How to read and interpret raw headers?

Raw headers can look overwhelming, but they follow patterns. Here's how to read them:

Read Received headers bottom to top: Each server that handles the message adds a Received header at the top. The bottom Received header is the origin; the top is the final destination. Reading upward traces the message's journey chronologically.

Key headers to examine:

• From: Display sender address
• To: Display recipient address
• Subject: Message subject
• Date: When the sender's client created the message
• Message-ID: Unique identifier for tracking
• Received: Server handoffs with timestamps and IPs
• Authentication-Results: SPF, DKIM, DMARC verdicts
• Return-Path: Envelope sender (bounce address)

Format: Headers follow Name: Value format. Long values may wrap with whitespace. Multiple headers with the same name are valid (common for Received).

Timestamps: Received headers include timestamps. Comparing them reveals transit time between servers. Large gaps indicate queuing or delays.

IP addresses: Received headers show which IPs handled the message. Cross-reference these with reputation tools to identify problems.