
Like most email programs and interfaces, Gmail hides the administrative information or 'headers' in email messages. They're still easy to view.

I'm trying to figure out an email problem and the ISP support said I needed to send them the "full email headers" of the message. Huh? What's that and how do I get it? I use Gmail.

There's more to email than meets the eye.

In fact, there's a LOT more.

Bundled with every message is typically a list of information, including the mail server that it originated from, the servers that it traveled across along its way, as well as a bunch of other optional information relating to who sent it, anti-spam information, mailing list unsubscribe information, and much, much more.

It's a bunch of geekery that you really don't want to see every time.

But if you do, it's easy to get at it, particularly in Gmail.

Headers in Gmail

Here's an email message displayed in Gmail:

Email message in Gmail

Hopefully, that's a very familiar-looking message - a copy of my newsletter :-)

Next to the date towards the top right are a couple of icons. Click the downward-pointing triangle:

Menu of additional action items for a Gmail message

Click Show original.

This will open the full original email message in a new tab or window in the text format in which it's actually encoded:

Email headers courtesy of Gmail

The "email headers" include everything until the first blank line. Everything after that is the email message itself.

Sending email headers

Even though you might send rich text and even pictures, email is always sent in plain text. Anything that's not plain text in your message will be encoded into something that can be represented in plain text.

The headers themselves are always plain text.

If your ISP or someone helping you diagnose an email problem has asked for the headers, start by composing a new message - it'll be helpful if you can select plain text format or compose that new message as plain text.

From the window in which Gmail is displaying the original message, select all the text from the top to the first blank line, right-click it and click Copy.

Then, switch to the message that you're composing, right-click in the body, and click Paste.

Send that message to whomever was requesting it.

What is all this junk?

Go ahead and page up and down and have a look around in the original message. You'll see a lot of stuff in there.

A lot of "geekery," as I said earlier.

The headers are a series of lines of information about the message being sent. If the first column is not blank, then the line begins with a token followed by ":". For example, you'll see many lines that begin with "Received:". Each mail server along the path from sender to recipient adds a Received: line to the header so that the email message's path can be identified.

You'll also see some familiar lines like To:, From: and Subject:, which are themselves nothing more than header lines.

There are too many to cover them all here. Many are obvious, many are not.

Header information can be faked

Finally, I want to point out that we often think of using header information to trace where an email comes from. While technically possible to a point, it's often the case that a specific sender can NOT be identified if they're trying to be sneaky.

And to the technically-inclined, it's not hard to be sneaky.

Information in the header can be faked or spoofed, and it sometimes takes a close, knowledgeable eye to be able to identify when this happens.

That's probably why you're sending it to someone who understands it.
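
The rules from the two sections above, as an added example (not code from the original article): split headers from the body at the first blank line, join continuation lines, list the Received: path oldest hop first, and separate the From: display name from the address. The sample message and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample (not a real message); hosts and IPs are reserved example values.
RAW = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    "\tby inbound.example.org with ESMTP id abc123;\r\n"
    "\tWed, 9 May 2012 10:00:05 -0700\r\n"
    "Received: from sender-host.example.com ([198.51.100.7])\r\n"
    "\tby mx.example.net with SMTP; Wed, 9 May 2012 10:00:01 -0700\r\n"
    'From: "Post Express" <postmail@example.com>\r\n'
    "To: reader@example.org\r\n"
    "Subject: Your parcel\r\n"
    "\r\n"
    "Received: this line is in the body, so it is not a header.\r\n"
)

def split_message(raw):
    """Headers are everything up to the first blank line; the rest is the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body

def parse_headers(head):
    """Return [(name, value)] in order. A line whose first column is blank
    continues the previous field; any other line starts with 'Name:'."""
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def received_path(fields):
    """Each server adds its Received: line at the top, so reverse the list to
    read the claimed path from sender to recipient. Only lines written by
    servers you trust are reliable; older ones were supplied upstream."""
    path = []
    for value in reversed([v for n, v in fields if n.lower() == "received"]):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", value)
        path.append((m.group(1), m.group(2)) if m else (None, None))
    return path

def from_parts(fields):
    """Split From: into the display name a mail client shows and the address."""
    value = next((v for n, v in fields if n.lower() == "from"), "")
    return parseaddr(value)
```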

Article C5313 - May 9, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


4 Comments
Gabe
May 11, 2012 9:20 AM

Leo, correct me if I'm wrong, one thing the sender can't spoof is the header's actual "From" information. While they can make an email address like "trust_me@irs.gov" appear in the "From" field in an effort to make you think it's an email from the US Government, the header will always show the real "From" field that sent it. Granted, if it's a "sneaky" sender, they won't be sending it from their actual email server, rather it will come from "hijacked_account@botnet_server.com"...correct?

Actually that's not true. There is no "real" "From:" field - the From field you see, the one that's easily spoofable, is the only From: field there is. You don't really need an email account to send email if mail servers are configured improperly. The only thing in the header that can't be spoofed that I'm aware of is the IP address of the server or network from which the email first enters the internet - and that can be obfuscated in various ways.
Leo
11-May-2012
Cole Alenick
May 11, 2012 10:45 AM

I CANNOT send a letter or an eMail with the latest update of Mozilla Thunderbird??
It simply does Not have a "Send"
Any suggestions??
{email address removed}

Mine certainly has a Send when I'm in a compose window. Try CTRL+Enter to send.
Leo
11-May-2012
Ron_H
May 11, 2012 5:39 PM

Re: No send in T_Bird -- Cole, Open "write" window,
right click 2nd band at top. Should see "menu bar"
and "composition toolbar" with check before each.
If Missing check, select item to add check. Should bring back send. Customize while there. Best wishes,
Ron_H Thanks go to Leo!

Gabe
May 14, 2012 6:03 AM

Thanks for the reply Leo...and that's why people visit your site and sign up for your email list...you can explain things very well. You've cleared up some confusion I was having.

An example of what I was looking at is a spam message from "Post Express" (it had a virus attached to it) and it comes across as trying to be from the United States Postal Service and wants me to open the attachment.
The "Received:" info in the header says:
"Received: from abcdefg.com ([123.123.123.123])"
(I've changed the IP and domain to protect the innocent)

Then the "From" line says:
"From: "Post Express" postmail@abcdefg.com"
This begs the question, why would the USPS use a mail server named "abcdefg.com". The answer is simply that they wouldn't. Since many would be suspicious they've put "Post Express" in there knowing that anyone using MS Outlook and possibly some other mail clients will ONLY see those words and it will help with the spoofing.

So, this confirms what you stated...the "From:" information can be anything (and who knows if "postmail" exists on that server) but it came from abcdefg.com, which is not the USPS.

Thanks for the reply Leo.
