Email Message Headers

If you don't know how to view the complete email message headers in your mail program, see the following document:
How to view complete email message headers

Sample Message Headers


Detailed descriptions of all headers are displayed in the Email message header descriptions below the headers.

Orange headers are generated by the sender's mail program. These are the typical basic headers that are usually displayed by mail programs when viewing messages.
Olive headers are additional headers generated by the sender's mail program.
Green headers are generated by each mail server between the sender and recipient.
Red headers are generated by Network Tallahassee's spam control system and provide details about the filtering process.
Fuchsia headers are generated by Network Tallahassee's POP3 server where the actual mailboxes reside.
Received: from mxfs.nettally.com [199.44.114.227]
          by nettally.com
          with ESMTP (SMTPD-8.20) id A873040C;
          Sat, 24 Sep 2005 15:26:43 -0400
Received: from gateway3.nettally.com [199.44.114.226]
          by mxfs.nettally.com
          with ESMTP (SMTPD32-8.03) id A8703D1D00AA;
          Sat, 24 Sep 2005 15:26:40 -0400
Received: from excite.com (213.212.193.82)
          by gateway3.nettally.com (Alligate(TM) SMTP Gateway v1.5.9.14)
          with ESMPT id <8E6A872282D40436.BA5D502E5BCEF78A@gateway3.nettally.com>
          Sat, 24 Sep 2005 15:26:35 -0500
Received: from 168.33.121.107 ([168.33.121.107])
          by mail.webhostings4u.com
          with NNFMP;
          Sun, 25 Sep 2005 06:15:53 -1100
Received: from [49.118.234.199]
          by smtp.doneohx.com
          with ESMTP;
          Sun, 25 Sep 2005 02:04:56 -0700
Message-ID: <CC4ED5B6.BE380D4@excite.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us
MIME-Version: 1.0
Date: Sun, 25 Sep 2005 01:41:41 -0700
From: "More Info" <moreinfo@excite.com>
To: <example@nettally.com>
Cc: "Someone Else" <someoneelse@nettally.com>
Subject: Urgent details please
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Alligate-MXRProb: 0
X-Alligate-MXRCountry: EG
X-Alligate-MXRAction: NONE
X-Alligate-RecipsValid: 2
X-Alligate-In: Passed - Adult: 0 (Req: 2) Spam: 11 (Req: 15) Tot: 11 (Req: 18)
X-Alligate-QueueFile: 016673021.dta
X-Alligate-EnvID: 8E6A872282D40436.BA5D502E5BCEF78A@GATEWAY3.NETTALLY.COM
X-Alligate-EnvIP: 213.212.193.82
X-Alligate-RCPT: example@nettally.com
X-Alligate-MBX: example@nettally.com
X-Alligate-EnvFrom: moreinfo@excite.com
X-Alligate-CountryFrom: Egypt (EG)
X-Alligate-MXRateIP: 213.212.193.82
X-Alligate-SpamProb: 10%
X-Declude-Status: Waiting for activation code
X-RCPT-TO: <example@nettally.com>
Status: U
X-UIDL: 426186814
X-IMail-ThreadID: a873000001542a77

Email message header descriptions

Received
These provide information about each mail server involved during the message delivery process. The bottom-most Received header is the first mail server involved (closest to the actual sender) and may be forged by some spammers/virus distributors; the top-most Received header is the last mail server involved (closest to the recipient). The server names that appear next to the IP addresses are frequently invalid/forged. The IP addresses contained in [] or () are what's important in determining the identity of these servers. The timestamps are the dates/times according to that particular mail server. If the server doesn't have the correct date/time and/or timezone, the timestamp you see will not be accurate. See the Date/Time formats section at the end of this document.
Message-ID
Unique message identifier that refers to a particular version of a particular message. The server name after the @ symbol is often invalid/forged in spam messages.
User-Agent
Information about what mail program was used to send the message. This information is usually found in the X-Mailer header.
X-Mailer
Information about what mail program was used to send the message.
X-Accept-Language
ISO-10646 language identifier associated with the character set in the message. Apparently, this header, if it exists, is inserted by the sender's Netscape mail software.
MIME-Version
Version of the Internet message body format standard in use by the sender's mail program, as defined by RFC 2045: Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies.
Date
The date/time and time zone according to the sender's computer (which may not be accurate). See the Date/Time formats section at the end of this document.
From
Specifies the apparent author of the message, that is, the apparent mailbox of the person or system responsible for the writing of the message. This value is entered by the sender and can be any name and email address--including yours. Spammers frequently make use of this freedom by entering any email address they want to, so long as it doesn't trace back to the spammer. Think of this as the name/address one would include in the upper-left corner of a regular envelope before sending it.
To
Address(es) of the primary recipient(s) of the message.
Cc
(Carbon copy) contains the addresses of others who are to receive the message, though the content of the message may not be directed at them.
Bcc
(Blind carbon copy) contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message.
Subject
Contains a short string identifying the topic of the message.
Content-Type
Allows mail reading programs to automatically identify the type of a structured message body and to process it for display accordingly. See RFC 1049.
Content-Transfer-Encoding
Many media types which could be usefully transported via email are represented, in their "natural" format, as 8bit character or binary data. Such data cannot be transmitted over some transfer protocols. For example, SMTP restricts mail messages to 7bit US-ASCII data with lines no longer than 1000 characters including any trailing CRLF line separator. The Content-Transfer-Encoding header defines a standard mechanism for encoding such data into a 7bit short line format.
X-Alligate-MXRProb
Probability of the message being spam based on historical data associated with the mail server that sent the message to our network.
X-Alligate-MXRCountry
ISO-3166 alpha-2 country code associated with the IP address of the mail server that sent the message to our network. This is NOT related to the name of the server. This corresponds with the X-Alligate-CountryFrom header. You can block mail based on this header by editing your blacklist.
X-Alligate-MXRAction
What action was performed based on historical data associated with the mail server that sent the message to our network.
X-Alligate-RecipsValid
Number of valid recipient email addresses on our network that the message was sent to.
X-Alligate-In
Details about why the message was delivered without being held/deleted.
IGNORED:
Whitelisted: The message was whitelisted for the reason specified.
Known good address: The message was delivered because the mail server that sent it to our network is normally not known for sending spam.
Passed: The message was not whitelisted, but was still delivered.
The Adult, Spam, and Tot(al) values are the penalty points that were applied to the message during the filtering process. The Req(uired) values are the hold scores you've configured. If the message's penalty points reached any of the hold score values, the message would have been held in your Spam Digest instead of being delivered. You can use the information in this header to get an idea of how you can adjust your existing scores to better suit your needs.
X-Alligate-QueueFile
Name of the file corresponding to the message while it was being processed by the spam filtering system.
X-Alligate-EnvID
Unique identifier associated with the message while it was being processed by the spam filtering system. The name of the spam filtering server follows the @ symbol. All of our spam filtering servers share the same data.
X-Alligate-EnvIP
Apparent IP address of the mail server that sent the message to our network.
X-Alligate-RCPT
The actual recipient email address as stated in the message envelope. This address may not be visible in the To, Cc, and Bcc basic message headers.
X-Alligate-MBX
The final actual recipient email address. In our present configuration, this should be the same as X-Alligate-RCPT. If any form of alias definitions existed for specific email addresses on the filtering servers (there aren't any), this value would represent that alias destination address.
X-Alligate-EnvFrom
The email address the sender claims to be as stated in the message envelope. This is almost always falsified and typically represents a random email address previously harvested by spyware/adware, websites that distribute their form data, etc.
X-Alligate-CountryFrom
The name and ISO-3166 alpha-2 country code associated with the IP address of the mail server that sent the message to our network. This is NOT related to the name of the server. This corresponds with the X-Alligate-MXRCountry header. You can block mail based on this header by editing your blacklist.
X-Alligate-MXRateIP
IP address of the mail server that sent the message to our network.
X-Alligate-SpamProb
Experimental: Probability that the message is spam, based on factors unrelated to the penalty points and your adult/spam scores.
X-Declude-Status
Associated with Declude Junkmail for IMail mail servers. Network Tallahassee doesn't use this product, but the header is still included by our IMail server.
X-RCPT-TO
Final recipient email address after any alias forwarding takes place on Network Tallahassee's POP3 server.
Status
Used by some mail delivery systems to indicate the status of delivery for this message when stored. See RFC 2076: Common Internet Message Headers
X-UIDL
Unique identifier used by the POP3 protocol for retrieving mail from a POP3 server. It is normally added between the POP3 server and the recipient's mail software during message retrieval.
X-IMail-ThreadID
Unique ID for the message that corresponds to log entries and processing files on the IMail server during processing.

Date/Time formats (Received and Date headers)

The time is displayed in 24-hour time in the format: hh:mm:ss. If the hours are higher than 12, subtract 12 to get the PM time. For example, 15:26:35 = 3:26:35 pm.

The 4-digit time zone number following the date/time represents the offset from Coordinated Universal Time (UTC, formerly referred to as "Greenwich Mean Time" (GMT)) that the date and time-of-day represent. The "+" or "-" indicates whether the time-of-day is ahead of (i.e., east of) or behind (i.e., west of) UTC. The first two digits indicate the number of hours difference from UTC, and the last two digits indicate the number of minutes difference from UTC. For example, during US standard time, the eastern time zone would appear as -0500 because the eastern time zone is 5 hours behind UTC. During US daylight saving time the eastern time zone would appear as -0400.
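
Added example (not part of the original Network Tallahassee page): the Received and Date/Time rules above applied to the sample message's Received headers, converting each hop to UTC, listing hops whose timestamp runs backwards, and picking the IP recorded by the first server on the receiving network. The function names and the choice of nettally.com as the trusted domain are assumptions of this example.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: the sample message's Received headers, re-folded to two lines each.
SAMPLE = """\
Received: from mxfs.nettally.com [199.44.114.227] by nettally.com
 with ESMTP (SMTPD-8.20) id A873040C; Sat, 24 Sep 2005 15:26:43 -0400
Received: from gateway3.nettally.com [199.44.114.226] by mxfs.nettally.com
 with ESMTP (SMTPD32-8.03) id A8703D1D00AA; Sat, 24 Sep 2005 15:26:40 -0400
Received: from excite.com (213.212.193.82) by gateway3.nettally.com (Alligate(TM) SMTP Gateway v1.5.9.14)
 with ESMPT id <8E6A872282D40436.BA5D502E5BCEF78A@gateway3.nettally.com> Sat, 24 Sep 2005 15:26:35 -0500
Received: from 168.33.121.107 ([168.33.121.107]) by mail.webhostings4u.com
 with NNFMP; Sun, 25 Sep 2005 06:15:53 -1100
Received: from [49.118.234.199] by smtp.doneohx.com
 with ESMTP; Sun, 25 Sep 2005 02:04:56 -0700
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # address inside [] or ()
BY_RE = re.compile(r"\bby\s+(\S+)")
# Anchored at the end of the value because one sample header has no ';' before its date.
DATE_RE = re.compile(r"(\w{3}, \d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})\s*$")

def parse_hops(raw):
    """Return hops oldest-first: by-host, bracketed IP, timestamp converted to UTC."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        ip, by, date = IP_RE.search(value), BY_RE.search(value), DATE_RE.search(value)
        when = parsedate_to_datetime(date.group(1)).astimezone(timezone.utc) if date else None
        hops.append({"by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None, "utc": when})
    return hops

def backwards_hops(hops):
    """Servers whose UTC timestamp is earlier than that of the hop before them."""
    return [b["by"] for a, b in zip(hops, hops[1:])
            if a["utc"] and b["utc"] and b["utc"] < a["utc"]]

def boundary_ip(hops, own_domain):
    """IP recorded by the oldest hop under own_domain; everything older is sender-supplied."""
    for hop in hops:
        if hop["by"] and (hop["by"] == own_domain or hop["by"].endswith("." + own_domain)):
            return hop["ip"]
    return None

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    print(backwards_hops(hops), boundary_ip(hops, "nettally.com"))
```

On the sample it reports gateway3.nettally.com and mxfs.nettally.com: the two hops below the gateway claim 25 Sep while the gateway received the message on 24 Sep, and gateway3 stamped -0500 where the other nettally.com servers stamped -0400. The boundary IP it returns, 213.212.193.82, is the same address shown in X-Alligate-EnvIP.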