Deciphering Mail Headers from the January 2002 newsletter

by Rob Zorn


WARNING: Names have been changed in the following article to protect the nerdish.

I can remember from my time in customer support that it is quite an experience to watch an e-mail technician dig through an e-mail's headers. They can tell you exactly where an e-mail has been, what it did along the way, and I wouldn't have been that surprised if they'd been able to tell what colour shirt the e-mail technician at the other end had been wearing!

Now, I can't quite do that but I thought it might be interesting to write a little about what some of the gobbledy-geek-speak in mail headers means. If you feel inclined after you've read this article, open up the mail headers on one of your e-mails (preferably one from overseas) and see what you can decipher for yourself.

Checking Mail Headers in Outlook Express
1. Right-click on the e-mail in your inbox.
2. Left-click on Properties.
3. The box that pops up will have two tabs: General and Details. Select the Details tab.
4. If you'd like a bigger view, click the Message Source button to the bottom left and adjust.

Checking Mail Headers in Outlook 2000
1. Right-click on the e-mail in your inbox
2. Left-click on Options. A box will pop up which includes miscellaneous information about the e-mail, including its headers.

Checking Mail Headers in Netscape 4.7
1. Select the e-mail in your inbox by clicking on it.
2. On the Toolbar at the top of the program, click View, and then Headers, and then All.

The first thing to understand about mail headers is that they are basically just a list of technical details about your e-mail - who it's from and who it's to. They also contain a list of identification stamps. Imagine it like this: An e-mail from America will have been passed through a number of servers before it reaches you. A mail server is a computer whose main function is to receive an e-mail and pass it on to someone or something else. An e-mail will go through at least a couple of these before it leaves America, and then through at least a couple more here in New Zealand before it reaches your computer. Each time one of these servers deals with the e-mail, it will add a stamp to the headers identifying the server's name, the time, and what it did with the e-mail. It is this sort of information that e-mail technicians become so proficient at deciphering. They need to be proficient too, because one mail server can't be relied upon to do or write things in exactly the same way as another mail server. That's why the mail headers you look at may look quite different from the ones we'll examine here. Things will be in a different order, some things won't be included and so forth.

Lastly, mail headers are best understood in reverse order. The information at the top is a record of the last thing that happened to the e-mail, so in our examination of the mail headers below, we'll start at the bottom.

Received: by ragas.actrix.co.nz (mbox editor)
   (with Cubic Circle's cucipop (v1.31 1998/05/13) Thu Dec 6 08:33:14 2001)
X-From_: norrie@nerdinamerica.com Thu Dec 6 02:17:44 2001
Return-Path: <norrie@nerdinamerica.com>
Delivered-To: editor@creative.actrix.co.nz
Received: from out4.mx.nwbl.wi.voyager.net (out4.mx.nwbl.wi.voyager.net [169.207.1.77])
   by creative.actrix.co.nz (Postfix) with ESMTP id B10CB11E5
   for <editor@actrix.co.nz>; Thu, 6 Dec 2001 02:17:43 +1300 (NZDT)
Received: from vm1.mx.voyager.net (vm1.mx.voyager.net [216.93.24.2])
   by out4.mx.nwbl.wi.voyager.net (8.11.1/8.11.1) with ESMTP id fB5DKj691722
   for <editor@actrix.co.nz>; Wed, 5 Dec 2001 07:20:45 -0600 (CST)
Received: from 63e4n (d168.as1.yntw.oh.voyager.net [216.196.54.235])
   by vm1.mx.voyager.net (8.10.2/8.10.2) with SMTP id fB5DJEO94789
   for <editor@actrix.co.nz>; Wed, 5 Dec 2001 08:19:14 -0500 (EST)
Reply-To: <norrie@nerdinamerica.com>
From: "Norton T Nerd III" <norrie@nerdinamerica.com>
To: "Rob Zorn" <editor@actrix.co.nz>
Subject: Mastermind
Date: Wed, 5 Dec 2001 06:16:27 -0500
Message-ID: <NDBBJFGNNLKCFPKOCFGHKEDHCEAA.norrie@nerdinamerica.com>
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

These mail headers (let's say) are from my friend Norrie the Nerd who's over in America at the moment participating in the Grand Finale of the International Mastermind Competition. His topic, by the way, is Early Server Development March 1965 - August 1968. We'll start at the bottom and go through them briefly, one block at a time.

Message-ID: <NDBBJFGNNLKCFPKOCFGHKEDHCEAA.norrie@nerdinamerica.com>
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The bottom three lines here just contain information about the way in which the e-mail was sent and how it was encoded. This is not the same as encryption. E-mails are usually sent with no encryption at all. Here it just refers to the way in which the text is to be copied on from server to server in the sending chain. The line above those tells me what sort of mail program Norrie was using. Mozilla here means Netscape Mail, the version being 4.76. This gives me the clue that Norrie may well not be much of a Microsoft Man. If he was, I'd probably see the words Outlook, or Outlook Express (and the version number) here. I can also see that Norrie's computer is using Windows NT 5 for its operating system. Obviously Norrie doesn't completely hate Microsoft. The top line of this block gives me the message ID. As I stated above, each server stamps an e-mail with something like this. It helps track where the e-mail has been. Records of these stamps are kept at an ISP for a time so that e-mails, or at least their pathways, can be checked or investigated. ID stamps like this are always unique.

Reply-To: <norrie@nerdinamerica.com>
From: "Norton T Nerd III" <norrie@nerdinamerica.com>
To: "Rob Zorn" <editor@actrix.co.nz>
Subject: Mastermind
Date: Wed, 5 Dec 2001 06:16:27 -0500

These lines are pretty standard and easy to understand. They tell me when the e-mail was sent, to whom it was sent, its subject and so forth.

Received: from 63e4n (d168.as1.yntw.oh.voyager.net [216.196.54.235])
   by vm1.mx.voyager.net (8.10.2/8.10.2) with SMTP id fB5DJEO94789
   for <editor@actrix.co.nz>; Wed, 5 Dec 2001 08:19:14 -0500 (EST)

As we continue to work our way up the headers, we come across a series of paragraphs all starting with "Received:". Again, these are just a series of stamps telling me the name of the server that received the e-mail and which server it received it from. I can see here that at 8:19 a.m. (Eastern Standard Time), Norrie's e-mail to me was sent by a server named vm1.mx.voyager.net to another server named d168.as1.yntw.oh.voyager.net. Because I know Norrie was in America at the time he sent this to me, I could hazard a guess that the "oh" in one of these server names represents Ohio. All these server names would be known by the Actrix mail servers, so if I really wanted to investigate this e-mail and find out (hypothetically) why it was delayed for a great deal of time, I could find out who owns those servers and contact them asking for an explanation. You can also see here that the e-mail was given another ID number as it went through (id fB5DJEO94789). Lastly, you'll see that the IP addresses of the servers are given. IP addresses are the numerical names of machines, e.g. 216.196.54.235. I won't go into detail on IP addresses here, but they're necessary because computers don't actually speak English to each other. They speak Number.

Received: from out4.mx.nwbl.wi.voyager.net (out4.mx.nwbl.wi.voyager.net [169.207.1.77])
   by creative.actrix.co.nz (Postfix) with ESMTP id B10CB11E5
   for <editor@actrix.co.nz>; Thu, 6 Dec 2001 02:17:43 +1300 (NZDT)

Skipping upwards to the third "Received:" paragraph, I can see the details about when this e-mail finally landed in New Zealand. It seems to have crossed a network owned by Voyager in America until it reached a server named out4.mx.nwbl.wi.voyager.net. Its short name (out4) probably indicates that it's the fourth in a series of mail servers designed to send mail out of the network. The "wi" in the server name would represent another American state (Wisconsin) again. If you had a big network in a big country like the U.S., then putting the location of the server in the server name would seem like a good idea. Out4 gave it another ID stamp (id B10CB11E5) and squirted it across the Southern Cross Cable to a mail server here at Actrix named Creative (Creative is one of two mail servers that Actrix has for receiving mail - the other one's name is Dragon). In effect, Out4 is saying to Creative, "Here is a package for someone named editor who lives near you. Please see that he gets it." Creative then would have taken my e-mail and put it in a folder named editor on a file server (like an electronic filing cabinet). There it would sit waiting for the next time I logged on to check my e-mail.

Received: by ragas.actrix.co.nz (mbox editor)
   (with Cubic Circle's cucipop (v1.31 1998/05/13) Thu Dec 6 08:33:14 2001)
X-From_: norrie@nerdinamerica.com Thu Dec 6 02:17:44 2001
Return-Path: <norrie@nerdinamerica.com>
Delivered-To: editor@creative.actrix.co.nz

The last block on our way up the mail headers tells me about the time that I checked my mail. A POP3 server (a special server designed to get mail out of the mailbox [mbox] on the file server and download it to you) at Actrix named Ragas used a program named cucipop v1.31 (released in May 1998) to retrieve that e-mail from the editor mailbox for me. Again, various date, time and return path information is given. You'll see that the "Delivered-To:" field includes "creative" in my e-mail address - simply indicating that Creative was the name of the server through which the e-mail was received for me.
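As an added example (this is not code from the article), here is a small Python script that reads the header block above the way the article does, bottom "Received:" stamp first, and turns it into a table of hops. It relies on two points that are standard SMTP behaviour rather than anything particular to these servers: in a "Received: from X by Y" line, Y is the server that wrote the stamp and X is the machine it accepted the message from, and the bracketed address after X is the IP that Y actually saw connecting. Because each stamp is written by a different party, only the stamps added by your own servers (here, anything ending in .actrix.co.nz, taken from the article) can be trusted; the script therefore also reports the first outside address one of those servers recorded, which is the hop a defender can actually vouch for. Converting every timestamp to UTC also exposes something the raw headers hide: Creative's stamp is three minutes earlier than Out4's, i.e. one of the two clocks was wrong, so a negative hop delay means clock skew rather than time travel. The header text is the one printed in the article, trimmed to the fields the script uses.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The header block printed in the article (Norrie's message to the editor),
# re-folded so each field starts on its own line and trimmed to what we use.
RAW_HEADERS = """\
Received: by ragas.actrix.co.nz (mbox editor)
   (with Cubic Circle's cucipop (v1.31 1998/05/13) Thu Dec 6 08:33:14 2001)
X-From_: norrie@nerdinamerica.com Thu Dec 6 02:17:44 2001
Return-Path: <norrie@nerdinamerica.com>
Delivered-To: editor@creative.actrix.co.nz
Received: from out4.mx.nwbl.wi.voyager.net (out4.mx.nwbl.wi.voyager.net [169.207.1.77])
   by creative.actrix.co.nz (Postfix) with ESMTP id B10CB11E5
   for <editor@actrix.co.nz>; Thu, 6 Dec 2001 02:17:43 +1300 (NZDT)
Received: from vm1.mx.voyager.net (vm1.mx.voyager.net [216.93.24.2])
   by out4.mx.nwbl.wi.voyager.net (8.11.1/8.11.1) with ESMTP id fB5DKj691722
   for <editor@actrix.co.nz>; Wed, 5 Dec 2001 07:20:45 -0600 (CST)
Received: from 63e4n (d168.as1.yntw.oh.voyager.net [216.196.54.235])
   by vm1.mx.voyager.net (8.10.2/8.10.2) with SMTP id fB5DJEO94789
   for <editor@actrix.co.nz>; Wed, 5 Dec 2001 08:19:14 -0500 (EST)
From: "Norton T Nerd III" <norrie@nerdinamerica.com>
To: "Rob Zorn" <editor@actrix.co.nz>
Date: Wed, 5 Dec 2001 06:16:27 -0500
Message-ID: <NDBBJFGNNLKCFPKOCFGHKEDHCEAA.norrie@nerdinamerica.com>

"""

CLAUSE_KEYS = ("from", "by", "via", "with", "id", "for")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# ctime-style date with no zone, as cucipop writes it inside its comment
CTIME_RE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \d{4}")


def strip_comments(text):
    """Drop (possibly nested) parenthesised comments so only clause words remain."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_timestamp(value):
    """Date after the last ';' (RFC 2822 style) or, failing that, a bare ctime date."""
    if ";" in value:
        try:
            return parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    m = CTIME_RE.search(value)
    return datetime.strptime(m.group(0), "%a %b %d %H:%M:%S %Y") if m else None


def parse_received(value):
    """Split one Received: field into its from/by/with/id/for clauses."""
    value = " ".join(value.split())                     # undo header folding
    head = value.rsplit(";", 1)[0] if ";" in value else value
    tokens = strip_comments(head).split()
    hop = {key: None for key in CLAUSE_KEYS}
    i = 0
    while i < len(tokens) - 1:                           # "keyword value" pairs
        key = tokens[i].lower()
        if key in CLAUSE_KEYS and hop[key] is None:
            hop[key] = tokens[i + 1].strip("<>")
            i += 2
        else:
            i += 1
    # The receiver's own view of the sender sits in the comment after the
    # "from" host: its reverse-DNS name and the literal IP it connected from.
    comment = re.search(r"\bfrom\s+\S+\s+\(([^)]*)\)", value, re.I)
    hop["from_comment"] = comment.group(1) if comment else None
    ip = IP_RE.search(hop["from_comment"] or "")
    hop["ip"] = ip.group(1) if ip else None
    hop["time"] = parse_timestamp(value)
    return hop


def trace(raw_headers):
    """Hops in travel order (bottom stamp first), with UTC time and delay since the last hop."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    prev = None
    for hop in hops:
        t = hop["time"]
        if t is not None and t.tzinfo is not None:
            hop["utc"] = t.astimezone(timezone.utc)
            hop["delay_s"] = int((hop["utc"] - prev).total_seconds()) if prev else None
            prev = hop["utc"]
        else:                                            # no zone: clocks not comparable
            hop["utc"], hop["delay_s"] = None, None
    return hops


def first_external_ip(hops, own_suffix):
    """Connecting IP recorded by the last of *your own* servers before any foreign stamp.

    Stamps below that were written by other parties and could say anything."""
    for hop in reversed(hops):                           # newest stamp first
        by = (hop["by"] or "").lower()
        if not by.endswith(own_suffix):
            break
        if hop["ip"] and not (hop["from"] or "").lower().endswith(own_suffix):
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = trace(RAW_HEADERS)
    for n, hop in enumerate(hops, 1):
        when = hop["utc"].strftime("%Y-%m-%d %H:%M:%S UTC") if hop["utc"] else "no zone given"
        delay = "" if hop["delay_s"] is None else f"  ({hop['delay_s']:+d}s)"
        print(f"{n}. {hop['from'] or '-'} [{hop['ip'] or '-'}] -> {hop['by']}  {when}{delay}")
    print("entry point our servers saw:", first_external_ip(hops, ".actrix.co.nz"))
```

Run it as-is and the third hop prints with a delay of -182s; the fourth (Ragas reading the mailbox with cucipop) has no zone on its stamp, so no delay is computed for it rather than guessing one.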

Okay, that will probably do for this article. I hope it hasn't been too geek-based. I'll close by reminding you that e-mail headers are always different, depending on where the e-mail has been, what servers have touched it and so forth. If you have a look at a few examples of your own, though, you should be able to decipher most of them in no time at all. If you'd like to delve a little more into what happens behind the scenes when you're online, you could try the "What happens When I Click Connect?" article in the May 2000 newsletter.