Reading Message Headers in Outlook

Take advantage of Exchange 2007 SMTP

William Lefkovics

November 29, 2009


In Exchange Server 2007, message transport uses Simple Mail Transfer Protocol (SMTP), whether messages are received from external addresses or from within the Exchange organization. For every email message sent through SMTP, the server maintains an email header, somewhat analogous to the addressing on an envelope for a letter. Message headers are specific to each email. To view message headers in Microsoft Office Outlook 2007, open the message and expand the Options panel of the Office ribbon to show the Message Options window. The message header text is in the Internet headers area, as shown in Figure 1. Since this window doesn’t expand, it’s often easier to copy and paste the header information to a text editor, as I have done below. The same applies to the Office Outlook 2010 beta; however, the panel is labeled Tags rather than Options, and the window is labeled Properties. Also in Outlook 2010, you can select File, Info, Properties in a message to open this same window.


A full analysis of SMTP headers is beyond the scope of this tip, but here is some brief guidance. I break the header information down into three components: addressing, server information, and eXtras.

Addressing includes the recipient and sender addresses, the date of the message, and the subject. The server information includes message content type, anti-spoofing results, and the long message ID that appears as an email address. The ID is unique to the message and helps email servers identify message status and log events specific to this message. The server information also identifies the source IP address of the last sending server, which may be the only item in the header that isn’t spoofable. The eXtras section contains the X-headers, which can be used to describe events pertaining to message flow. X-headers are commonly used for anti-virus or anti-spam status. Outlook 2007 and Outlook 2010 use X-headers for fingerprinting messages. Exchange 2003 and Exchange 2007 also use X-headers to expose anti-spam and spam confidence level results.

Here’s an example of an SMTP message header for an email sent from Outlook Web Access (OWA) to another mailbox on the same Exchange Server opened with Outlook 2007:

    Received: from w2k3ex2k7las.MojaveMedia.Corp ([192.168.5.5]) by
        w2k3ex2k7las.MojaveMedia.Corp ([192.168.5.5]) with mapi; Thu, 10 Sep 2009
        15:33:29 -0700
    Content-Type: application/ms-tnef; name="winmail.dat"
    Content-Transfer-Encoding: binary
    From: Miguel Indurain
    To: Pedro Delgado
    CC: Miguel Indurain
    Date: Thu, 10 Sep 2009 15:32:55 -0700
    Subject: With attachment
    Thread-Topic: With attachment
    Thread-Index: AQHKNYthBf9lpv5WoU6EiJfXPiswpQ==
    Message-ID:
        <77D28DDA2BDE0B4E80AEDA938747301BB896B3E5@w2k3ex2k7las.MojaveMedia.Corp>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-Exchange-Organization-SCL: -1
    X-MS-TNEF-Correlator:
        <77D28DDA2BDE0B4E80AEDA938747301BB896B3E5@w2k3ex2k7las.MojaveMedia.Corp>
    MIME-Version: 1.0

Notice in this example that Exchange has added the X-header to show an SCL value of -1, which is reserved for internal MAPI messages.

Now look at an example of an SMTP message header from an email sent from an external mail server to another accessed by Outlook 2007 using IMAP:

    Return-Path:
    Delivered-To: [email protected]
    Received: (qmail 2125 invoked by uid 399); 10 Sep 2009 22:40:41 -0000
    X-Virus-Scan: Scanned by ClamAV 0.91.2 (no viruses);
        Thu, 10 Sep 2009 15:40:42 -0700
    Received: from mail1.gearhost.com (69.24.64.25)
        by mail2.mygisol.com with ESMTP; 10 Sep 2009 22:40:41 -0000
    X-Originating-IP: 69.24.64.25
    Received-SPF: pass (mail2.mygisol.com: SPF record at lefkovics.net
        designates 69.24.64.25 as permitted sender)
        identity=mailfrom; client-ip=69.24.64.25;
        envelope-from=;
    Received: from [24.234.132.95] by mail1.gearhost.com via HTTP;
        Thu, 10 Sep 2009 16:38:54 -0600
    From: "[email protected]"
    To:
    Subject: Report for August 2009
    Date: Thu, 10 Sep 2009 16:38:54 -0600
    Reply-To: [email protected]
    Message-ID:
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0001_222DBFE7.44175713"
    X-Originating-IP: [24.234.132.95]
    X-Declude-Sender: [email protected] [24.234.132.95]
    X-Declude-Spoolname: 35384442.eml
    X-Declude-RefID: str=0001.0A010203.4AAEC600.00BA,ss=1,fgs=0
    X-Declude-Note: Scanned by Declude 4.6.35.
    X-Declude-Scan: Outgoing Score [0] at 16:38:57 on 10 Sep 2009
    X-Declude-Tests: Whitelisted
    X-Country-Chain:
    X-Declude-Code: 0
    X-Declude-Recipcount: 1
    X-Identity: 24.234.132.95 | | mojavemediagroup.com

In this second example, there are extensive X-headers showing the results of a message scan by the Internet security software Declude. Headers have subtle differences between the different email servers and clients, but they do adhere to a standard and represent one of the important troubleshooting tools for message flow.
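The three-part breakdown described above can be applied to a pasted header programmatically. The following Python is an added example, not code from the original article: it unfolds continuation lines, groups headers into addressing, server information and X-headers, and pulls out the IP the receiving server recorded for the last sending server along with the SPF verdict. The sample reuses lines from the second header; the From address and all function names are assumptions made for illustration.

```python
import re
from email.parser import HeaderParser

# Constructed sample: header lines copied from the article's second example.
# The From address is a placeholder; the page's own copy is redacted.
SAMPLE = """\
Received: (qmail 2125 invoked by uid 399); 10 Sep 2009 22:40:41 -0000
Received: from mail1.gearhost.com (69.24.64.25)
  by mail2.mygisol.com with ESMTP; 10 Sep 2009 22:40:41 -0000
Received-SPF: pass (mail2.mygisol.com: SPF record at lefkovics.net
  designates 69.24.64.25 as permitted sender)
Received: from [24.234.132.95] by mail1.gearhost.com via HTTP;
  Thu, 10 Sep 2009 16:38:54 -0600
From: sender@example.com
Subject: Report for August 2009
Date: Thu, 10 Sep 2009 16:38:54 -0600
X-Originating-IP: [24.234.132.95]
X-Declude-Tests: Whitelisted
"""

ADDRESSING = {"from", "to", "cc", "reply-to", "date", "subject"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unfold(value):  # join a folded (multi-line) header value into one line
    return re.sub(r"\s*\r?\n\s+", " ", value).strip()

def classify(raw):
    """Group headers as the article does: addressing, server, X-headers."""
    groups = {"addressing": [], "server": [], "x": []}
    for name, value in HeaderParser().parsestr(raw).items():
        key = name.lower()
        bucket = ("x" if key.startswith("x-")
                  else "addressing" if key in ADDRESSING else "server")
        groups[bucket].append((name, unfold(value)))
    return groups

def last_sending_ip(raw):
    """IP from the topmost Received line that names a peer, i.e. the hop the
    receiving server recorded itself; lower hops are claims from upstream."""
    for value in HeaderParser().parsestr(raw).get_all("Received", []):
        match = IPV4.search(unfold(value))
        if match:
            return match.group(0)
    return None

def spf_result(raw):
    """First token of Received-SPF (pass, fail, softfail, ...), or None."""
    value = HeaderParser().parsestr(raw).get("Received-SPF")
    return unfold(value).split()[0].lower() if value else None
```

For the sample, `last_sending_ip` skips the local qmail delivery line, which carries no peer address, and returns the address from the ESMTP hop, while the `X-Originating-IP` value lands in the X-header group as sender-supplied information.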


About the Author

William Lefkovics

William Lefkovics, BSc, MCSE is the Technical Director at Mojave media group, LLC in Las Vegas, NV. He is the co-author of Microsoft Exchange Server 2007: The Complete Reference.
