The structure of a Received: header is
- Received: from - the name the sending computer gave for itself when it connected, followed in parentheses by what the receiving computer actually saw: the reverse DNS name of the connecting address and, in square brackets, the address itself
- by - the receiving computer's name, followed in parentheses by the software it runs (usually Sendmail, qmail or Postfix)
- with - the protocol used for the hand-off (usually SMTP, ESMTP or ESMTPS; see the note on encryption at the end)
- id - an identifier the receiving computer assigned to the message for its own logs
- for - the recipient address the receiving computer accepted the message for (not every server records this)
- timestamp - when the receiving computer accepted the message, usually in that computer's local time with its offset from UTC (see below for how you can convert these all to your time)
The keywords (from, by, with, id, for) are the literal words in the header; everything after them changes from header to header. Not all of those values are equally trustworthy. The name right after "from" is whatever the sending computer chose to call itself, so spammers and scammers can put anything there. The reverse DNS name and IP address in parentheses were looked up and recorded by the receiving computer, and are much harder to fake. In general, each value can only be trusted as far as the computer that wrote the header.
Received: headers are recorded every time a message is handed from one computer to another, and each receiving computer adds its own header above the ones already there. The newest Received: header is therefore always at the top, and reading the headers from top to bottom traces the message from you back toward the sender. For any two adjacent headers, the computer named after "from" in the upper one should be the computer named after "by" in the one beneath it; where it is not, either an internal relay wrote its name differently or someone has inserted a header.
Let's look at an example. Here's a message sent from someone's iPhone, through their Gmail account, to a Pobox Mailstore account. (Note: normal Received: headers are not numbered; I added the numbers to help in tracing the message.)
1. Received: from maroon.pobox.com (maroon.pobox.com [208.72.237.40]) by mailstore.pobox.com (Postfix) with ESMTP id 847989746 for <address>; Wed, 15 Jun 2011 10:42:09 -0400 (EDT)
2. Received: from maroon.pobox.com (localhost [127.0.0.1]) by maroon.pobox.com (Postfix) with ESMTP id EA14340A31F; Wed, 15 Jun 2011 10:42:35 -0400 (EDT)
3. Received: from mail-qw0-f46.google.com (mail-qw0-f46.google.com [209.85.216.46]) by maroon.pobox.com (Postfix) with ESMTPS id 70BCC40A1DB for <address>; Wed, 15 Jun 2011 10:42:13 -0400 (EDT)
4. Received: by qwk3 with SMTP id 3so281681qwk.33 for <address>; Wed, 15 Jun 2011 07:42:11 -0700 (PDT)
5. Received: by 10.229.78.96 with SMTP id j32mr509819qck.121.1308148929825; Wed, 15 Jun 2011 07:42:09 -0700 (PDT)
6. Received: from [10.231.252.223] (79.sub-174-252-72.myvzw.com [174.252.72.79]) by mx.google.com with ESMTPS id m16sm345129qck.28.2011.06.15.07.42.02 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 15 Jun 2011 07:42:08 -0700 (PDT)
Starting at the top:
- Header 1: A Pobox mail server (maroon.pobox.com, 208.72.237.40) sent the message to mailstore.pobox.com, which is where I picked it up to read it. Both computers are at pobox.com, so this is an internal hop even though it uses plain ESMTP.
- Header 2: Pobox passed the message between processes on the same machine (from maroon.pobox.com via localhost, back to maroon.pobox.com). This is the step where message filtering happens.
- Header 3: Google (mail-qw0-f46.google.com, 209.85.216.46) sent the message to Pobox over an encrypted connection (ESMTPS).
- Header 4: Google handled the message internally. Note that this header has no "from" clause at all, only "by qwk3"; Google's internal relays are not named in a way that matches the public server in header 3, so the from/by chain appears to break here even though nothing is wrong.
- Header 5: Google handled the message internally again, this time on a machine identified only by a private address (10.229.78.96).
- Header 6: The sender's iPhone, which announced itself to Google only by its private address [10.231.252.223], connected from a Verizon Wireless address (174.252.72.79, reverse DNS 79.sub-174-252-72.myvzw.com) and handed the message to Google's mx.google.com over TLS. Google also recorded the TLS version and cipher in parentheses after the id.
So the message starts on the sender's phone on Verizon's network, proceeds through various internal processes at Google and Pobox, then ends up in my Inbox at mailstore! Notice also that the timestamps come from each computer's own clock and time zone (EDT on the Pobox servers, PDT on Google's), so they have to be converted to a common zone before comparing them.
A note about encryption and the protocols mentioned in the Received: header:
- SMTP and ESMTP indicate that the mail was passed between the two computers mentioned without encryption. Inside one provider's own network (headers 1 and 2 above) that is usually fine; across the Internet it means anyone on the path could read or alter the message, and may be cause for concern.
- ESMTPS indicates that the two computers established an encrypted TLS link with the STARTTLS command before the mail was sent (headers 3 and 6 above). ESMTPSA means the same, plus that the sender logged in with a username and password. An encrypted hop is protected from eavesdropping and tampering by anyone merely watching the traffic. One caveat: most server-to-server TLS is opportunistic, meaning the sending server usually does not verify the receiving server's certificate, so ESMTPS tells you the hop was encrypted, not that the sender was certain who it was talking to.
Finally, Received: headers can themselves be forged. Each header is written by the computer that received the message, so the only ones a Pobox user can fully trust are those added by Pobox's own servers (headers 1 to 3 above), and those reliably tell you how the mail was delivered to Pobox. Everything beneath them arrived as part of the message and could have been written by the sender, so the earlier part of the journey, including the protocols used on it, can only be taken on trust.
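To make the checks in this article mechanical, here is a small Python script. It is an added example, not part of Pobox's page or software. It parses the six headers above (unfolded onto one line each, with the recipient still written as <address>), converts every timestamp to UTC, and reports three kinds of finding: a break in the from/by chain between adjacent headers, a header stamped earlier than the one beneath it, and a plain-text hop across the public Internet. The rule for what counts as an internal hop (no "from" clause, a private or loopback source address, or sender and receiver under the same parent domain) is this example's own simplification, and the hop numbering follows the article (1 = newest).

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Constructed sample input: the six Received: headers quoted above, each
# unfolded onto one line, in message order (newest hop first).
RECEIVED = [
    "from maroon.pobox.com (maroon.pobox.com [208.72.237.40]) by mailstore.pobox.com "
    "(Postfix) with ESMTP id 847989746 for <address>; Wed, 15 Jun 2011 10:42:09 -0400 (EDT)",
    "from maroon.pobox.com (localhost [127.0.0.1]) by maroon.pobox.com (Postfix) with "
    "ESMTP id EA14340A31F; Wed, 15 Jun 2011 10:42:35 -0400 (EDT)",
    "from mail-qw0-f46.google.com (mail-qw0-f46.google.com [209.85.216.46]) by "
    "maroon.pobox.com (Postfix) with ESMTPS id 70BCC40A1DB for <address>; "
    "Wed, 15 Jun 2011 10:42:13 -0400 (EDT)",
    "by qwk3 with SMTP id 3so281681qwk.33 for <address>; Wed, 15 Jun 2011 07:42:11 -0700 (PDT)",
    "by 10.229.78.96 with SMTP id j32mr509819qck.121.1308148929825; "
    "Wed, 15 Jun 2011 07:42:09 -0700 (PDT)",
    "from [10.231.252.223] (79.sub-174-252-72.myvzw.com [174.252.72.79]) by mx.google.com "
    "with ESMTPS id m16sm345129qck.28.2011.06.15.07.42.02 (version=TLSv1/SSLv3 cipher=OTHER); "
    "Wed, 15 Jun 2011 07:42:08 -0700 (PDT)",
]

# keyword, its value, and the optional "(comment)" that may follow the value
CLAUSE = re.compile(r"(?:^|\s)(from|by|with|id|for)\s+(\S+)(?:\s+\(([^)]*)\))?")
BRACKETED_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")


@dataclass
class Hop:
    helo: Optional[str]   # name the sender claimed for itself (sender-controlled)
    rdns: Optional[str]   # reverse DNS looked up by the receiver
    ip: Optional[str]     # connecting address as seen by the receiver
    by: str               # receiving host
    proto: Optional[str]  # SMTP, ESMTP, ESMTPS, ESMTPSA ...
    when: datetime        # timestamp converted to UTC


def parse_received(line: str) -> Hop:
    """Split one unfolded Received: header into its clauses."""
    clauses, _, date = line.rpartition(";")   # the date always follows the last ';'
    fields = {k: (v, c or None) for k, v, c in CLAUSE.findall(clauses)}
    if "by" not in fields:
        raise ValueError("no 'by' clause: " + line)
    helo, comment = fields.get("from", (None, None))
    rdns = ip = None
    if comment:                               # "(rdns-name [ip])"
        rdns = comment.split()[0]
        m = BRACKETED_IP.search(comment)
        ip = m.group(1) if m else None
    proto = fields.get("with", (None, None))[0]
    when = parsedate_to_datetime(date.strip()).astimezone(timezone.utc)
    return Hop(helo, rdns, ip, fields["by"][0], proto, when)


def _domain(name: str) -> str:
    return ".".join(name.lower().split(".")[-2:])


def crossed_internet(hop: Hop) -> bool:
    """False for internal hand-offs (simplified rule, an assumption of this
    example): no 'from', a private/loopback source, or same parent domain."""
    if hop.ip is None:
        return False
    try:
        addr = ipaddress.ip_address(hop.ip)
    except ValueError:
        return True
    if addr.is_private or addr.is_loopback:
        return False
    names = [n for n in (hop.rdns, hop.helo) if n]
    return not any(_domain(n) == _domain(hop.by) for n in names)


def audit(lines: List[str]) -> Tuple[List[Hop], List[Tuple[str, int, str]]]:
    """Parse the chain and return (hops, findings); hop n is the n-th header from the top."""
    hops = [parse_received(line) for line in lines]
    findings = []
    for i in range(len(hops) - 1):
        upper, lower, n = hops[i], hops[i + 1], i + 1
        # Continuity: the host that received hop n+1 should be the one hop n
        # says it came from. Internal relays of big providers break this
        # harmlessly; a break between unrelated organisations is suspicious.
        sent_by = {s.lower() for s in (upper.helo, upper.rdns) if s}
        if upper.ip is not None and lower.by.lower() not in sent_by:
            findings.append(("chain", n, f"hop {n+1} was received by {lower.by}, but hop {n} "
                                         f"says it came from {upper.helo} ({upper.rdns})"))
        # Clocks: a hop should not be stamped earlier than the hop beneath it.
        skew = (upper.when - lower.when).total_seconds()
        if skew < 0:
            findings.append(("clock", n, f"hop {n} is stamped {-skew:.0f}s before hop {n+1}"))
    for n, hop in enumerate(hops, 1):
        # Transport: plain SMTP/ESMTP across the public Internet.
        if crossed_internet(hop) and not (hop.proto or "").upper().startswith("ESMTPS"):
            findings.append(("cleartext", n, f"hop {n} crossed the Internet unencrypted ({hop.proto})"))
    return hops, findings


if __name__ == "__main__":
    hops, findings = audit(RECEIVED)
    for n, h in enumerate(hops, 1):
        print(f"{n}. {h.when:%H:%M:%S} UTC  {h.helo or '(internal)':<28} -> {h.by:<20} {h.proto}")
    for kind, _, msg in findings:
        print(f"[{kind}] {msg}")
```

Run as-is, it prints the hop table in UTC and two findings. The first is the hand-off from header 4 to header 3: Google's internal relay name qwk3 does not match the public server name mail-qw0-f46.google.com, which is the harmless case described in the walk-through. The second is header 1, which is stamped 26 seconds earlier than header 2 even though it was added later; between two machines of the same provider the usual cause is simply a clock that is off, but the same backward step in a header from an untrusted sender is exactly the sort of thing worth noticing. No hop is reported as unencrypted: the only two that crossed the Internet, 3 and 6, are both ESMTPS.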