How to Read Email Headers
Email headers are the hidden record of a message's journey. Reading them helps you trace where mail came from and why it was flagged.
Step-by-step
- Open the message in your mail client or webmail.
- Find "Show original" / "View source" / "View headers" — in Roundcube webmail, use the More menu → Show source.
- Read from the bottom up. The earliest "Received" lines are nearest the sender; each hop adds a line on top.
- Check the authentication results — look for spf=pass, dkim=pass and dmarc=pass to confirm the sender is genuine.
- Inspect the real From and Return-Path — spoofed mail often has a mismatch between display name and actual address.
- Use the originating IP to investigate suspicious senders, and blacklist if needed.
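The steps above, carried out in code as an added example (not part of the original page). The sample message is constructed, and the function names `domain` and `analyze` are hypothetical; it uses only Python's standard `email` module.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (reserved example domains and documentation IP ranges).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP id abc123; Tue, 02 Jan 2024 10:00:05 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.com
Received: from relay.example.net (relay.example.net [203.0.113.25])
\tby mx.recipient.example with ESMTP id def456; Tue, 02 Jan 2024 10:00:03 +0000
From: "Example Bank Support" <support@example.com>
Subject: Account notice

Body text.
"""

def domain(header_value):
    """Return the lowercased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    # Each hop prepends its Received line, so reverse to read sender-first.
    # Lines below your own server's entry are supplied by the sending side.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", hops[0]) if hops else None
    # Rely only on the Authentication-Results header added by your own receiver.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        results[mech] = m.group(1) if m else "missing"
    frm, rpath = domain(msg["From"]), domain(msg["Return-Path"])
    return {
        "hops_sender_first": hops,
        "originating_ip": ip.group(1) if ip else None,
        "auth": results,
        "from_domain": frm,
        "return_path_domain": rpath,
        "from_return_path_mismatch": frm != rpath,  # flag for closer review
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```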
💡 Good to know
- spf=pass and dkim=pass on your own outgoing mail confirm your authentication is working.
- A mismatched From and Return-Path is a hallmark of phishing.
- Headers are also what support will ask for when diagnosing delivery problems.