Suped

How to determine an email sending platform from email headers or server information?

Summary

Determining an email sending platform largely hinges on a thorough analysis of email headers. The 'Received' headers are paramount, offering a chronological trail of servers and their IP addresses, allowing for reverse DNS and 'whois' lookups to pinpoint origins. The 'Authentication-Results' header is also vital, as the domains linked to SPF and DKIM results frequently reveal the underlying ESP infrastructure. Further clues can be found in the 'Return-Path' and 'Message-ID' headers, which often contain domain names associated with the sending platform. Some services, like Amazon SES or SendGrid, may include unique, proprietary headers that instantly identify them. Additionally, checking the SPF record of the 'From' domain can expose common ESP 'include' directives. While manual analysis is possible, online email header analyzer tools significantly streamline the process, automatically parsing content and cross-referencing information to help identify the sending platform.

Key findings

  • Received Headers are Key: The 'Received' headers are the most crucial element, as they document the path an email took, including IP addresses and hostnames of the servers involved. The earliest 'Received' header (the bottom-most one) often pinpoints the originating server or ESP.
  • Authentication Results: The 'Authentication-Results' header provides insights into SPF, DKIM, and DMARC results. The domains specified in these results (e.g., `spf.protection.outlook.com` or `sendgrid.net` in SPF records, or `header.d=` in DKIM) frequently correspond directly to the email sending platform's infrastructure.
  • Return-Path and Message-ID: The 'Return-Path' header often contains an email address belonging to the sending platform's bounce processing infrastructure, directly indicating the ESP. Similarly, the domain part of the 'Message-ID' header can also point to the sending server or platform.
  • X-Mailer Header: Some email sending software or services explicitly identify themselves in the 'X-Mailer' header, though this is not always present or specific enough.
  • SPF Records of From Domain: For bulk senders, checking the SPF record of the domain in the 'From' address can reveal the sending platform. Many large ESPs require clients to include their SPF records, such as `include:spf.protection.outlook.com` or `include:sendgrid.net`.
  • Online Header Analyzers: Using online tools like MXToolbox's or Microsoft's Message Header Analyzer simplifies the process by parsing complex headers, highlighting critical details like sending IP, hostnames, and performing lookups, often identifying the source and potential ESP.
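
The SPF check from the "SPF Records of From Domain" point, as an added example (not code from this page or from any analyzer tool). It follows `include:` and `redirect=` terms recursively, because the ESP's record is often reached through a customer-owned intermediate name. The TXT records, the `.example` domains and the function names are constructed; in practice `lookup` would be a DNS TXT query.

```python
# Constructed TXT records standing in for DNS answers (no real lookups are made).
TXT = {
    "brand.example": "v=spf1 include:_spf.brand.example include:spf.protection.outlook.com -all",
    "_spf.brand.example": "v=spf1 include:sendgrid.net ip4:192.0.2.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
}
# Include targets named on this page, mapped to the platform they indicate.
ESP_INCLUDES = {"sendgrid.net": "SendGrid",
                "spf.protection.outlook.com": "Microsoft Exchange Online"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms per SPF evaluation at 10

def spf_includes(domain, lookup, seen=None):
    """Return every domain reached via include:/redirect=, in discovery order."""
    seen = [] if seen is None else seen
    record = lookup(domain) or ""
    if not record.lower().startswith("v=spf1"):
        return seen  # no SPF record published for this name
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier, if any
        if term.startswith("include:"):
            target = term[len("include:"):]
        elif term.startswith("redirect="):
            target = term[len("redirect="):]
        else:
            continue
        # Skip names already visited (include loops) and stop at the lookup cap.
        if target in seen or len(seen) >= MAX_LOOKUPS:
            continue
        seen.append(target)
        spf_includes(target, lookup, seen)
    return seen

def platforms_from_spf(domain, lookup=TXT.get):
    """Platforms whose known include target appears anywhere in the SPF tree."""
    reached = spf_includes(domain, lookup)
    return sorted({ESP_INCLUDES[d] for d in reached if d in ESP_INCLUDES})
```

An include only shows that the domain authorises that platform to send, not that a given message came from it, so confirm against the message's own headers.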

Key considerations

  • Read Headers Bottom-Up: 'Received' headers are listed newest first, so always read them from the bottom up, as the initial 'Received' header (at the bottom) typically reveals the actual sender's IP address and hostname.
  • Perform Lookups: Utilize reverse DNS lookups for IP addresses and 'whois' lookups for hostnames found in the 'Received' headers to trace their origin to a specific cloud provider, email service, or large ESP.
  • Outbound SMTP Differences: Be aware that the outbound server IP may not accept inbound SMTP connections, and the hostname might have a different MX record than the one used for sending.
  • Proprietary Headers: Look for specific, proprietary headers (e.g., X-SES-Signature for Amazon SES, X-SG-ID for SendGrid) that certain platforms add, as their presence can immediately confirm the sending service.
  • Direct Inquiry: If feasible and appropriate, directly asking the sender or client about their email sending platform can be the most straightforward method.
  • Not Always Direct: While many clues exist, some email configurations or generic server setups may not provide an immediate, clear identifier of the sending platform, requiring a more investigative approach.

What email marketers say

12 marketer opinions

To determine an email's sending platform, a meticulous examination of its full headers is paramount. While the 'Received' headers offer a chronological pathway of servers, and 'Authentication-Results' headers reveal platform-specific domains through SPF and DKIM records, other header fields provide additional insights. The 'X-Mailer' header, when present, can explicitly name the sending software, and the domain within the 'Message-ID' often points to the originating server. Many large Email Service Providers also require their SPF records to be included in the sender's domain, acting as a clear identifier. Furthermore, some platforms, like SendGrid, embed distinctive hostnames in 'Received' headers or add custom headers for tracking. Utilizing online header analyzer tools can greatly simplify this process, as they parse complex data and perform necessary lookups, making platform identification more efficient.

Key opinions

  • Comprehensive Header Analysis: Beyond the most common headers, a thorough review of all available headers, including 'List-Unsubscribe' for potential clues, is essential for a complete picture of the sending platform.
  • 'Received' and 'Authentication-Results' are Primary: These headers consistently provide the most direct paths to identifying the sending infrastructure through IP addresses, hostnames, and specific domains associated with SPF, DKIM, and DMARC.
  • Service-Specific Indicators: Major Email Service Providers often leave recognizable footprints, such as unique hostnames in 'Received' headers (e.g., 'ismtpd.sendgrid.net'), proprietary custom headers (e.g., 'X-SG-ID'), or explicit 'include' statements in the sender's SPF record.
  • 'X-Mailer' and 'Message-ID' Insights: The 'X-Mailer' header can sometimes directly name the software used, while the domain part of the 'Message-ID' often corresponds to the sending server or platform, providing an additional investigative avenue.
  • Automated Analyzer Tools: Online tools like MXToolbox's header analyzer streamline the process by parsing complex headers, performing reverse DNS lookups, and cross-referencing information against known ESPs, significantly simplifying platform identification.

Key considerations

  • Full Header Access is Critical: Obtaining the complete, raw email headers is the absolute first step and is indispensable for accurate diagnosis and tracing of the sending platform.
  • Read 'Received' Headers Bottom-Up: 'Received' headers are listed newest first, so always interpret them from the bottom up, as the first entry (at the bottom) typically indicates the immediate sender's server or Email Service Provider.
  • Utilize Lookup Tools: Perform reverse DNS lookups on IP addresses and 'whois' lookups on hostnames found in headers to uncover the ownership and potential affiliation with an ESP or cloud provider.
  • Direct Server Communication: For advanced investigation, consider using tools like telnet to directly connect to mail server IPs on port 25 to gather information.
  • Outbound Server Nuances: Be aware that the IP address of the outbound mail server might not accept inbound connections, and its hostname could have a different MX record, complicating direct queries.
  • Consider Direct Inquiry: If circumstances allow, simply asking the client or sender about their email sending platform can be the most straightforward and fastest method.

Marketer view

Marketer from Email Geeks explains that the provided List-Unsubscribe header format does not look like a PowerMTA deployment and suggests checking GreenArrow's documentation for clues.

27 Jan 2023 - Email Geeks

Marketer view

Marketer from Email Geeks explains that full email headers are crucial for identifying the email platform. They suggest using mxtoolbox.com/diagnostic.aspx or telnet to an IP address or host on port 25 to talk to the mail server, providing examples for Google Mail and Postfix.

9 Jul 2023 - Email Geeks

What the experts say

2 expert opinions

Identifying an email's sending platform primarily relies on a deep dive into its full header information. Experts highlight the 'Received' headers as fundamental, illustrating the email's chronological journey and often revealing the sending server's IP address and hostname. Crucial insights also come from the 'Authentication-Results' header, which frequently contains domains linked to the sender's SPF and DKIM configurations, thereby signaling the specific Email Service Provider. Furthermore, fields like the 'Return-Path' can disclose the ESP's bounce handling domain, while the 'Message-ID' might carry internal identifiers of the sending system, all contributing to a clearer picture of the email's origin.

Key opinions

  • Tracing Via 'Received' Headers: The 'Received' headers are paramount for identifying the sending platform, as they map the email's path and typically include the IP address and hostname of the originating server or Email Service Provider.
  • Authentication Results Reveal ESPs: Analysis of the 'Authentication-Results' header, specifically the domains used for SPF and DKIM, often points directly to the infrastructure of the email sending platform or ESP.
  • 'Return-Path' for Bounce Domain: The 'Return-Path' header frequently contains the domain used by the Email Service Provider for bounce processing, offering a strong clue about the sending platform.
  • 'Message-ID' for System Identifiers: The 'Message-ID' header can sometimes include unique identifiers that directly link back to the specific email sending system or platform.

Key considerations

  • Reverse Chronological Reading: 'Received' headers are listed in reverse chronological order, so always read them from the bottom up, as the bottom-most 'Received' header (the first one added chronologically) usually indicates the initial sending server.
  • IP and Hostname Investigation: Utilize the IP addresses and hostnames found in 'Received' headers to perform reverse DNS lookups and 'whois' queries, helping to associate them with known ESPs or cloud providers.
  • Cross-Referencing Headers: Combine information from multiple headers, such as 'Received,' 'Authentication-Results,' 'Return-Path,' and 'Message-ID,' to build a comprehensive understanding and confirm the sending platform.

Expert view

Expert from Spam Resource explains that the 'Received' headers in an email are crucial for determining the sending platform, as they show the path the email took and often include the IP address and hostname of the sending server or ESP. Other headers like 'Authentication-Results' can also point to domains associated with the sender.

30 Apr 2024 - Spam Resource

Expert view

Expert from Word to the Wise explains that email headers contain vital clues for identifying the sending platform. Specifically, the 'Received' headers provide a trail of servers and their IP addresses, allowing you to trace the email's origin. The 'Message-ID' can sometimes contain identifiers of the sending system, and the 'Return-Path' often points to the ESP's bounce processing domain. 'Authentication-Results' also reveal domains used by the sender for SPF/DKIM.

20 Oct 2023 - Word to the Wise

What the documentation says

4 technical articles

Uncovering an email's sending platform is best achieved through a detailed analysis of its comprehensive headers. Key sections like the 'Received' headers offer a traceable path through server IP addresses and hostnames, with reverse DNS lookups often clarifying the origin. The 'Authentication-Results' header is also highly informative, as the domains within its SPF, DKIM, and DMARC results frequently point to the sending platform's infrastructure. Specific proprietary headers, such as those found in emails from Amazon SES, can immediately confirm the platform. Additionally, the 'Return-Path' header often contains an address linked to the sender's infrastructure, further aiding in identification. Tools like Microsoft's Message Header Analyzer simplify this investigative process by parsing data and highlighting crucial origin details.

Key findings

  • Foundational Header Analysis: The 'Received' and 'Authentication-Results' headers continue to be paramount. They offer crucial details on IP addresses, hostnames, and authentication domains (SPF, DKIM, DMARC) that frequently point directly to the sending platform's infrastructure.
  • Proprietary Header Identifiers: Specific email sending platforms often include unique, proprietary headers, such as AWS's 'X-SES-Signature' or 'X-SES-Configuration-Set,' which immediately confirm the platform in use, even if other headers are generic.
  • Return-Path and Infrastructure: Reviewing the 'Return-Path' header is highly indicative, as it typically contains an address belonging to the email sending platform's infrastructure, particularly its bounce management system.
  • IP and Hostname Scrutiny: Close examination of IP addresses and hostnames within 'Received' headers, coupled with reverse DNS resolution, can unveil the underlying domains of major Email Service Providers or cloud services.
  • Tool-Assisted Identification: Leveraging specialized tools, like Microsoft's Message Header Analyzer, streamlines the process by parsing complex header information and highlighting critical details about the email's origin and authentication status, significantly aiding platform identification.

Key considerations

  • Leverage Header Analyzer Tools: Utilize dedicated email header analyzer tools to efficiently parse complex header information and automatically identify key indicators such as IP addresses, hostnames, and authentication results, simplifying the determination of the sending platform.
  • Prioritize Proprietary Headers: Always check for proprietary headers, for example, 'X-SES-' headers for AWS SES, as their presence provides the most direct and unmistakable confirmation of the sending platform.
  • Cross-Reference All Clues: Synthesize insights from multiple header fields, including 'Received,' 'Authentication-Results,' and 'Return-Path,' to build a comprehensive and accurate picture of the email's origin and sending service.
  • IP and Hostname Lookup Importance: Thoroughly perform reverse DNS lookups on IP addresses and 'whois' queries on hostnames found in the 'Received' headers to trace their ownership back to specific Email Service Providers or cloud providers.
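
The cross-referencing described above, as an added example (not code from this page or from any of the tools it names). It reads 'Received' hops oldest-first and matches header names and domains from 'Return-Path', 'Message-ID' and 'Authentication-Results' against a small fingerprint table. The table uses only identifiers named on this page; the sample message, its addresses and the function names are constructed.

```python
import re
from email import message_from_string

# Fingerprints use only identifiers named on this page (illustrative, incomplete).
DOMAIN_HINTS = {"sendgrid.net": "SendGrid", "protection.outlook.com": "Microsoft Exchange Online"}
HEADER_HINTS = {"x-sg-id": "SendGrid", "x-ses-signature": "Amazon SES",
                "x-ses-configuration-set": "Amazon SES"}

def domain_hint(name):
    """Suffix-match a hostname or domain against DOMAIN_HINTS; None if unknown."""
    name = name.lower().rstrip(".")
    return next((p for sfx, p in DOMAIN_HINTS.items()
                 if name == sfx or name.endswith("." + sfx)), None)

def received_hops(msg):
    """(hostname, ip) per Received header, oldest hop (bottom of the list) first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        # HELO name after "from" is sender-supplied; confirm via reverse DNS of the IP.
        host = re.search(r"\bfrom\s+(\S+)", raw)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", raw)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops

def identify(raw_message):
    """Return [(evidence, platform)] for each header clue matching a fingerprint."""
    msg = message_from_string(raw_message)
    found = [(k, HEADER_HINTS[k.lower()]) for k in msg.keys() if k.lower() in HEADER_HINTS]
    auth = " ".join(msg.get_all("Authentication-Results", []))
    clues = {
        "Received": [h for h, _ in received_hops(msg) if h],
        "Return-Path": [msg.get("Return-Path", "").strip("<> ").rpartition("@")[2]],
        "Message-ID": [msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]],
        "Authentication-Results":
            re.findall(r"(?:header\.d|smtp\.mailfrom)=(?:[^\s;]*@)?([\w.-]+)", auth),
    }
    for source, names in clues.items():
        found += [(f"{source}: {n}", domain_hint(n)) for n in names if domain_hint(n)]
    return found

# Constructed sample (documentation IP ranges, .example domains; not a real capture).
SAMPLE = """\
Received: from mail.recipient.example ([192.0.2.10]) by store.recipient.example; Tue, 02 Jan 2024 10:00:02 +0000
Received: from ismtpd.sendgrid.net ([198.51.100.25]) by mail.recipient.example; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mail.recipient.example; spf=pass smtp.mailfrom=bounces@sendgrid.net; dkim=pass header.d=brand.example
Return-Path: <bounces@sendgrid.net>
Message-ID: <abc123@ismtpd.sendgrid.net>
X-SG-ID: constructed-value
"""
```

Only hops recorded by servers you trust are reliable; 'Received' lines added before them are written by the sender and can be forged, so weigh agreement across several independent clues rather than any single match.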

Technical article

Documentation from Microsoft Learn explains that Microsoft's Message Header Analyzer tool parses email headers, especially the "Received" and "Authentication-Results" sections, to provide insights into the email's origin, IP addresses, and authentication status (SPF, DKIM, DMARC), which can help identify the sending platform, particularly for emails originating from or passing through Microsoft's own services like Exchange Online.

9 Mar 2023 - learn.microsoft.com

Technical article

Documentation from Cisco Talos Intelligence Group's guide on email headers emphasizes that security analysts can determine the sending platform by scrutinizing "Received" headers for IP addresses and hostnames. These are often reverse-DNS resolved to reveal domains belonging to large ESPs, and the presence of specific proprietary headers or mail server banners can also serve as direct identifiers.

12 Jun 2025 - talosintelligence.com
