Email Headers Deep Dive: Received, SPF, DKIM, and How Email Really Travels

Every email carries far more information than what users see in their inbox. Hidden behind the scenes are email headers — a complete technical record of how a message was sent, routed, authenticated, and evaluated.

For developers, system administrators, and security professionals, headers are the single most reliable source of truth when troubleshooting delivery issues, spam filtering, or phishing attempts.

This article provides a deep, practical breakdown of the most important headers: Received, SPF, DKIM, and how they fit together.

What Are Email Headers?

Email headers are metadata fields added by mail servers as a message travels from sender to recipient.

• They are plain text and RFC-defined
• Each mail server appends its own headers
• They cannot be modified retroactively without detection

Headers explain where the email came from, how it was authenticated, and why it was accepted or rejected.

The Received Header: Tracing the Email Path

The Received header is added by every SMTP server that handles the message. It creates a chronological trail of the email’s journey.

Received: from mail.example.com (192.0.2.10)
by mx.google.com with ESMTPS id abc123
for <user@gmail.com>;
Tue, 21 Dec 2025 14:32:11 +0000

How to Read Received Headers

• Read bottom to top
• The bottom entry is the sending server
• The top entry is the final receiving server

Received headers help identify:

• Sending IP addresses
• Relay servers
• Unexpected hops or relays
• Spoofing attempts

SPF Headers: Sender Authorization Results

SPF (Sender Policy Framework) checks whether the sending IP address is authorized to send mail for a domain.

Received-SPF: pass (google.com: domain of sender@example.com
designates 192.0.2.10 as permitted sender)

Common SPF Results

• pass — sender is authorized
• fail — sender is not authorized
• softfail — suspicious but not enforced
• neutral — no explicit policy

SPF alone does not protect the visible “From” address, which is why it must be combined with DKIM and DMARC.

DKIM Headers: Message Integrity and Authenticity

DKIM (DomainKeys Identified Mail) ensures the email was not modified after it was sent and confirms the sending domain.

DKIM-Signature: v=1; a=rsa-sha256; d=example.com;
s=selector1; h=from:to:subject:date;
bh=abc123...; b=def456...

After verification, receivers add an authentication result:

Authentication-Results: mx.google.com;
dkim=pass header.d=example.com

Why DKIM Matters

• Survives forwarding
• Protects message content
• Builds long-term sender reputation

Authentication-Results: The Verdict

Most modern mail servers summarize authentication outcomes in the Authentication-Results header.

Authentication-Results: mx.google.com;
spf=pass;
dkim=pass;
dmarc=pass

This header is critical when diagnosing:

• Spam filtering issues
• DMARC failures
• Phishing or spoofing attempts

Common Header Red Flags

• Mismatch between From and DKIM domain
• SPF fail with DMARC enforcement
• Unexpected relay servers
• Missing DKIM signature
• Private IPs in Received headers

Headers in EML Files

EML files preserve full headers exactly as received, making them ideal for deep inspection and forensic analysis.

When investigating email issues, always request the original message source or EML export — screenshots are not sufficient.

When and Why to Analyze Email Headers

• Delivery failures
• Spam placement
• Phishing investigations
• Email authentication setup
• Security incident response

Final Thoughts

Email headers expose the full technical truth behind every message. Understanding them turns email from a black box into a transparent, debuggable system.

Mastering headers is a foundational skill for anyone working with email infrastructure, security, or deliverability.