
Find Out Where an Email Came From (Read Email Headers)

This article applies to: Security & Policy, Students


It is easy to fake what appears in the From or Reply-to line of an email message. Check the message headers to discover the message's real origin. (Message headers are the material that comes before the body of a message.)

Quick Check

Sometimes information in the headers contradicts the From line. For instance, here are the headers of a message that claims to be from PayPal:

(1)-From: “PayPal Customer Service” <service@paypal.com>
    Subject: Account Management
    Date: Tue, 12 Feb 2008 17:49:19 -0600
    X-Original-IP: 131.204.2.2
(2)-X-Original-Hostname: d1.duc.auburn.edu

(1) The From address looks fine (service@paypal.com).

(2) The X-Original-Hostname shows that the message actually came from somewhere at Auburn University (d1.duc.auburn.edu), not from PayPal.

Full Headers Check

If a quick check doesn't give you the answer, look at the message's full headers. See instructions to display full headers.

Full headers show the path that an email message traveled, and they can be quite long. For example, you normally see the following:

From: “PayPal”<service@paypal.com>
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

Turning on full headers reveals the full picture:

Return-Path: <service@paypal.com>
Received: from postoffice7.mail.cornell.edu ([unix socket])
by postoffice7.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Tue, 25 Dec 2007
13:51:10 -0500
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [132.236.56.55])
by postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763
for <ewe2@postoffice7.mail.cornell.edu>; Tue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: (from daemon@localhost)
by hermes30.mail.cornell.edu (8.13.6/8.12.6) id lBPIp64G017076
for ewe2@postoffice7.mail.cornell.edu; Tue, 25 Dec 2007 13:51:06 -0500 (EST)
Received: from localhost.localdomain (soapstone1.mail.cornell.edu [128.253.83.143])
by hermes30.mail.cornell.edu (8.13.6/8.12.6) with ESMTP id lBPIp4F8017044
for <ewe2@cornell.edu>; Tue, 25 Dec 2007 13:51:05 -0500 (EST)
Received: from unknown-host
by soapstone1 with queue (Sophos PureMessage Version 5.301) id 72862194-1
for ewe2@cornell.edu; Tue, 25 Dec 2007 18:41:18 GMT
Received: from router1_tc [10.253.83.144]
by with SMTP id ;
Tue, 25 Dec 2007 18:41:18 GMT
(envelope-from service@paypal.com)
Received: from mail01.crtc.com.tw (unknown [61.30.114.162]) by 128.253.83.144; Tue, 25
Dec 2007 13:41:18 -0500

(3)-Received: from dc2 ([12.47.15.100]) by mail01.crtc.com.tw with Microsoft
    SMTPSVC(6.0.3790.1830);
    Wed, 26 Dec 2007 02:40:44 +0800

X-PH: V4.1@hermes30
From: “PayPal”<service@paypal.com>

Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600
And so on…

(3) This Received line indicates where the email message started its journey. Each mail server that handles a message adds its own Received line above the earlier ones, so the last Received line, the one just above the From and Subject lines, records the first hop. In the example, the host name is mail01.crtc.com.tw. The .tw stands for Taiwan, an unlikely origin for a message from PayPal.

If the email had actually come from PayPal, the Received line would probably show that the email started its journey at paypal.com:

Received: from email-120.paypal.com (email-120.paypal.com [206.165.243.120]) by
128.253.83.155; Thu, 2 Oct 2008 13:05:54 -0400
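The quick check and the full-headers check above, as an added Python example that is not part of this article. The sample headers are trimmed copies of the ones shown in the article; the From line attached to the genuine PayPal hop, the function names and the report fields are constructed for the example.

```python
import email
import email.utils
import re

# Constructed samples: trimmed copies of the headers shown in this article.
# Continuation lines are indented so the parser folds them into one header.
QUICK_HEADERS = """\
From: "PayPal Customer Service" <service@paypal.com>
Subject: Account Management
Date: Tue, 12 Feb 2008 17:49:19 -0600
X-Original-IP: 131.204.2.2
X-Original-Hostname: d1.duc.auburn.edu

"""

PHISH_HEADERS = """\
Return-Path: <service@paypal.com>
Received: from postoffice7.mail.cornell.edu ([unix socket])
    by postoffice7.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Tue, 25 Dec 2007
    13:51:10 -0500
Received: from mail01.crtc.com.tw (unknown [61.30.114.162]) by 128.253.83.144; Tue, 25
    Dec 2007 13:41:18 -0500
Received: from dc2 ([12.47.15.100]) by mail01.crtc.com.tw with Microsoft
    SMTPSVC(6.0.3790.1830);
    Wed, 26 Dec 2007 02:40:44 +0800
From: "PayPal" <service@paypal.com>
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

"""

# The article's genuine PayPal hop, with a constructed From line added.
LEGIT_HEADERS = """\
Received: from email-120.paypal.com (email-120.paypal.com [206.165.243.120]) by
    128.253.83.155; Thu, 2 Oct 2008 13:05:54 -0400
From: "PayPal" <service@paypal.com>
Subject: Your receipt

"""


def parse_hop(received):
    """Split one Received header into the name the sender announced (HELO),
    the reverse DNS and IP the relay observed, and the relay ("by") host."""
    text = " ".join(received.split())  # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", text, re.IGNORECASE)
    if m:
        hop["helo"] = m.group(1)
        comment = m.group(2) or ""
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", comment)
        rdns = re.match(r"([A-Za-z0-9.-]+)\s*\[", comment)
        hop["ip"] = ip.group(1) if ip else None
        hop["rdns"] = rdns.group(1) if rdns else None
    by = re.search(r"\bby\s+([^\s;(]+)", text, re.IGNORECASE)
    hop["by"] = by.group(1) if by else None
    return hop


def belongs_to(host, domain):
    """True when host is domain itself or a subdomain of it."""
    if not host or not domain:
        return False
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def origin_report(raw):
    """Run the article's two checks: compare X-Original-Hostname (quick check)
    and the first Received hop (full headers) against the From domain."""
    msg = email.message_from_string(raw)
    claimed_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]

    hops = [parse_hop(h) for h in (msg.get_all("Received") or [])]
    hops.reverse()  # each relay prepends its line, so the last header is the first hop
    first_hop = hops[0] if hops else None

    x_host = msg.get("X-Original-Hostname")
    # Only relay-observed names count: the HELO name is chosen by the sender,
    # so it is reported but never used to clear a message.
    observed = [x_host]
    if first_hop:
        observed += [first_hop["rdns"], first_hop["by"]]
    origin_hosts = [h for h in observed if h]
    return {
        "claimed_domain": claimed_domain,
        "first_hop": first_hop,
        "x_original_hostname": x_host,
        "origin_hosts": origin_hosts,
        "origin_matches_claim": any(belongs_to(h, claimed_domain) for h in origin_hosts),
    }


if __name__ == "__main__":
    for label, raw in (("quick", QUICK_HEADERS), ("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        r = origin_report(raw)
        verdict = "consistent" if r["origin_matches_claim"] else "does NOT match the From domain"
        print(f"{label}: claims {r['claimed_domain']}, origin {r['origin_hosts']} -> {verdict}")
```

Running the script prints one verdict per sample: the Auburn and Taiwan origins do not belong to paypal.com, while email-120.paypal.com does. Two caveats apply when reading the output: the name right after "from" is whatever the sending machine announced, so the reverse DNS and IP in parentheses (added by the receiving relay) and the relay's own "by" host are the parts worth trusting; and legitimate bulk mail is often sent through third-party providers, so an origin that does not match the From domain is a reason to look closer rather than proof of forgery on its own.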

About this Article

Last updated: Thursday, November 15, 2018 - 4:25pm
