Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            How to Use E-mail Header Information

            Created by Nadav Shenker, Modified on Sun, 29 Jan 2023 at 02:57 AM by Nadav Shenker

            What is happening with E-mail Headers?


            E-mail header information has been added to Message Log Details.


            Administrators will now be able to view and download email message headers directly from the message detail window.


            How do I access the E-mail Header Information?


            E-mail header information is accessed from the Message Log Details window of a given message.


            1. Navigate to the Log Search page
            2. Perform a search
            3. Click the Details button (under Actions column) for a given message
            4. Select either Preview or Download


            Preview : Display email header information on the screen
Download : Download a copy of the email headers (File is downloaded as a zipped EML file. No message body or attachments are included)



            There is currently a known limitation where the 'download' button only works for a local administrator (ie. organization admin).

Partner admins can still preview header information.





            How can I use the E-mail Headers to Investigate an Email?


            Headers contain many helpful pieces of information.
            Here are a couple examples, however many other fields can also be valuable.


                1.    A valuable field in the headers will be the "Authentication-Results:" field.


            This can be used to evaluate email authentication results when trying to determine the legitimacy of an email, or to try to understand why one was blocked.



            • spf = spf result. typically pass/fail
            • smtp.mailfrom =envelope sender domain (what SPF authenticates)
              • Note: For SPF alignment (for purposes of DMARC) this field must match header.from value
            • dkim = dkim result. typically pass/fail
            • header.d= domain value (d=) from the DKIM signature
              • Note: For DKIM alignment (for purposes of DMARC) this field must match header.from value
            • header.s = selector value (s=) from the DKIM signature
            • dmarc = dmarc result. typically pass/fail
            • header.from = from header domain (what DMARC authenticates)
            • header.policy = DMARC policy from DNS (none/quarantine/reject)







                2.     Another valuable field in the headers is the "Reply-To:" field.


            When the Reply-To address is unrelated to the sender, this can be an indication of malicious intention (especially if the reply-to domain is a public email domain such as Gmail, Yandex, etc)


            Note: End users often don't realize when the recipient address of their reply message is different from the sender address of the email that they received.


            Preview
            0 of 0