
Cornell University

Find Out Where an Email Came From (Read Email Headers)

How to interpret email headers so you can find out where an email came from

This article applies to: Security & Policy, Students


It is easy to fake what appears in the From or Reply-to line of an email message. Check the message headers to discover the message's real origin. Message headers are the material that comes before the body of a message.

Quick Check

Sometimes information in the headers contradicts the From line. For instance, here are the headers of a message that claims to be from PayPal:

(1) From: "PayPal Customer Service"
    Subject: Account Management
    Date: Tue, 12 Feb 2008 17:49:19 -0600
    X-Original-IP: 131.204.2.2
(2) X-Original-Hostname: d1.duc.auburn.edu

(1) The From address looks fine (service@paypal.com).

(2) The X-Original-Hostname shows that the message actually came from somewhere at Auburn University (d1.duc.auburn.edu).

Full Headers Check

If a quick check doesn't give you the answer, look at the message's full headers. See instructions to display full headers.

Full headers show the path that an email message traveled, and they can be quite long. For example, you normally see the following:

From: "PayPal"
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600

Turning on full headers reveals the full picture:

Return-Path:
Received: from postoffice7.mail.cornell.edu ([unix socket]) by postoffice7.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Tue, 25 Dec 2007 13:51:10 -0500
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [132.236.56.55]) by postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763 for ; Tue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: (from daemon@localhost) by hermes30.mail.cornell.edu (8.13.6/8.12.6) id lBPIp64G017076 for ewe2@postoffice7.mail.cornell.edu; Tue, 25 Dec 2007 13:51:06 -0500 (EST)
Received: from localhost.localdomain (soapstone1.mail.cornell.edu [128.253.83.143]) by hermes30.mail.cornell.edu (8.13.6/8.12.6) with ESMTP id lBPIp4F8017044 for ; Tue, 25 Dec 2007 13:51:05 -0500 (EST)
Received: from unknown-host by soapstone1 with queue (Sophos PureMessage Version 5.301) id 72862194-1 for ewe2@cornell.edu; Tue, 25 Dec 2007 18:41:18 GMT
Received: from router1_tc [10.253.83.144] by with SMTP id ; Tue, 25 Dec 2007 18:41:18 GMT (envelope-from service@paypal.com)
Received: from mail01.crtc.com.tw (unknown [61.30.114.162]) by 128.253.83.144; Tue, 25 Dec 2007 13:41:18 -0500
(3) Received: from dc2 ([12.47.15.100]) by mail01.crtc.com.tw with Microsoft SMTPSVC (6.0.3790.1830); Wed, 26 Dec 2007 02:40:44 +0800
X-PH: V4.1@hermes30
From: "PayPal"
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600
...

(3) The line marked (3) indicates where the email message started its journey: it is the last Received line, the one just above the From and Subject lines. In the example, the hostname is mail01.crtc.com.tw. The .tw stands for Taiwan, an unlikely origin for a message from PayPal.

If the email had actually come from PayPal, the Received line would probably show that the email started its journey at paypal.com:

Received: from email-120.paypal.com (email-120.paypal.com [206.165.243.120]) by 128.253.83.155; Thu, 2 Oct 2008 13:05:54 -0400
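The two checks above (compare the From domain with where the message actually entered the mail system, and read the Received chain from the bottom up) can be scripted. The following is an added example, not part of the original article or any Cornell tool: it takes a raw header block, splits each Received line into the "from" host, the reverse-DNS name and IP the receiving server recorded, and the "by" host, then reports the bottom-most hop and whether any of its names fall under the From address's domain. The sample header blocks are constructed from the hosts, IPs and dates printed on this page, refolded into standard header lines; the regular expressions and function names are this example's own. One caveat the article implies but does not state: Received lines are prepended by each server in turn, so the lines written by your own mail servers are trustworthy, while anything below the first hop into your organization was supplied by the sender and could itself be fabricated. The origin hop is therefore the strongest evidence you have, not proof.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the forged PayPal message from the article, with the
# Received lines whose values are complete on the page. Each server adds its
# own Received line at the top, so the bottom line is the earliest hop.
SAMPLE_HEADERS = """\
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [132.236.56.55])
\tby postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id lBPIp7SV004763;
\tTue, 25 Dec 2007 13:51:07 -0500 (EST)
Received: from localhost.localdomain (soapstone1.mail.cornell.edu [128.253.83.143])
\tby hermes30.mail.cornell.edu (8.13.6/8.12.6) with ESMTP id lBPIp4F8017044;
\tTue, 25 Dec 2007 13:51:05 -0500 (EST)
Received: from mail01.crtc.com.tw (unknown [61.30.114.162])
\tby 128.253.83.144; Tue, 25 Dec 2007 13:41:18 -0500
Received: from dc2 ([12.47.15.100]) by mail01.crtc.com.tw
\twith Microsoft SMTPSVC (6.0.3790.1830); Wed, 26 Dec 2007 02:40:44 +0800
From: "PayPal" <service@paypal.com>
Subject: PayPal - Security Measures
Date: Tue, 25 Dec 2007 12:30:24 -0600
"""

# Constructed sample: the genuine PayPal hop shown at the end of the article.
LEGIT_HEADERS = """\
Received: from email-120.paypal.com (email-120.paypal.com [206.165.243.120])
\tby 128.253.83.155; Thu, 2 Oct 2008 13:05:54 -0400
From: "PayPal" <service@paypal.com>
"""

# "from <helo-name> (<reverse-dns> [<ip>])" ... "by <host>"
FROM_RE = re.compile(r"^from\s+(?P<helo>[^\s(;]+)(?:\s+\((?P<info>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;(]+)", re.I)


def parse_received(value):
    """Split one Received header into the name the sender announced (HELO),
    the reverse-DNS name and IP the receiving server recorded, and the
    receiving ('by') host. Missing pieces stay None."""
    text = " ".join(value.split())  # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = FROM_RE.match(text)
    if m:
        hop["helo"] = m.group("helo")
        info = m.group("info") or ""
        ipm = IP_RE.search(info)
        if ipm:
            hop["ip"] = ipm.group(1)
        name = IP_RE.sub("", info).strip()
        if name and name.lower() != "unknown":
            hop["rdns"] = name
    b = BY_RE.search(text)
    if b:
        hop["by"] = b.group("by")
    return hop


def received_chain(raw_headers):
    """All hops, newest first (the order they appear in the message)."""
    msg = HeaderParser().parsestr(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def origin_hop(raw_headers):
    """The bottom-most Received line: where the message started its journey."""
    chain = received_chain(raw_headers)
    return chain[-1] if chain else None


def from_domain(raw_headers):
    """Domain part of the From address, lower-cased."""
    msg = HeaderParser().parsestr(raw_headers)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def origin_matches_from(raw_headers):
    """True when some name on the origin hop is the From domain or a host
    under it. A mismatch, as in the article's sample, is the warning sign."""
    hop = origin_hop(raw_headers)
    dom = from_domain(raw_headers)
    if not hop or not dom:
        return False
    names = [n.lower() for n in (hop["helo"], hop["rdns"], hop["by"]) if n]
    return any(n == dom or n.endswith("." + dom) for n in names)


if __name__ == "__main__":
    for label, raw in (("forged", SAMPLE_HEADERS), ("genuine", LEGIT_HEADERS)):
        print(f"--- {label} ---")
        for i, hop in enumerate(received_chain(raw)):
            print(f"hop {i}: from {hop['helo']} ({hop['rdns']} [{hop['ip']}]) by {hop['by']}")
        print("origin hop:", origin_hop(raw))
        print("From domain matches origin:", origin_matches_from(raw))
```

Run it as a script to see both chains walked; `origin_matches_from` returns False for the forged sample (origin hop dc2 / 12.47.15.100 received by mail01.crtc.com.tw, From domain paypal.com) and True for the genuine one (origin email-120.paypal.com). The X-Original-IP and X-Original-Hostname lines from the quick check are not standard and are not parsed here; when present they are simply another record of the same first hop.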
