What is a Message Header?
Reading a message header is a simple and necessary skill for Office 365 and Exchange admins. It is needed less often these days, but it is one of those skills you must have when issues pop up.
With on-prem email servers we often had to review message headers, particularly when routing mail over private connections to partner companies or when troubleshooting application mail. Most message headers are not exciting anymore, with only a few entries as the message passes from one Exchange Online gateway to another.
With domain spoofing a continuing problem, reading a message header is crucial to examining a message and determining its authenticity.
In this article, we will review how to interpret a message header. For instructions on how to display the header in the most popular mail systems and applications, see the link at the end of this article.
How To Interpret a Message Header
Think of a message header as the package tracking of your email. As the message moves from one server to the next, each server adds its entry to the header. The entries include DNS names, IP addresses, and security information. The security entries, such as DKIM signatures and SPF verification results, are critical to message security; they are what our message hygiene system uses to verify the authenticity of email. As migration administrators, we sometimes have to do some unique routing, often with message rewrite services when spanning domains, to make sure we maintain the integrity of that security posture. When the routing is not done correctly, or the mail comes from a bad actor, this information is either missing or wrong, and message hygiene systems should block the mail.
Here is an example message header that I have simplified and altered for discussion purposes. I took it from a Twitter alert I received the other day and kept only the routing information from the top of the header.
At first, this can be overwhelming, so let’s make it simple. Each “Received” line is a hop. Think of a package travelling around the globe instead of an email: each “Received” entry is the package arriving at a sort centre. Each entry notes the IP address and name of the server the message went through (the equivalent of saying, “This came off Flight 101 into Nashville, TN USA on Feb 1 at 12:03”). It also carries important security information, which we don’t need to worry about in this article.
In our cloud-centric world, message headers look like the example above. The first entry is the most recent. In this case, it is the message arriving at the hub server where my Exchange Online mailbox resides. As we go down the header, we see the earlier hops it went through. In the final entry, we see a very streamlined origination from Twitter’s outgoing mail gateway for alerts, which makes sense given the volume of messages they send daily.
When on-prem email is in play, we can quickly identify it from the IP addresses in the earliest hops of the message header. The originating mail gateways may show private IP address ranges. When the mail comes from a traditional Exchange environment, this is less exciting. However, when it comes from an application sending email, this data can be very helpful.
Plenty of legitimate mail comes from applications. However, from time to time, a bad actor could work their way into one of these mail gateways and inject their “bad” email into the mail flow. This “bad” email would look like it came from the company because it went through the company’s servers. The days of open relays, or SMTP servers that didn’t force some form of authentication, should be gone. However, this remains an attack vector and still shows up from time to time. When looking at a potentially fraudulent email, look at the originating server and keep this possibility in mind as part of your investigation. If you need instructions on how to look at message headers in common email clients, such as Outlook, Outlook.com, Yahoo, and Gmail, see my article here: https://madmike.net/how-to-read-an-email-message-header-in-microsoft-outlook-office-365-gmail-yahoo-more