HomeContact Us at 1.800.458.3348 Support ResellersPrivacy Reseller Login Blog
SpamStopsHere Home
Support Menu
User Name: Password:
Help with Email Headers
Summary: This page describes how to examine the header of an email message to determine where it originated and what mail servers and relays it passed through. While this information certainly is not needed to use the SpamStopsHere service, you can use it to:
  • Confirm that the SpamStopsHere service is active for your email.
  • Confirm that a specific message went through the SpamStopsHere service.
  • Learn more about where spam comes from.
  • Determine the IP addresses of mail servers that you want to add to your domain whitelist or blacklist.
How to display an e-mail header

While email programs do not normally display the full Internet headers for an email message by default, all Internet email messages have a very detailed header that shows where the email originated, to whom it was sent, what relays it passed through, when it was received, and more.

All Internet email clients should be capable of showing you the full Internet headers of an email message, but you may need to read the documentation that came with it to determine how to do this. There are too many email clients for us to list instructions for them all, but following are some instructions for viewing headers on some versions of the two most popular email clients.

Outlook Express
  1. Right-click on the subject/info line of the message in the preview pane and select "Properties" from the drop down menu.
  2. Click on the "Details" tab, and you will be presented with the message's headers.
Outlook
  1. Double-click on the subject/info line of the message in the preview pane to open it in its own window.
  2. Click on "View" and then "Options" in the new window for the message.
  3. Header information appears under Delivery options in the Internet headers box.

If these instructions do not seem to work for you, you may have a different version of these programs. Please consult the documentation for your email program for instructions on viewing the full Internet headers of an email message.

Some office or home environments may use a local email client for delivery, rather than an Internet client, which can result in messages being stored on a local server. If this is the case, you may not be able to retrieve the Internet headers, as your Internet email message will have been converted into a local email message. Please contact your mail server administrator about how to retrieve the Internet headers for your messages.

How to interpret the header

The header contains the "Return-Path:", "Subject:", "From:", and "To:" fields with which you may be familiar. Note that in spam, the "From:" and "To:" fields are usually fake.

The "Received:" field is the key to this discussion; there are often two or more of these fields. Typical header fields when using the SpamStopsHere service is:

Received: from fwd.spamh.com ([1.2.3.4])
by mail.example.com (8.12.11/8.12.9) with ESMTP id i44J35uS038665
for ; Tue, 4 May 2004 15:05:12 -0400
Received: from relay.spamh.com (relay.spamh.com [1.2.3.5])
by out.example.com (8.12.11/8.12.11) with ESMTP id i44J58dF005675
for ; Tue, 4 May 2004 15:05:09 -0400

Each mail server or relay involved in sending the message from the source to your mail server adds a detailed "Received:" field.

In the example above, the top "Received:" field indicates that the email was received from "fwd.spamh.com" (the forwarding server) by "mail.example.com" the destination mail server.

relay.spamh.com is one of the possible SpamStopsHere filtering "relays". Other names are possible at the spamh.com domain. This confirms that the SpamStopsHere service is active and that this message passed through our service instead of bypassing it.

Example of a tagged message

Received: from fwd.spamh.com ([1.2.3.4])
by mail.example.com (8.12.11/8.12.9) with ESMTP id i44J35uS038665
for ; Tue, 4 May 2004 15:05:12 -0400
Received: from relay.spamh.com (relay.spamh.com [1.2.3.5])
by out.example.com (8.12.11/8.12.11) with ESMTP id i44J58dF005675
for ; Tue, 4 May 2004 15:05:09 -0400
X-SpamH-CheckIP: 2.3.4.5
X-SpamH-Recipient:
X-SpamH-ID: i44J58dF005675
X-SpamH-IP-RBL: IP Blacklisted in RBL bl.spamcop.net
X-SpamH-Action: MODIFY SUBJECT

The X-SpamH-CheckIP header shows the IP address of the actual mail server that delivered the email message to our servers. The X-SpamH-IP-RBL header shows that that IP address was black listed by the bl.spamcop.net third party Real-Time Blacklist. This user is modifying the subject for messages identified by this filter.

Adding an IP address to your domain whitelist

You can create a domain whitelist to ensure that important clients and contacts are never blocked, even if they send you spam.

To create the whitelist, you must determine the IP address of the mail server used by your client/contact. This can be done by examining the header of an email sent by them to you and looking at the X-SpamH-CheckIP header. This is the IP address which you enter into your domain whitelist.

Refer to "Using the Control Panel" for directions for creating a personal whitelist.

Once the IP address has been added to your personal whitelist, it will never be blocked for your domain.

Adding an IP address to your domain blacklist

You can also create a domain "black list" to block e-mail from certain sources. We do not recommend using it to block any remaining spam. However, it can be used to block someone who is harassing your employees.

Refer to "Using the Control Panel" for directions and many cautions!

To create the blacklist, you must determine the IP address of the mail system you wish to block. The method is exactly the same as for the Whitelist.