How to determine an email sending platform from email headers or server information?
Matthew Whittaker
Co-founder & CTO, Suped
Published 6 May 2025
Updated 19 Aug 2025
Understanding the origins of an email, specifically which platform was used to send it, is a critical skill for anyone involved in email deliverability, security, or compliance. Whether you are troubleshooting a deliverability issue, investigating a suspicious email, or simply trying to map out a company's email infrastructure, the clues are often hidden in plain sight within the email's metadata. We often think of an email as just the subject, sender, and body, but the real story lies in the email headers and associated server information. These elements provide a detailed trail of every server an email has traversed on its journey to the recipient's inbox.
Email headers act like a digital passport, stamped at each point of transit. By learning how to read and interpret these stamps, we can uncover a wealth of information about the sending source, including the specific email sending platform or mail transfer agent (MTA) used. This information can be invaluable for diagnosing issues, verifying legitimate senders, and understanding the complete journey of a message.
Decoding email headers to identify sending platforms
Email headers are a collection of metadata fields found at the top of every email message. While most email clients only show a simplified view, the full headers contain detailed routing information, authentication results, and other technical specifics. These headers are added sequentially as the email passes through various mail servers, with the most recent headers (from the final receiving server) appearing at the top and the oldest headers (from the originating server) at the bottom.
The most crucial header for identifying the sending platform is the Received header. Every time a mail server receives an email, it prepends a Received header, noting the sender, recipient, date, time, and crucially, the IP address and hostname of the previous server it received the email from. To trace the origin, you should read these headers from bottom to top, as the very first Received header (at the very bottom of the full headers) typically points to the server that initially sent the email.
Other valuable headers include Return-Path, which indicates where bounce messages should be sent, and Message-ID, a unique identifier for the email often generated by the sending system. Less common but still helpful are X-Mailer or X-Originating-IP headers, which sometimes explicitly name the sending software or initial client IP address. However, these X- headers are non-standard and their presence and content vary widely.
The List-Unsubscribe header can also be a strong indicator. Many email service providers (ESPs) and marketing automation platforms implement this header with a specific format or domain, which can often reveal the platform being used. This is especially true for transactional emails or newsletters where a standardized unsubscribe mechanism is expected.
Example email headers (simplified)
```text
Received: from mail-pj1-f67.google.com (mail-pj1-f67.google.com [209.85.216.67])
        by mx.google.com with SMTPS id a1sf12345678qkf.123.2023.10.26.12.34.56
        for <recipient@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 26 Oct 2023 12:34:56 -0700 (PDT)
Received: from sending-platform.example.net (sending-platform.example.net [192.0.2.100])
        by mail-pj1-f67.google.com with ESMTPS id xyz.123.456
        for <recipient@example.com>;
        Thu, 26 Oct 2023 12:34:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=s1;
        h=from:to:subject:date:message-id:mime-version:content-type:content-transfer-encoding;
        bh=HASHSTRINGHERE;
        b=SIGNATURESTRINGHERE
```
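The bottom-to-top reading described above, as an added Python example (not code from the original article): it parses the Received chain, marks which hops were actually recorded by the receiver's own servers, and extracts the DKIM d= domain. The own_suffixes parameter, the function names and the third Received line in the sample are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample based on the simplified headers above; the bottom
# Received line is invented to show a hop that no trusted server recorded.
SAMPLE = (
    "Received: from mail-pj1-f67.google.com (mail-pj1-f67.google.com [209.85.216.67])\n"
    "\tby mx.google.com with SMTPS id a1sf12345678qkf; Thu, 26 Oct 2023 12:34:56 -0700\n"
    "Received: from sending-platform.example.net (sending-platform.example.net [192.0.2.100])\n"
    "\tby mail-pj1-f67.google.com with ESMTPS id xyz.123.456; Thu, 26 Oct 2023 12:34:55 -0700\n"
    "Received: from app01.internal.example (app01.internal.example [198.51.100.7])\n"
    "\tby sending-platform.example.net with ESMTP id abc; Thu, 26 Oct 2023 12:34:54 -0700\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=s1;\n"
    "\tbh=HASHSTRINGHERE; b=SIGNATURESTRINGHERE\n"
    "From: news@example.org\n\nbody\n"
)

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\).*?\bby\s+(?P<by>[^\s;]+)", re.S)

def _ours(host, suffixes):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def trace_hops(raw, own_suffixes):
    """Parse Received headers and return hops oldest-first (bottom-up).
    'observed' is True only for hops written by the receiver's own servers;
    everything older than the external handoff is sender-supplied text."""
    msg = message_from_string(raw)
    hops, inside = [], True
    for value in msg.get_all("Received", []):      # newest header first
        m = HOP.search(value)
        if not m:
            continue
        hop = dict(m.groupdict(), observed=inside)
        if inside and not _ours(hop["rdns"], own_suffixes):
            inside = False                         # external handoff found
        hops.append(hop)
    return hops[::-1]

def dkim_domains(raw):
    """Collect the d= domain of every DKIM-Signature header."""
    sigs = message_from_string(raw).get_all("DKIM-Signature", [])
    return [m.group(1).lower() for m in (re.search(r"\bd=([^;\s]+)", s) for s in sigs) if m]

def handoff_ip(raw, own_suffixes):
    """IP of the oldest hop that a trusted server actually recorded."""
    return next(h["ip"] for h in trace_hops(raw, own_suffixes) if h["observed"])
```

With `own_suffixes=("google.com",)` the handoff IP for the sample is 192.0.2.100; the older 198.51.100.7 line is reported but flagged as not observed, because the sending side wrote it.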
How to access full email headers
The method for viewing full email headers varies depending on your email client. Here are common ways to access them:
Gmail: Open the email, click the three dots next to the reply arrow, and select Show original. You can read more in the Gmail Help Center.
Outlook: Double-click the email to open it in a new window. Go to File > Properties, then view the Internet headers section. Microsoft provides a guide on viewing internet message headers in Outlook.
Other Clients: Look for options like View Source, Show Original, or Message Options in the email's menu or properties.
Utilizing server information and DNS records
While email headers offer initial insights, combining this with server information can paint a clearer picture of the sending infrastructure. The IP addresses found in the Received headers are a key starting point. Performing a reverse DNS lookup (PTR record query) on these IPs can reveal the hostname associated with the IP, which sometimes explicitly names the service provider.
Reverse DNS lookup example
```bash
nslookup -type=ptr 209.85.216.67
67.216.85.209.in-addr.arpa name = mail-pj1-f67.google.com.
```
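A PTR record is published by whoever controls the IP block, so the hostname it returns is stronger evidence once it also resolves forward to the same address. The added Python example below (not from the original article) performs that forward-confirmed check; the injectable ptr/forward resolvers, the function names and the lookup tables are constructed so it runs without network access.

```python
import ipaddress
import socket

def ptr_name(ip):
    """Query name used for the PTR lookup, e.g. 67.216.85.209.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def _system_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def _system_forward(host):
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def confirmed_hostnames(ip, ptr=_system_ptr, forward=_system_forward):
    """Return PTR hostnames for ip that also resolve forward to ip.
    A name that does not resolve back is a claim made by the IP owner,
    not evidence of which provider runs the server."""
    want = ipaddress.ip_address(ip)
    good = []
    for host in ptr(ip):
        host = host.rstrip(".").lower()
        if any(ipaddress.ip_address(a) == want for a in forward(host)):
            good.append(host)
    return good

# Constructed lookup tables (not real DNS answers) for an offline run.
FAKE_PTR = {"209.85.216.67": ["mail-pj1-f67.google.com."],
            "192.0.2.100": ["smtp.bigprovider.example."]}   # owner-set, misleading
FAKE_A = {"mail-pj1-f67.google.com": {"209.85.216.67"},
          "smtp.bigprovider.example": {"203.0.113.9"}}

def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return confirmed_hostnames(ip, lambda i: FAKE_PTR.get(i, []),
                               lambda h: FAKE_A.get(h, set()))
```

Calling `confirmed_hostnames(ip)` with no resolver arguments uses the system resolver instead of the tables.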
Another powerful technique involves querying the Mail Exchanger (MX) records for the sender's domain. MX records specify which mail servers are responsible for accepting email messages on behalf of a domain. While this doesn't directly tell you the sending platform for outbound email, it can indicate the primary email infrastructure a domain uses. For example, if a domain's MX records point to Google's or Microsoft's mail exchangers, it suggests the domain is likely using Google Workspace or Microsoft 365, respectively. You can learn more about how to identify the SMTP provider from an MX record in our knowledge base.
For self-hosted or less common setups, a direct telnet connection to the IP address on port 25 can reveal the SMTP banner. This banner often explicitly states the Mail Transfer Agent (MTA) software, such as Postfix, Exim, or PowerMTA, giving you direct insight into the underlying sending technology.
Telnet example to identify SMTP server
```bash
telnet alt3.aspmx.l.google.com 25
Trying 173.194.66.26...
Connected to alt3.aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP d4si87894qkf.248 - gsmtp
ehlo alt3.aspmx.l.google.com
250-mx.google.com at your service, [138.68.229.164]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
quit
221 2.0.0 closing connection d4si87894qkf.248 - gsmtp
```
Challenges in identification
Obfuscated headers: Some platforms or malicious senders may intentionally remove or alter headers to hide their origin.
Shared IPs: Many ESPs use shared IP addresses, meaning multiple clients send from the same IP. This makes it harder to pinpoint a specific client within that platform. You can check which companies are sharing your IP address.
Generic hostnames: Some servers may use generic hostnames that don't immediately reveal the provider.
Intermediate servers: Emails might pass through several intermediate servers or proxies before reaching the recipient, complicating the trace back to the original sender. The reputation implications of intermediate sending platform IPs are important.
Solutions and best practices
Cross-referencing: Compare information from multiple headers and external lookups to build a more complete picture.
WHOIS lookup: Use WHOIS tools on IP addresses or domains to find registration details that might hint at the provider.
Asking the client: Sometimes the simplest solution is to ask the client directly about their sending infrastructure. This is often the quickest and most accurate way to identify all company mail streams.
Common clues and advanced techniques
Beyond technical headers and server lookups, several common clues can point to specific email sending platforms. Many ESPs inject proprietary headers, specific List-Unsubscribe formats, or unique Message-ID patterns. For instance, a List-Unsubscribe header containing .mktg.email might suggest a specific marketing automation platform, or @sendgrid.net in the Received header would clearly indicate SendGrid.
Authentication headers, particularly Authentication-Results, also offer clues. This header details the results of SPF, DKIM, and DMARC checks. For example, a DKIM signature with a d= tag pointing to a specific ESP's domain, like d=mailgun.org, can confirm the use of Mailgun, even if the Received headers show generic IPs. Understanding these authentication mechanisms is key to identifying email sending vendors for DMARC enforcement.
It is also worth noting that some email sending platforms, especially large commercial ones, may have their IP ranges listed on public blocklists or blacklists (or DNSBLs). While being on a blacklist is generally a negative indicator for deliverability, it can sometimes inadvertently confirm the use of a particular ESP if their shared IP ranges are widely known to be associated with them. Familiarity with common types of email blocklists can aid in this deduction.
Best practices for identifying email platforms
Layer your analysis: Don't rely on a single header. Combine information from Received, Return-Path, Message-ID, and authentication headers.
IP reputation and WHOIS: Perform WHOIS lookups on IP addresses to identify their owning organization. Often, large ESPs own specific IP blocks.
Observe patterns: Over time, you'll recognize common header structures and IP ranges associated with popular email platforms. This can help you understand why Cheetah Digital emails have different headers, for example.
Many email service providers have distinct patterns in their email headers that can give away their identity. While these are not always definitive, they serve as strong indicators. Here's a brief table outlining some common clues you might find:
| Platform | Common header clues | Example IP ranges / Hostnames |
| --- | --- | --- |
| SendGrid | X-SG-EID, X-SG-ID, Received: by ismtpd.sendgrid.net | o1.sgx.sendgrid.net, 167.89.x.x, 149.72.x.x |
| Mailgun | X-Mailgun-*, Received: by mxa.mailgun.org (or similar) | mxa.mailgun.org, 192.237.x.x, 166.78.x.x |
| AWS SES | X-SES-*, Received: from email-smtp.amazonaws.com | email-smtp.amazonaws.com, 54.240.x.x |
| Microsoft 365 | Authentication-Results: spf=pass (sender IP is X.X.X.X) smtp.mailfrom=domain.com; Received: from NAMPRX.PROD.OUTLOOK.COM | *.prod.outlook.com, IP ranges often vary by region |
By understanding these header patterns and combining them with IP and DNS lookups, you can often identify the email sending platform even when it's not immediately obvious.
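The layered matching recommended above, as an added Python example (not code from the original article or from any of the named platforms): it checks a message against the header clues in the table plus the Mailgun d= example, and names a platform only when two independent kinds of evidence agree. The CLUES structure, the function names, the min_kinds threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

def dom(d):
    """Regex for domain d or a subdomain, rejecting look-alikes such as d.evil.example."""
    return rf"(?<![\w-]){re.escape(d)}(?![\w.-])"

# Clues from the table and the Mailgun DKIM example above:
# (evidence kind, header-name regex, value regex).
CLUES = {
    "SendGrid": [("x-header", r"X-SG-E?ID", ""), ("received", "Received", dom("sendgrid.net"))],
    "Mailgun": [("x-header", r"X-Mailgun-.+", ""), ("received", "Received", dom("mailgun.org")),
                ("dkim", "DKIM-Signature", r"\bd=\s*" + dom("mailgun.org"))],
    "AWS SES": [("x-header", r"X-SES-.+", ""),
                ("received", "Received", dom("email-smtp.amazonaws.com"))],
    "Microsoft 365": [("received", "Received", dom("prod.outlook.com"))],
}

def fingerprint(raw):
    """Map each platform to the sorted evidence kinds found in the headers."""
    msg = message_from_string(raw)
    hits = {}
    for platform, clues in CLUES.items():
        for kind, name_re, value_re in clues:
            if any(re.fullmatch(name_re, n, re.I) and re.search(value_re, v, re.I)
                   for n, v in msg.items()):
                hits.setdefault(platform, set()).add(kind)
    return {p: sorted(k) for p, k in hits.items()}

def verdict(raw, min_kinds=2):
    """Name a platform only when min_kinds independent kinds of evidence agree;
    a lone X- header is sender-supplied and easy to copy."""
    ranked = sorted(fingerprint(raw).items(), key=lambda kv: -len(kv[1]))
    if not ranked:
        return "unknown", []
    platform, kinds = ranked[0]
    return (platform if len(kinds) >= min_kinds else "unconfirmed: " + platform), kinds

# Constructed messages: one with two agreeing clues, one with only an X- header.
STRONG = ("Received: by ismtpd.sendgrid.net with SMTP id constructed-1\n"
          "X-SG-EID: constructedvalue\nFrom: a@example.org\n\nbody\n")
WEAK = ("Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
        "\tby mx.example.com with ESMTPS id constructed-2\n"
        "X-Mailgun-Sid: constructedvalue\nFrom: b@example.org\n\nbody\n")
```

A d= match in DKIM-Signature carries weight only when the receiver's Authentication-Results header reports dkim=pass for that signature.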
Views from the trenches
Best practices
Always retrieve the full, raw email headers for the most comprehensive data.
Read "Received" headers from bottom-up to trace the email's true origin.
Perform reverse DNS lookups on source IP addresses from the "Received" headers.
Analyze DKIM signatures for domain alignment to identify the signing entity.
Common pitfalls
Relying only on the visible "From" address which can be easily forged.
Misinterpreting intermediate mail server headers as the originating sender.
Overlooking generic IP addresses or hostnames that hide larger providers.
Ignoring the "Return-Path" header, which can reveal the bounce handling system.
Expert tips
Use online email header analyzers to parse and simplify complex headers.
Keep a log of known ESP IP ranges and header patterns for quick identification.
Combine header analysis with a quick web search for obscure hostnames or domains.
If possible, send a test email from the suspected platform to confirm its headers.
Marketer view
A marketer from Email Geeks says that to identify the client's terrible email platform, looking at the full headers is crucial because partial headers are rarely sufficient for a complete analysis.
2018-12-21 - Email Geeks
Expert view
An expert from Email Geeks says that mail servers typically identify themselves when you connect to them via telnet on port 25, which is a traditional way to test an SMTP server and often reveals the MTA software.
2018-12-23 - Email Geeks
Uncovering the email's origin
Identifying an email sending platform from its headers and server information is a skill that blends technical knowledge with investigative techniques. While no single clue provides a definitive answer every time, a methodical approach combining header analysis, DNS lookups, and SMTP banner queries will significantly improve your ability to pinpoint the origin of an email. This expertise is vital for maintaining good sender reputation, mitigating security risks, and ensuring your messages reach their intended recipients.
Understanding where an email comes from can help you debug deliverability issues, identify spam sources, or even confirm if a legitimate sender is using the correct infrastructure. The more you practice reading these hidden parts of an email, the quicker you will become at uncovering the platform behind the message.