Forward an email to a friend and they see the message, the sender, and the date. Right-click that same email, hit “View source” or “Show original”, and you get something else entirely: forty or fifty lines of metadata that quietly tagged along with your message. Most people never look at this part. Most people would be uncomfortable with what is in there.
Email headers are the envelope of email. They are also the most reliable source of accidental information leakage in modern digital communication, because nobody designs around them and most users never see them.
This guide walks through what is actually in your headers, what a stranger can piece together from a single email you sent, and what you can do about it without becoming paranoid.
What Email Headers Are
Every email message is split into two parts: the body, which is what you typed, and the headers, which are everything else. Headers are key-value pairs that the mail servers along the route use to do their job. From, To, Subject, Date, and Reply-To are the ones most users recognize. The interesting ones are the others.
A typical message header runs 30 to 80 lines. Some are written by your mail client when you hit send. Some are added by your mail server. Some are added by every mail server the message passes through on its way to the recipient. Each line is a small piece of forensic evidence.
A simplified example of what a recipient might see:
Return-Path: <jane.doe@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.42])
    by mx.recipient.com with ESMTPS;
    Wed, 04 Mar 2026 09:14:22 +0100 (CET)
Received: from MacBook-Pro.local (cust-abc.broadband-isp.net [198.51.100.27])
    by mail.example.com with ESMTPSA;
    Wed, 04 Mar 2026 09:14:21 +0100 (CET)
Message-ID: <a1b2c3d4@example.com>
Date: Wed, 04 Mar 2026 09:14:20 +0100
From: Jane Doe <jane.doe@example.com>
To: alice@bigcorp.com
Cc: bob@bigcorp.com, charlie@partner.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0)
    Gecko/20100101 Thunderbird/128.5.0
X-Originating-IP: [198.51.100.27]
From those few lines, a curious recipient can extract a surprising amount.
What Actually Leaks
Your IP address
The most sensitive single piece of information in an email header is the IP address of the device that sent it. With the IP, anyone can run a WHOIS lookup, identify the broadband provider, and pinpoint the city. In dense urban areas, that is often accurate to within a few kilometers. Paired with public WiFi databases, it can be tighter than that.
When does your IP leak?
- You use a desktop mail client (Apple Mail, Outlook desktop, Thunderbird, Mailspring) and your mail provider does not strip the originating IP. Many do not.
- You use Outlook on the web with a Microsoft 365 account. Microsoft still writes an originating IP into outgoing headers as x-eip (encoded since 2012, but recoverable and visible enough to flag the rough origin).
- You use a small mail provider, a self-hosted server, or a corporate mail relay that does not consider header stripping a priority.
When does your IP not leak?
- You use Gmail through the web interface. Google has never written client IPs into outgoing headers, and only their own server IPs appear in the Received chain.
- You use ProtonMail, Tuta, or similar privacy-focused providers that strip originating IPs by policy.
Your time zone
Every Date and Received header includes a UTC offset like +0100 or -0500. That puts you in a strip of the world about 1,500 kilometers wide. Combine the time zone with the time you sent the email, and a recipient can often guess whether you were at home, at work, or awake at unusual hours.
Your mail client and its version
The User-Agent and X-Mailer headers tell the recipient exactly what software you used. Examples from real headers:
X-Mailer: Apple Mail (2.3774.500.171.1.1)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Thunderbird/128.5.0
X-Mailer: Microsoft Outlook 16.0
These reveal your operating system, your mail client, and often the exact version. Version numbers matter because they indicate whether you have applied recent security updates. For a targeted attacker, that is the first piece of reconnaissance.
The internal name of your machine
Look at the second Received header in the example above. The hostname MacBook-Pro.local was added by the sender’s mail server when it accepted the connection. That hostname is whatever the sending machine reports as its local name. Most macOS users never change the default, so the OS leaks through twice: once in the User-Agent, once in the hostname.
When you actually wrote the email
The Date header reflects when your mail client stamped the message. If you schedule an email to send at 9:00 AM but actually wrote it at 1:30 AM, some clients use the original composition time. Others use the send time. Either reveals something.
Everyone you cc’d
This one catches people out constantly. Recipients on the To and Cc fields are visible to every other recipient. Only Bcc entries are hidden. If you cc your boss and your boss’s boss on a sensitive thread, every recipient sees that you did.
Auth and routing breadcrumbs
The Received headers form a chain from sender to recipient. Each line shows a mail server IP, a hostname, and a timestamp. A clean corporate chain looks tidy. A residential chain leaks the broadband provider. A spam chain often shows hops through random hosting providers, which is exactly how phishing investigators identify suspicious mail.
How to View Your Own Headers
It is worth looking at a few of your own sent emails to see what you have been broadcasting.
- Gmail (web): Open the message, click the three dots in the top right, choose “Show original”.
- Outlook (web): Open the message, click the three dots, choose “View” then “View message source”.
- Apple Mail: Open the message, then View → Message → All Headers (or ⌥⌘U).
- Thunderbird: Open the message, then View → Message Source (or Ctrl+U).
- YouniqMail: Open the message and choose “Show source” from the message menu.
Send yourself an email from each device and client you use, then read what comes through. The result is usually a small shock.
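To make that self-check repeatable, here is an added example (not part of the original article) that reads the raw source of a message you sent and lists the leak categories described above. The sample is the constructed message from this guide, the names `audit_headers` and `flat` are hypothetical, and it assumes the earliest Received line records your own device, as in the sample; with a webmail provider that line names the provider's server instead.

```python
import email
import re
from email import policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: the simplified headers shown earlier in this article.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.42])
\tby mx.recipient.com with ESMTPS;
\tWed, 04 Mar 2026 09:14:22 +0100 (CET)
Received: from MacBook-Pro.local (cust-abc.broadband-isp.net [198.51.100.27])
\tby mail.example.com with ESMTPSA;
\tWed, 04 Mar 2026 09:14:21 +0100 (CET)
Date: Wed, 04 Mar 2026 09:14:20 +0100
From: Jane Doe <jane.doe@example.com>
To: alice@bigcorp.com
Cc: bob@bigcorp.com, charlie@partner.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0)
\tGecko/20100101 Thunderbird/128.5.0
X-Originating-IP: [198.51.100.27]
"""
# "from <reported name> (<reverse DNS> [<IP>])", as written by the accepting server
FIRST_HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f:.]+)\]\)")

def flat(value):  # collapse folded-header whitespace into single spaces
    return " ".join(str(value).split())

def audit_headers(raw):
    """Return a dict of the leak categories present in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaks = {}
    hops = msg.get_all("Received", [])
    # Servers prepend Received lines, so the last one is the sender's own hop.
    hop = FIRST_HOP.search(flat(hops[-1])) if hops else None
    if hop:
        leaks["client_hostname"], leaks["client_ip"] = hop.groups()
    if msg["X-Originating-IP"]:
        leaks["client_ip"] = flat(msg["X-Originating-IP"]).strip("[]")
    if msg["Date"]:
        leaks["utc_offset"] = parsedate_to_datetime(flat(msg["Date"])).strftime("%z")
    client = msg["User-Agent"] or msg["X-Mailer"]
    if client:
        leaks["mail_client"] = flat(client)
    shown = [flat(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    leaks["visible_recipients"] = [addr for _, addr in getaddresses(shown)]
    return leaks

if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

Paste the output of “Show original” for one of your own sent messages in place of `SAMPLE` to audit each client and device you use.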
What You Can Actually Do About It
You cannot strip every header without breaking email entirely. Some are required for the message to reach its destination. But you can reduce the surface meaningfully.
Choose your sending provider deliberately. If header privacy matters to you, Gmail, ProtonMail, Tuta, and Fastmail all strip originating IPs by default. Outlook.com and Microsoft 365 do not.
Be wary of desktop clients sending through small or self-hosted SMTP servers. A desktop client connecting through a privacy-conscious provider is fine. A desktop client connecting through a generic VPS with no header policy will leak your IP every time.
Use a VPN if you must use a leaking provider. This hides your home IP, but it shifts your trust to the VPN provider, who now sees the same outbound connections. It also does nothing about the User-Agent, hostname, or time zone leaks.
Disable or minimize identifying headers in your client. Most clients do not let you control the User-Agent, but some power-user clients (Thunderbird with the right config, command-line tools like mutt) let you suppress or override it.
Set your machine’s hostname to something generic. “John-MacBook-Pro” leaks more than “host”. This is a small change with disproportionate privacy benefit.
Use Bcc properly. When sending to a group that does not need to see each other, every address goes in Bcc, not To or Cc.
When Headers Actually Protect You
The same headers that leak information also do real security work, and stripping them indiscriminately is a bad idea.
SPF, DKIM, and DMARC results live in headers. They are how the receiving mail server proves a message came from where it claims to come from. Without them, phishing becomes much easier.
The Received chain is what abuse investigators use to trace phishing campaigns back to their source. If your account ever gets compromised, those breadcrumbs are how you reconstruct what happened.
Authentication headers also unlock features like BIMI, which displays your verified brand logo next to legitimate messages and helps recipients spot impersonation attempts.
The goal is not to nuke headers wholesale. The goal is to understand what is in them and decide consciously which leaks are acceptable.
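As an added example (not from the original article), the sketch below shows how those authentication results can be read on the receiving side. It assumes they arrive in the standard Authentication-Results header, which the article does not name, and it only believes copies stamped by your own receiving server, because any host along the way can write one. The message, hostnames, and function names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample. The second Authentication-Results line stands in for one
# that was written by some other host and must not be believed.
RAW = """\
Authentication-Results: mx.recipient.com;
\tspf=pass smtp.mailfrom=example.com;
\tdkim=fail header.d=example.com;
\tdmarc=fail header.from=example.com
Authentication-Results: mx.elsewhere.test; spf=pass; dkim=pass; dmarc=pass
From: Jane Doe <jane.doe@example.com>
To: alice@bigcorp.com

hello
"""
METHOD = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

def auth_results(raw, my_server):
    """Collect spf/dkim/dmarc results stamped by my_server only."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        # The text before the first ";" names the server that wrote the header.
        server, _, rest = " ".join(str(header).split()).partition(";")
        if server.lower().split()[:1] != [my_server.lower()]:
            continue  # written by a different host: ignore it
        for method, result in METHOD.findall(rest.lower()):
            found.setdefault(method, result)
    return found

def looks_authentic(raw, my_server):
    """True only when the trusted server recorded dmarc=pass."""
    return auth_results(raw, my_server).get("dmarc") == "pass"

if __name__ == "__main__":
    print(auth_results(RAW, "mx.recipient.com"))
    print(looks_authentic(RAW, "mx.recipient.com"))
```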
FAQ
Can I delete the headers from my outgoing emails?
You can edit some of them through your mail client’s settings, but most are added by mail servers along the route, not by your client. The User-Agent and a few others are within your control. The Received chain and Date are not.
Does a VPN hide everything in my headers?
No. A VPN changes the IP address that appears in the Received headers and in X-Originating-IP if your provider adds one. It does not change your time zone, your User-Agent, your machine’s hostname, or your recipient list.
Is Gmail private because it strips the IP?
Gmail is better than Microsoft 365 for IP privacy in headers. It is not private in any broader sense. Google still processes message content and metadata for product purposes. Header behavior is one privacy dimension, not the whole picture.
Why does Microsoft still include the originating IP when other providers do not?
Microsoft treats the originating IP as useful forensic data for abuse investigations and account recovery. The header is encoded (renamed x-eip and base64-encoded since 2012) but the information is still in there. You can disable it through Exchange mail flow rules on Microsoft 365 business accounts.
Can someone find my home address from an email I sent?
From the IP alone, usually no. Most residential IPs geolocate to a city or postal area, not a street address. Law enforcement can request precise subscriber data from the ISP, but ordinary recipients cannot. The risk is more about pattern matching: knowing you are at home versus at work, knowing your rough region, knowing the times you work.
Do encrypted emails (PGP, S/MIME) hide the headers?
No. End-to-end encryption protects the message body. The envelope, including headers, has to remain readable so mail servers can route the message. This is the same reason a sealed envelope still has a return address.