Sender authentication part 2: Reading email headers

As we saw in our previous post, 5 basic commands are needed for SMTP.  When the receiving mail transfer agent (MTA) receives the message, it inserts additional headers which allow us to trace the message to its source.  In the example from the previous post, here would be the headers from the sample message:

From me@tzink.net
Received: from mailhost.tzink-is-awesome.com (mailhost.tzink-is-awesome.com [292.13.130.22]) by mail.tzink.net (8.8.5) for me@tzink-is-awesome.com with EMSTP id 123456789-0AH for <me@tzink.net>
From: my.alias@tzink.net
To: another.email@tzink-is-awesome.com
Date: Fri, Jun 18, 2007 20:20:20 PST
Message-ID: <elmsley-flushtration-484@mail.tzink.net>
Subject: How's it going?

Let's step through these one by one.  The first line is the From address and it is the envelope sender.  The envelope sender is generated by the receiving machine and it is generated by the MAIL FROM command from the transmitting machine.  Note the lack of a colon in the From header, this distinguishes it from the other From: header later on.  The convention is not universal but it is frequent.  The envelope headers are generated by the receiving machine while the message headers are created by the transmitting machine.

The next line is a received header.  This received header is also an envelope sender because it is generated by the receiving machine.

Received: from mailhost.tzink-is-awesome.com

This piece of mail was received from a machine that calls itself mailhost.tzink-is-awesome.com.

(mailhost.tzink-is-awesome.com [292.13.130.22])

The IP address of the sending machine is 292.13.130.22.  Received headers will always log the sending IP address, and the name of the machine is mailhost.tzink-is-awesome.com.  This name is found by doing a reverse DNS lookup of the IP address.  In other words, here's what happened:

  1. The message was received from a machine that said its name was mailhost.tzink-is-awesome.com.
  2. The IP address of the transmitting machine was 292.13.130.22.
  3. A reverse DNS lookup of that IP address is mailhost.tzink-is-awesome.com.

Not all IP addresses have reverse IP lookups, but when they exist it is easier to implement a weak form of sender authentication.  If it didn't exist, the name part would be blank.  Another possibility is that the Received: from xxxxx  name could be different than the name in the reverse DNS lookup.  The next header is the following:

by mail.tzink.net (8.8.5)

The machine that received the message is mail.tzink.net using a program called Sendmail, version 8.8.5.

with EMSTP id 123456789-0AH

The receiving machine assigned the ID number 123456780-0AH to the message.  This is used more for mail administrators for checking logs but is also sometimes useful for spam analysts.

for <me@tzink.net>

This message was addressed to me@tzink.net.  This is the Envelope To, the one that is specified in RCPT TO by the sending machine.  It is this address that the message is routed to.  Note that this email does not have to be the same as the one in the To: header later on.  The envelope sender is not always in a received header, sometimes it is in a header elsewhere in the message.

The next few headers are message headers.

From: my.alias@tzink.net
To: another.email@tzink-is-awesome.com
Date: Fri, Jun 18, 2007 20:20:20 PST
Message-ID: <elmsley-flushtration-484@mail.tzink.net>
Subject: How's it going?

The above headers are created by the transmitting machine.  The Message-ID is different than the SMTP ID, it can have the sender's email address embedded in it.  Other times there is no intelligible meaning associated with it.  This ID is associated with this email message for life.

Note that there are four important routing headers, the Envelope To, the Envelope From, the message To: and the message From:.  The Envelope headers are generated by the receiving machine based upon the SMTP commands used by the transmitting machine while the To: and From: headers are extra headers inserted into the body of the message (that often show up in your email client like Thunderbird, Apple Mail or Outlook).  The message is routed based on the Envelope headers, not the message headers  Also note the absence of a colon in the Envelope headers.

Envelope headers appear differently in different mail servers.  Sometimes the envelope sender is specified in the Return-Path header.

It is important to note that my example above is simple.  Often times, a message will go through more routing and will have a few more Received: from headers.