Cornell University

Find Out Where an Email Came From (Read Email Headers)

How to interpret email headers so you can find out where an email came from

This article applies to: Security & Policy, Students

It is easy to fake what appears in the From or Reply-to line of an email message. Check the message headers to discover the message's real origin. Message headers are the material that comes before the body of a message.

Quick Check

Sometimes information in the headers contradicts the From line. For instance, here are the headers of a message that claims to be from PayPal:

(1)-From: “PayPal Customer Service”
Subject: Account Management
Date: Tue, 12 Feb 2008 17:49:19 -0600
X-Original-IP:
(2)-X-Original-Hostname:

(1) The From address looks fine (

(2) The X-Original-Hostname shows that the message actually came from somewhere at Auburn University (

Full Headers Check

If a quick check doesn't give you the answer, look at the message's full headers. See instructions to display full headers.

Full headers show the path that an email message traveled, and they can be quite long. For example, you normally see the following:

From: “PayPal”
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

Turning on full headers reveals the full picture:

Return-Path:
Received: from ([unix socket]) by (Cyrus v2.1.11) with LMTP; Tue, 25 Dec 2007 13:51:10 -0500
Received: from ( []) by (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763 for ; Tue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: (from daemon@localhost) by (8.13.6/8.12.6) id lBPIp64G017076 for; Tue, 25 Dec 2007 13:51:06 -0500 (EST)
Received: from localhost.localdomain ( []) by (8.13.6/8.12.6) with ESMTP id lBPIp4F8017044 for ; Tue, 25 Dec 2007 13:51:05 -0500 (EST)
Received: from unknown-host by soapstone1 with queue (Sophos PureMessage Version 5.301) id 72862194-1 for; Tue, 25 Dec 2007 18:41:18 GMT
Received: from router1_tc [] by with SMTP id ; Tue, 25 Dec 2007 18:41:18 GMT (envelope-from
Received: from (unknown []) by; Tue, 25 Dec 2007 13:41:18 -0500
(3)-Received: from dc2 ([]) by with Microsoft SMTPSVC (6.0.3790.1830); Wed, 26 Dec 2007 02:40:44 +0800
X-PH: V4.1@hermes30
From: “PayPal”
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600
...

(3) The highlighted information indicates where the email message started its journey. Check the line starting with Received above the Subject line. In the example, the hostname is The .tw stands for Taiwan, an unlikely origin for a message from PayPal.

If the email had actually come from PayPal, the Received line would probably show that the email started its journey at

Received: from ( []) by;Thu, 2 Oct 2008 13:05:54 -0400
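
The full headers check above, as an added Python example (not part of the original article): it lists the Received hops oldest first and flags a message whose earliest hop does not share the From address's domain. The sample message, its .example hostnames, the documentation-range IPs and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page): hosts use the reserved .example
# TLD and IPs come from the documentation ranges.
SAMPLE = (
    'Return-Path: <bounce@mailer.example>\n'
    'Received: from mx1.campus.example (mx1.campus.example [192.0.2.10])\n'
    '\tby store.campus.example with LMTP; Tue, 25 Dec 2007 13:51:10 -0500\n'
    'Received: (from daemon@localhost)\n'
    '\tby mx1.campus.example id ABC123; Tue, 25 Dec 2007 13:51:06 -0500\n'
    'Received: from dc2 ([198.51.100.77])\n'
    '\tby dc2.mailer.example with SMTP; Wed, 26 Dec 2007 02:40:44 +0800\n'
    'From: "Payments Service" <service@payments.example>\n'
    'Subject: Security Measures\n'
    '\n'
    'Body text.\n'
)

def received_hops(raw):
    """Return Received hops oldest first (each relay prepends its own line)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())               # unfold continuation lines
        frm = re.match(r"from (\S+)", flat)          # absent for local handoffs
        by = re.search(r"\bby ([^\s;]+)", flat)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None})
    return hops

def site(host):
    """Last two DNS labels; a simplification that ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def origin_contradicts_from(raw):
    """True when no dotted host on the oldest hop shares the From domain.
    Hops below your own mail servers are sender-supplied, so a match proves
    nothing; a mismatch is the signal the page describes."""
    from_domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    hops = received_hops(raw)
    if not hops:
        return False                                 # no routing evidence at all
    hosts = [h for h in (hops[0]["from"], hops[0]["by"]) if h and "." in h]
    return bool(hosts) and all(site(h) != site(from_domain) for h in hosts)
```
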

