How-to get detailed E-mail headers from the message log

Created by Nadav Shenker, Modified on Mon, 9 Dec at 4:45 PM by Yves Lacombe

What is happening with E-mail Headers?


E-mail header information has been added to Message Log Details.


Administrators will now be able to view and download email message headers directly from the message detail window.



How do I access the E-mail Header Information?


E-mail header information is accessed from the Message Log Details window of a given message.


  1. Navigate to the Log Search page
  2. Perform a search
  3. Click the Details button (under Actions column) for a given message
  4. Select either Preview or Download


Preview : Display email header information on the screen
Download : Download a copy of the email headers (File is downloaded as a zipped EML file. No message body or attachments are included)



There is currently a known limitation where the 'download' button only works for a local administrator (ie. organization admin).

Partner admins can still preview header information.






How can I use the E-mail Headers to Investigate an Email?


Headers contain many helpful pieces of information.
Here are a couple examples, however many other fields can also be valuable.


    1.    A valuable field in the headers will be the "Authentication-Results:" field.


This can be used to evaluate email authentication results when trying to determine the legitimacy of an email, or to try to understand why one was blocked.



  • spf = spf result. typically pass/fail
  • smtp.mailfrom =envelope sender domain (what SPF authenticates)
    • Note: For SPF alignment (for purposes of DMARC) this field must match header.from value
  • dkim = dkim result. typically pass/fail
  • header.d= domain value (d=) from the DKIM signature
    • Note: For DKIM alignment (for purposes of DMARC) this field must match header.from value
  • header.s = selector value (s=) from the DKIM signature
  • dmarc = dmarc result. typically pass/fail
  • header.from = from header domain (what DMARC authenticates)
  • header.policy = DMARC policy from DNS (none/quarantine/reject)







    2.     Another valuable field in the headers is the "Reply-To:" field.


When the Reply-To address is unrelated to the sender, this can be an indication of malicious intention (especially if the reply-to domain is a public email domain such as Gmail, Yandex, etc)


Note: End users often don't realize when the recipient address of their reply message is different from the sender address of the email that they received.