The most important email headers for deliverability: Authentication-Results (shows SPF, DKIM, DMARC pass/fail), Received (shows the path the email traveled), From (the visible sender), Return-Path (where bounces go — must align with From for SPF/DMARC), DKIM-Signature (the cryptographic signature), and List-Unsubscribe (one-click unsubscribe header required by Gmail/Yahoo). View headers in Gmail: three dots → Show Original. In Outlook: three dots → View Message Source.
Email Headers Explained: Every Important Header for Deliverability
How to Read Headers
In Gmail
- Open the email
- Click the three dots (top right of message)
- Click Show Original
- Gmail shows a summary of SPF, DKIM, DMARC at the top
- Full headers are below
In Outlook
- Open the email
- Click the three dots
- Click View Message Source or Message Details
The Headers That Matter
Authentication-Results
Most important header for deliverability. Added by the receiving server.
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 198.2.135.10 as permitted sender) [email protected];
dkim=pass [email protected] header.s=s1;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com
What to check:
spf=pass✓ (if fail: sending IP not in SPF record)dkim=pass✓ (if fail: DKIM signature invalid or DNS record missing)dmarc=pass✓ (if fail: neither SPF nor DKIM aligns with From: domain — see authentication guide)
From
From: Newsletter <[email protected]>
The visible sender. What recipients see. Must align with SPF or DKIM domain for DMARC to pass.
Return-Path (Envelope Sender)
Return-Path: <[email protected]>
Where bounces are sent. For SPF alignment in DMARC, this domain must match the From: domain (relaxed alignment allows subdomain match).
Common issue: Your ESP sets Return-Path to their domain (e.g., bounce.sendgrid.net). This means SPF passes for SendGrid's domain, not yours. DMARC SPF alignment fails. DKIM alignment must save you.
DKIM-Signature
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=s1;
h=from:to:subject:date:message-id:content-type;
b=BASE64_SIGNATURE...
What to check:
d=should be your domain (not your ESP's domain)s=is the selector (used to look up the public key in DNS)a=should bersa-sha256(the signing algorithm)
If d= shows your ESP's domain instead of yours, custom DKIM signing isn't configured.
Received
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
by mx.google.com with SMTPS id abc123
for <[email protected]>;
Sun, 30 Mar 2026 10:30:00 -0700 (PDT)
Each hop adds a Received header. Read bottom to top to trace the email's journey. Useful for identifying:
- Which server sent the email
- How long each hop took (delivery speed)
- Whether the email was relayed through unexpected servers
List-Unsubscribe
List-Unsubscribe: <https://yourdomain.com/unsubscribe?id=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Required by Gmail and Yahoo for bulk senders (5,000+/day). Without these headers, Gmail may reject or spam-filter your marketing email. Most ESPs add these automatically.
X-Headers (Custom)
ESPs add custom headers for their own tracking:
X-Mailer:— software that sent the emailX-SG-EID:— SendGrid event IDX-Mailgun-Sid:— Mailgun session ID
These don't affect deliverability directly but are useful for debugging delivery paths.
Using Headers to Diagnose Problems
| Symptom | Header to Check | What to Look For |
|---|---|---|
| Email goes to spam | Authentication-Results | SPF/DKIM/DMARC fail |
| DMARC failing | From + Return-Path + DKIM-Signature | Alignment mismatch |
| Email delayed | Received (timestamps) | Long gaps between hops |
| Unknown sender | Received (bottom entry) | Which server originated the message |
| ESP not signing correctly | DKIM-Signature → d= | ESP domain instead of your domain |
Practitioner note: The first thing I check on any deliverability issue: Authentication-Results header. It takes 30 seconds and tells you whether the problem is authentication, reputation, or content. If SPF/DKIM/DMARC all pass, the issue isn't authentication. If any fail, that's your starting point.
Practitioner note: A common gotcha: DKIM passes (
dkim=pass) but withd=sendgrid.netinstead ofd=yourdomain.com. DKIM passes for SendGrid's domain, but DMARC alignment fails because it doesn't match your From: domain. Always check the d= value in the DKIM-Signature header, not just whether DKIM passed.
If you can't interpret your email headers or need help diagnosing a delivery problem, schedule a consultation — I'll trace the exact issue from the headers.
Sources
- RFC 5322: Internet Message Format
- RFC 7489: DMARC
- Google: Read Email Headers
v1.0 · March 2026
Frequently Asked Questions
How do I view email headers?
Gmail: open email → three dots (top right) → Show Original. Outlook: open email → three dots → View Message Source. Apple Mail: View → Message → Raw Source. The headers appear at the top of the raw message.
What is the Authentication-Results header?
Added by the receiving server, it shows whether SPF, DKIM, and DMARC passed or failed. Look for 'spf=pass', 'dkim=pass', 'dmarc=pass'. If any show 'fail', that's your deliverability problem.
What is the Return-Path header?
The Return-Path (also called envelope sender) is where bounces are sent. For DMARC SPF alignment, the Return-Path domain must match the From: header domain. ESPs sometimes set Return-Path to their own domain — this can cause alignment failures.
What does the Received header tell me?
Each server that processes the email adds a Received header. Read them bottom-to-top to trace the email's path from sender to recipient. Useful for identifying delays, routing issues, and which server handled each step.
What is the X-Mailer header?
X-Mailer identifies the software that sent the email (e.g., 'Mailgun' or 'Microsoft Outlook'). Spam filters can use this — emails claiming to be from Outlook but sent from a Linux server may be flagged. Most ESPs set this correctly.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.