Every email message has two parts: the body you read and the headers you usually never see. Receiving mail servers and spam filters read the headers carefully and decide inbox vs spam mostly based on what they find there. Understanding headers is the fastest way to debug a deliverability problem.
How to view raw headers
In Gmail: open a message, click the three-dot menu, "Show original". In Outlook: open a message, File → Properties → Internet Headers. In Apple Mail: View → Message → Raw Source.
You will see a few dozen lines of Header-Name: value. Most are noise. A handful are critical.
The headers that matter most
Authentication-Results
The receiving server's summary of SPF, DKIM, and DMARC checks.
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com header.s=selector1 header.b=abc123;
spf=pass (google.com: domain of you@yourdomain.com designates 1.2.3.4 as permitted sender)
smtp.mailfrom=you@yourdomain.com;
dmarc=pass (p=quarantine sp=quarantine dis=none)
header.from=yourdomain.comYou want all three to say pass. Any fail is a deliverability problem.
Received
The path the message took from sender to receiver. Read bottom-up. Each hop shows server, IP, time.
For deliverability debugging: look at the IP in the first received hop. Run it through MXToolbox to confirm it is not blocklisted.
From, Reply-To, Return-Path
- From: what the user sees.
- Reply-To: where replies go (optional).
- Return-Path: where bounces go.
Mismatch between From and Return-Path is a soft spam signal. Modern ESPs handle this correctly by default.
List-Unsubscribe and List-Unsubscribe-Post
Required by Gmail and Yahoo for bulk senders. Provides the one-click unsubscribe header. Missing? Your mail is more likely to spam.
List-Unsubscribe: <mailto:unsubscribe@yourdomain.com>, <https://yourdomain.com/unsub/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-ClickX-Spam-Score
Some receiving servers add their internal spam scoring as a header. Not visible from the outside but useful if your IT runs SpamAssassin or a similar engine.
The spam filter's checklist
A typical receiving filter looks at headers and asks:
- Does SPF pass?
- Does DKIM pass?
- Does DMARC pass?
- Is the sending IP on a blocklist?
- Is the sending domain on a domain blocklist?
- Does the From align with DKIM signing domain?
- Are List-Unsubscribe headers present (for bulk volume)?
- Is the content unusual for this sender?
Every "no" subtracts trust. Enough "no" and you land in spam.
Common header problems
- SPF fails for a forwarded message. SPF checks the source IP; forwarding rewrites that. Use ARC (Authenticated Received Chain) if you forward heavily.
- DKIM signature broken by ESP modification. Some ESPs change the body for personalization after signing. Sign after personalization, not before.
- DMARC fails because From and DKIM domain do not align. Common when sending from a subdomain. Adjust SPF and DKIM to match the From domain exactly.
- Missing List-Unsubscribe. If you send bulk, this is mandatory in 2024+.
FAQ
Can a receiver fake the Authentication-Results header?
The receiving server adds the header on receipt, so it cannot be faked by the sender. Trust the recipient's auth result over your own.
Do I need to read every message's headers?
No. Sample a few when investigating a deliverability problem. Use Postmaster Tools or DMARC reports for aggregate visibility.
Headers tell you why you bounced
When a message lands in spam, the receiver's Authentication-Results header tells you what failed. Fix that one thing. List hygiene handles the bounce-rate factor independently.