How to Use E-mail Header Information

Created by Nadav Shenker, Modified on Sun, 29 Jan 2023 at 02:57 AM by Nadav Shenker

What is happening with E-mail Headers?

E-mail header information has been added to Message Log Details.

Administrators will now be able to view and download email message headers directly from the message detail window.

How do I access the E-mail Header Information?

E-mail header information is accessed from the Message Log Details window of a given message.

  1. Navigate to the Log Search page
  2. Perform a search
  3. Click the Details button (under Actions column) for a given message
  4. Select either Preview or Download

Preview: Displays the email header information on screen.
Download: Downloads a copy of the email headers. The file is downloaded as a zipped EML file; no message body or attachments are included.

There is currently a known limitation where the Download button only works for a local administrator (i.e. an organization admin).

Partner admins can still preview header information.

How can I use the E-mail Headers to Investigate an Email?

Headers contain many helpful pieces of information.
Here are a couple of examples; many other fields can also be valuable.

  1. A valuable field in the headers is the "Authentication-Results:" field.

This can be used to evaluate email authentication results when trying to determine the legitimacy of an email, or to try to understand why one was blocked.

  • spf = SPF result, typically pass or fail
  • smtp.mailfrom = envelope sender (MAIL FROM) domain, which is what SPF authenticates
    • Note: For SPF alignment (for the purposes of DMARC) this domain must match the header.from value
  • dkim = DKIM result, typically pass or fail
  • header.d = domain value (d=) from the DKIM signature
    • Note: For DKIM alignment (for the purposes of DMARC) this domain must match the header.from value
  • header.s = selector value (s=) from the DKIM signature
  • dmarc = DMARC result, typically pass or fail
  • header.from = domain of the From header, which is what DMARC authenticates
  • header.policy = DMARC policy published in DNS (none, quarantine or reject)

  2. Another valuable field in the headers is the "Reply-To:" field.

When the Reply-To address is unrelated to the sender, this can be an indication of malicious intent, especially if the Reply-To domain is a public email domain such as Gmail, Yandex, etc.

Note: End users often don't realize when the recipient address of their reply message is different from the sender address of the email that they received.
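The two checks described above (reading the Authentication-Results fields and their DMARC alignment, and comparing the Reply-To domain against the From domain) can be automated over a downloaded header file. The following Python script is an added example and is not part of this article or of the product; it runs on a constructed header block embedded in the script (all addresses and hostnames are made up, with freemail.example standing in for a public email domain), and its organizational-domain logic is a simplification (last two labels) rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the header block of a message with no body or attachments,
# in the shape of the downloaded EML header file. Every value below is made up.
SAMPLE_HEADERS = """\
From: Accounts Payable <ap@example.com>
Reply-To: Accounts Payable <ap-example@freemail.example>
To: finance@example.org
Subject: Invoice 4471
Authentication-Results: mx.example.org;
    spf=pass smtp.mailfrom=bounce.example.net;
    dkim=pass header.d=bounce.example.net header.s=sel1;
    dmarc=fail (p=quarantine) header.from=example.com header.policy=quarantine

"""


def parse_auth_results(value):
    """Turn an Authentication-Results value into a {field: value} dict.

    The first ';'-separated element is the authserv-id (the host that evaluated
    the message); parenthesised comments are dropped; keys and values are
    lower-cased so that 'spf', 'smtp.mailfrom', 'header.d' etc. can be looked up.
    """
    value = re.sub(r"\([^)]*\)", " ", " ".join(value.split()))
    parts = [p.strip() for p in value.split(";") if p.strip()]
    fields = {"authserv-id": parts[0].lower()} if parts else {}
    for clause in parts[1:]:
        for key, val in re.findall(r"([\w.-]+)=(\S+)", clause):
            fields[key.lower()] = val.lower()
    return fields


def org_domain(name):
    """Approximate the organizational domain as the last two labels.

    Simplification for this example: a production check should use the
    Public Suffix List (e.g. 'example.co.uk' has three labels).
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if name else ""


def check_alignment(fields):
    """DMARC relaxed alignment: SPF's smtp.mailfrom and DKIM's header.d must
    share the organizational domain of header.from."""
    hdr_from = org_domain(fields.get("header.from", ""))
    return {
        "spf_aligned": bool(hdr_from) and org_domain(fields.get("smtp.mailfrom", "")) == hdr_from,
        "dkim_aligned": bool(hdr_from) and org_domain(fields.get("header.d", "")) == hdr_from,
    }


def reply_to_mismatch(msg):
    """True when Reply-To points at a different domain than From,
    None when the message carries no Reply-To header at all."""
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_to = msg.get("Reply-To")
    if reply_to is None:
        return None
    reply_dom = parseaddr(str(reply_to))[1].rpartition("@")[2].lower()
    return reply_dom != from_dom


def triage(raw_headers):
    """Parse a raw header block and return the authentication fields,
    the alignment verdicts and the Reply-To check in one dict."""
    msg = message_from_string(raw_headers, policy=policy.default)
    fields = parse_auth_results(str(msg.get("Authentication-Results", "")))
    return {"auth": fields, **check_alignment(fields), "reply_to_mismatch": reply_to_mismatch(msg)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

In the constructed sample, SPF and DKIM both pass, but on bounce.example.net rather than the From domain example.com, so neither is aligned and DMARC fails under a quarantine policy; the Reply-To also points at a different domain than the From address. Those are exactly the two signals the sections above describe, surfaced without reading the raw header by eye.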