIp64G017076
for; Tue, 25 Dec 2007 13:51:06 -0500 (EST)
Received: from localhost.localdomain ( [])
by (8.13.6/8.12.6) with ESMTP id lBPIp4F8017044
for <>; Tue, 25 Dec 2007 13:51:05 -0500 (EST)
Received: from unknown-host
by soapstone1 with queue (Sophos PureMessage Version 5.301) id 72862194-1
for; Tue, 25 Dec 2007 18:41:18 GMT
Received: from router1_tc []
by with SMTP id ;
Tue, 25 Dec 2007 18:41:18 GMT
Received: from (unknown []) by;
Tue, 25 Dec 2007 13:41:18 -0500
(3)-Received: from dc2 ([]) by with Microsoft SMTPSVC (6.0.3790.1830);
Wed, 26 Dec 2007 02:40:44 +0800
X-PH: V4.1@hermes30
From: “PayPal”<>

Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

(3) The highlighted information indicates where the email message started its journey. Check the line starting with Received above the Subject line. In the example, the hostname is The .tw stands for Taiwan, an unlikely origin for a message from PayPal.

If the email had actually come from PayPal, the Received line would probably show that the email started its journey at

Received: from ( []) by;Thu, 2 Oct 2008 13:05:54 -0400
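The full headers check described above can be scripted. The following is an added example, not part of the original article: it reads the Received lines from the bottom up and compares the host that started the journey with the domain in the From line. The sample message, all hostnames, and all IP addresses are constructed placeholders, and `received_hops` and `quick_check` are hypothetical helper names.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: reserved .example names and documentation IP ranges.
SAMPLE = """\
Return-Path: <bounce@mailhost.example>
Received: from mx1.university.example (mx1.university.example [192.0.2.10])
\tby store.university.example with LMTP; Tue, 25 Dec 2007 13:51:10 -0500
Received: from dc2 (dc2.mailhost.example [198.51.100.7])
\tby mx1.university.example with ESMTP; Tue, 25 Dec 2007 13:41:18 -0500
From: "PayPal" <service@paypal.example>
Subject: Security Measures

Body text.
"""

# "from <name the sender announced> (<reverse DNS> [<IP>]) by <receiving server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s()]+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[^\]]*)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)"
)

def received_hops(raw):
    """Return the Received hops oldest-first (bottom of the header block first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold wrapped lines
        if match:
            hops.append(match.groupdict())
    return hops

def quick_check(raw):
    """Compare the From domain with the host that started the message's journey."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(raw)
    origin = hops[0] if hops else {}
    # Prefer the name the receiving server looked up over the announced one.
    host = (origin.get("rdns") or origin.get("helo") or "").lower()
    matches = bool(from_domain) and (host == from_domain or host.endswith("." + from_domain))
    return {"from_domain": from_domain, "origin": origin, "origin_matches_from": matches}

if __name__ == "__main__":
    print(quick_check(SAMPLE))
```

Only the Received lines added by mail servers you trust are reliable; lines below the first trusted hop are supplied by the sending side and can be forged. A mismatch is a reason to look closer, not proof by itself, because legitimate senders often use third-party mail services.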

About this Article

Last updated: Friday, March 25, 2022 - 3:34pm
