📧: Message Header Debugging

When you send an email, it completes its journey across the Internet by passing through various email servers, each of which forwards it on to the next hop (no, not like a bunny; the next server on the way to its destination).

Each server logs its handling in the email itself, in what is commonly known as the message header. Some products also call these Internet headers; however, here's the rub: technically they are not Internet headers, because if an email only travels internally, for example between two employees, it never touches the Internet. Those messages will still contain message headers, but the servers listed in them will all be internal ones.

Message headers are usually hidden away in a submenu, or tucked into a place you would not expect to find them, and most people don't concern themselves with them.

Message headers also contain a wealth of other information which is handy for troubleshooting and diagnosing why messages don't reach their intended destination, or why they end up in the wrong folder, such as the spam or junk folder or deleted items.

The Message Headers

The raw message headers include the full path the e-mail has taken. This is made more complex if DKIM is enabled, as the message has to pass its signature "checks" before it is delivered, so for ease of reading I have removed the DKIM records. This is the e-mail flow in its raw format:

Delivered-To: bear@pokebearwithsticks.com
Received: by 2002:a05:6022:51e:b0:3f:99b6:1a47 with SMTP id q30csp2681166laq;
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
X-Received: by 2002:a05:620a:9006:b0:75b:23a1:44d with SMTP id rk6-20020a05620a900600b0075b23a1044dmr5896390qkn.19.1685567097092;
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
 spf=softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) smtp.mailfrom="bounces+29029572-2f28-bear@send.thenueco.com"
Return-Path: <bounces+29029572-2f28-bear@send.thenueco.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id y75-20020a37644e000000b00757867d5a4bsor8574844qkb.16.2023.05.31.14.04.56
        for <bear@pokebearwithsticks.com>
        (Google Transport Security);
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@thenueco.com header.s=s1 header.b=tgBT+lpi;
       arc=pass (i=1 spf=pass spfdomain=send.thenueco.com dkim=pass dkdomain=thenueco.com);
       spf=softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) smtp.mailfrom="bounces+29029572-2f28-bear@send.thenueco.com"
X-Received: by 2002:a05:620a:2a13:b0:75b:23a1:43e with SMTP id o19-20020a05620a2a1300b0075b23a1043emr8746243qkp.4.1685567096821;
Return-Path: <bounces+29029572-2f28-bear@send.thenueco.com>
Received: from o1361.shared.klaviyomail.com (o1361.shared.klaviyomail.com. [168.245.125.197])
        by gmr-mx.google.com with ESMTPS id to4-20020a05620a4c8400b0075b2874f042si1418491qkn.5.2023.05.31.14.04.56
        for <bear@pokebearwithsticks.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 31 May 2023 14:04:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+29029572-2f28-bear@send.thenueco.com designates 168.245.125.197 as permitted sender) client-ip=168.245.125.197;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thenueco.com; h=content-type:from:mime-version:subject:list-unsubscribe:to:cc: content-type:from:subject:to; s=s1; bh=pDgaifD1sT37NzwPDRi7UEDrcur8ErEP7zUJBGhA41I=; b=tgBT+lpieh7abZ5RVXCKRK0GTMoYgTKsA6jj+hEe631pjt8yG+KT9oapN7ssbZvx0roR 1+4lvTXCm5e83vlbKUgGCsD26T2UbKFWcKdmbzZYVvAe1Ec2ZEBiei+GdTdOddOvE0xLt5 fHo8f2cH3uBqEU+O/BdqOjqVIULOCfgRx61v8sgb6G8CtG9ryeOxTeOfxx4aG8ydmtjkwc 1o2w5oForcriWMxv0sZ5hAxF0pSEPQp4oHEHS82GM79425UBNXZn9EwcM3gOneOROl60d5 UNyHxWqH741bmxUxD6nI99wFF7GA8FjhmLzlngfmxxsqU4QgWb77GqNSgGiFygwg==
Received: by filterdrecv-8684c58db7-5vsrj with SMTP id filterdrecv-8684c58db7-5vsrj-1-6477B677-3B
        2023-05-31 21:04:55.710476549 +0000 UTC m=+1805202.529403429
Received: from MjkwMjk1NzI (unknown) by geopod-ismtpd-14 (SG) with HTTP id -hO9OPdmQC67rh9bUauB-g Wed, 31 May 2023 21:04:55.569 +0000 (UTC)
Content-Type: multipart/alternative; boundary=9364a5ad43783d5b3a1be90f7770d52bbdfb03d534ab8a206f3a2c8e2a6b
Date: Wed, 31 May 2023 21:04:55 +0000 (UTC)
From: "The Nue Co." <info@thenueco.com>
Mime-Version: 1.0
Message-ID: <-hO9OPdmQC67rh9bUauB-g@geopod-ismtpd-14>
Subject: Last chance for 25% off
X-Kmail-Message: 01H1RJQ1TQGY3DYHWHYQ06NJ28
X-Kmail-Account: TsuQt6
X-Kmail-Relay: [3023552.krelaymail.com]:587
To: Magical Bear <bear@pokebearswithsticks.com>
X-Entity-ID: dLtYHFmbmgZlO8fgUt71Lg==

Once we have this, remember that the mail flow reads from the bottom of the message to the top, so at the bottom you see the source of the e-mail, which is this:

Basic Data

From: "The Nue Co." <info@thenueco.com>
Mime-Version: 1.0
Message-ID: <-hO9OPdmQC67rh9bUauB-g@geopod-ismtpd-14>
Subject: Last chance for 25% off
X-Kmail-Message: 01H1RJQ1TQGY3DYHWHYQ06NJ28
X-Kmail-Account: TsuQt6
X-Kmail-Relay: [3023552.krelaymail.com]:587
To: Magical Bear <bear@pokebearswithsticks.com>

Message Routing

Next up is the routing of the e-mail from the source to my mailbox, which navigates through Gmail's SMTP servers like this:

Received: by 2002:a05:6022:51e:b0:3f:99b6:1a47 with SMTP id q30csp2681166laq;
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
X-Received: by 2002:a05:620a:9006:b0:75b:23a1:44d with SMTP id rk6-20020a05620a900600b0075b23a1044dmr5896390qkn.19.1685567097092;
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
 spf=softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) smtp.mailfrom="bounces+29029572-2f28-bear@send.thenueco.com"
Return-Path: <bounces+29029572-2f28-bear@send.thenueco.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id y75-20020a37644e000000b00757867d5a4bsor8574844qkb.16.2023.05.31.14.04.56
        for <bear@pokebearwithsticks.com>
        (Google Transport Security);
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@thenueco.com header.s=s1 header.b=tgBT+lpi;
       arc=pass (i=1 spf=pass spfdomain=send.thenueco.com dkim=pass dkdomain=thenueco.com);
       spf=softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) smtp.mailfrom="bounces+29029572-2f28-bear@send.thenueco.com"
X-Received: by 2002:a05:620a:2a13:b0:75b:23a1:43e with SMTP id o19-20020a05620a2a1300b0075b23a1043emr8746243qkp.4.1685567096821;
Return-Path: <bounces+29029572-2f28-bear@send.thenueco.com>
Received: from o1361.shared.klaviyomail.com (o1361.shared.klaviyomail.com. [168.245.125.197])
        by gmr-mx.google.com with ESMTPS id to4-20020a05620a4c8400b0075b2874f042si1418491qkn.5.2023.05.31.14.04.56
        for <bear@pokebearwithsticks.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 31 May 2023 14:04:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+29029572-2f28-bear@send.thenueco.com designates 168.245.125.197 as permitted sender) client-ip=168.245.125.197;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thenueco.com; h=content-type:from:mime-version:subject:list-unsubscribe:to:cc: content-type:from:subject:to; s=s1; bh=pDgaifD1sT37NzwPDRi7UEDrcur8ErEP7zUJBGhA41I=; b=tgBT+lpieh7abZ5RVXCKRK0GTMoYgTKsA6jj+hEe631pjt8yG+KT9oapN7ssbZvx0roR 1+4lvTXCm5e83vlbKUgGCsD26T2UbKFWcKdmbzZYVvAe1Ec2ZEBiei+GdTdOddOvE0xLt5 fHo8f2cH3uBqEU+O/BdqOjqVIULOCfgRx61v8sgb6G8CtG9ryeOxTeOfxx4aG8ydmtjkwc 1o2w5oForcriWMxv0sZ5hAxF0pSEPQp4oHEHS82GM79425UBNXZn9EwcM3gOneOROl60d5 UNyHxWqH741bmxUxD6nI99wFF7GA8FjhmLzlngfmxxsqU4QgWb77GqNSgGiFygwg==
Received: by filterdrecv-8684c58db7-5vsrj with SMTP id filterdrecv-8684c58db7-5vsrj-1-6477B677-3B
        2023-05-31 21:04:55.710476549 +0000 UTC m=+1805202.529403429
Received: from MjkwMjk1NzI (unknown) by geopod-ismtpd-14 (SG) with HTTP id -hO9OPdmQC67rh9bUauB-g Wed, 31 May 2023 21:04:55.569 +0000 (UTC)

This tells you that the first hop with a Google server was:

Received: from MjkwMjk1NzI (unknown) by geopod-ismtpd-14 (SG) with HTTP id -hO9OPdmQC67rh9bUauB-g Wed, 31 May 2023 21:04:55.569 +0000 (UTC)

Then the last hop before it arrives in my mailbox is this server:

Received: by 2002:a05:6022:51e:b0:3f:99b6:1a47 with SMTP id q30csp2681166laq;
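Reading the hops by eye works for one message, but it is easy to lose your place in a long chain. The following script is an added example (it is not code from the original post and not any mail provider's tool): it unfolds a constructed excerpt of the headers shown above, lists the Received hops in the order the mail actually travelled, pulls the per-hop Received-SPF results, and reads the top-level spf/dkim/arc verdicts from Authentication-Results. The hostnames and IPs in the sample are the ones from the headers above; the parsing helpers and regular expressions are this example's own.

```python
"""List the delivery hops of a message from its raw headers, oldest first.

Added example, not code from the original post. RAW_HEADERS is a constructed
excerpt of the Received / Received-SPF / Authentication-Results lines shown in
the post, folded exactly as the servers emitted them.
"""
import re

RAW_HEADERS = """\
Delivered-To: bear@pokebearwithsticks.com
Received: by 2002:a05:6022:51e:b0:3f:99b6:1a47 with SMTP id q30csp2681166laq;
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id y75-20020a37644e000000b00757867d5a4bsor8574844qkb.16.2023.05.31.14.04.56
        for <bear@pokebearwithsticks.com>
        (Google Transport Security);
        Wed, 31 May 2023 14:04:57 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@thenueco.com header.s=s1 header.b=tgBT+lpi;
       arc=pass (i=1 spf=pass spfdomain=send.thenueco.com dkim=pass dkdomain=thenueco.com);
       spf=softfail (google.com: domain of transitioning bounces+29029572-2f28-bear@send.thenueco.com does not designate 209.85.220.41 as permitted sender) smtp.mailfrom="bounces+29029572-2f28-bear@send.thenueco.com"
Received: from o1361.shared.klaviyomail.com (o1361.shared.klaviyomail.com. [168.245.125.197])
        by gmr-mx.google.com with ESMTPS id to4-20020a05620a4c8400b0075b2874f042si1418491qkn.5.2023.05.31.14.04.56
        for <bear@pokebearwithsticks.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 31 May 2023 14:04:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+29029572-2f28-bear@send.thenueco.com designates 168.245.125.197 as permitted sender) client-ip=168.245.125.197;
Received: by filterdrecv-8684c58db7-5vsrj with SMTP id filterdrecv-8684c58db7-5vsrj-1-6477B677-3B
        2023-05-31 21:04:55.710476549 +0000 UTC m=+1805202.529403429
Received: from MjkwMjk1NzI (unknown) by geopod-ismtpd-14 (SG) with HTTP id -hO9OPdmQC67rh9bUauB-g Wed, 31 May 2023 21:04:55.569 +0000 (UTC)
From: "The Nue Co." <info@thenueco.com>
Subject: Last chance for 25% off
"""

RECEIVED_RE = re.compile(r"^(?:from\s+(?P<from>\S+)\s+.*?)?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RE = re.compile(r"^(?P<result>\w+)\b.*?client-ip=(?P<ip>[\d.]+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)")


def unfold_headers(raw: str) -> list:
    """Turn folded RFC 5322 header text into (name, value) pairs.

    A line that starts with whitespace continues the previous header."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                          # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def hops(fields: list) -> list:
    """Each relay prepends its own Received header, so the top one is the last hop.

    Reversing the list gives the path in the order the message travelled."""
    received = [v for n, v in fields if n.lower() == "received"]
    path = []
    for value in reversed(received):
        m = RECEIVED_RE.search(value)
        ip = IP_RE.search(value)
        path.append({
            "from": m.group("from") if m else None,   # connecting host, if stated
            "by": m.group("by") if m else None,       # server that wrote the header
            "ip": ip.group(1) if ip else None,
        })
    return path


def spf_per_hop(fields: list) -> list:
    """Received-SPF is added by each receiver that checked SPF; return oldest first."""
    checks = []
    for n, v in fields:
        if n.lower() == "received-spf":
            m = SPF_RE.search(v)
            if m:
                checks.append((m.group("result"), m.group("ip")))
    return list(reversed(checks))


def auth_results(fields: list) -> dict:
    """Top-level method=result pairs from Authentication-Results.

    Parenthesised comments are stripped first; otherwise the spf=pass inside the
    arc=pass (...) comment would be mistaken for the message's own SPF result."""
    results = {}
    for n, v in fields:
        if n.lower() != "authentication-results":
            continue
        for method, result in AUTH_RE.findall(re.sub(r"\([^)]*\)", "", v)):
            results.setdefault(method, result)
    return results


if __name__ == "__main__":
    fields = unfold_headers(RAW_HEADERS)
    for i, hop in enumerate(hops(fields), 1):
        print(f"hop {i}: {hop['from'] or '?'} -> {hop['by']} ({hop['ip'] or 'no IP'})")
    print("SPF checks, oldest first:", spf_per_hop(fields))
    print("Authentication-Results:", auth_results(fields))
```

Run against the sample it lists geopod-ismtpd-14 as the first hop and the 2002:a05:6022:... server as the last, matching the reading above. The per-hop SPF output is the more useful diagnostic: SPF passed at gmr-mx.google.com for 168.245.125.197 but softfailed at mx.google.com, where the connecting host was the Google relay 209.85.220.41 rather than the sender's own server. A softfail that only appears after an internal or forwarding hop like this points at the forwarding path, not at the sender's SPF record, so check which hop produced the verdict before changing DNS.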

Now, what if you require a visual of this, as the raw form can be hard to decipher? Well, in that case, my friend, you can use this tool here.

That will then show you this:

Paste your header into the box and click the Analyse button for the results. This will then show you a visual as below:

This particular e-mail ended up in my spam folder, and the reason for that is that it failed the SPF check. However, this was only a softfail, and it did pass DKIM and ARC, which means it was not blocked at source.



DMARC and Spam e-mail

If you get a lot of spam you may wish to enable DMARC. This is a DNS record that helps fight spam by telling receiving servers what to do when a message fails certain tests, and it has three modes: monitor, quarantine and reject. Monitor is essentially off, as it does nothing to the mail itself.

Once you have monitor mode running you need to look at the reports, or use some software to do it for you. In this instance I use dmarcadvisor.com to monitor these actions, but as you can see my record is in "reject" mode with forensic reports enabled:

v=DMARC1; p=reject; rua=mailto:zlthnybq@ag.eu.dmarcadvisor.com; ruf=mailto:zlthnybq@fr.eu.dmarcadvisor.com; fo=s;
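To tie the DMARC record to the spam-folder verdict above: DMARC passes if either SPF or DKIM passes and the authenticating domain aligns with the From: domain, and only when both fail does the p= policy apply. The script below is an added example, not code from the original post or from dmarcadvisor.com. It parses the record quoted above, then evaluates the message from the header walkthrough (SPF softfail for send.thenueco.com, DKIM pass for thenueco.com, From: thenueco.com) and the same message with a broken DKIM signature. It assumes DMARC's default relaxed alignment and simplifies the organizational domain to the last two labels; real receivers consult the Public Suffix List for that step.

```python
"""Parse a DMARC record and decide what a receiver would do with a message.

Added example, not code from the original post. DMARC_RECORD is the record
quoted in the post; the authentication inputs in __main__ are the values from
its Authentication-Results header. org_domain() is a simplification (last two
labels) standing in for a Public Suffix List lookup.
"""

DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:zlthnybq@ag.eu.dmarcadvisor.com; "
                "ruf=mailto:zlthnybq@fr.eu.dmarcadvisor.com; fo=s;")

POLICIES = ("none", "quarantine", "reject")   # p=none is the "monitor" mode
FO_OPTIONS = ("0", "1", "d", "s")               # when to send failure (forensic) reports


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, rejecting records a receiver would ignore."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag and p= is required.
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for mode_tag in ("adkim", "aspf"):
        if tags.get(mode_tag, "r") not in ("r", "s"):
            raise ValueError(f"{mode_tag}= must be r (relaxed) or s (strict)")
    for opt in tags.get("fo", "0").split(":"):
        if opt not in FO_OPTIONS:
            raise ValueError(f"unknown fo= option {opt!r}")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(tags: dict, from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """DMARC passes if EITHER aligned SPF or aligned DKIM passes; otherwise p= applies."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        # p=none delivers and only reports, which is why monitor mode "does nothing"
        "disposition": "deliver" if passed or tags["p"] == "none" else tags["p"],
        "aggregate_reports_to": tags.get("rua"),
        "forensic_reports_to": tags.get("ruf"),
    }


if __name__ == "__main__":
    tags = parse_dmarc(DMARC_RECORD)
    # The message from the post: SPF softfail (not a pass) but an aligned DKIM pass.
    print(evaluate_dmarc(tags, "thenueco.com", "softfail", "send.thenueco.com",
                         "pass", "thenueco.com"))
    # The same message with a broken DKIM signature: p=reject would now apply.
    print(evaluate_dmarc(tags, "thenueco.com", "softfail", "send.thenueco.com",
                         "fail", "thenueco.com"))
```

The first evaluation returns a DMARC pass with disposition "deliver", which is why the message was only filed as spam by Google's own scoring rather than rejected by policy; the second returns "reject", the outcome the quoted record would produce once DKIM no longer verifies. Note that send.thenueco.com would align with thenueco.com under relaxed mode if SPF had passed, but a softfail is not a pass, so SPF contributes nothing to DMARC for this message.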

However, malicious e-mails can now also be signed with DKIM, so this will not be a "silver bullet" to fix your issues; there is no silver bullet. It would appear that the malicious threat actors are dining on the fact that we are human and have flaws.
