3 Ways to Find Email Header in Microsoft 365

In this blog post, I will show you 3 ways to find email headers in Microsoft 365. Email headers contain the technical routing and authentication details that you need for troubleshooting spam verdicts, delivery delays, redirects, spoofing, and transport rule behavior. In many support cases, Microsoft also asks for the full message header to validate what happened to the message as it traversed Exchange Online Protection and Microsoft Defender.

For example, I encountered an issue where emails sent by a partner company were marked as spam, while others were getting redirected to an internal email address. Analyzing the email message headers can help investigate such issues. I started my investigation by performing a message trace in the Exchange admin center > Mail flow > Message trace.

When you are using message trace to trace the email, you can narrow your search by specifying the sender and recipient email addresses or domain names. Select a time range, delivery status, and direction details, and click on Search. It will display the data on the dashboard, and you can click on each email to access more detailed information about the mail flow.

For instance, clicking on an email with the status FilteredAsSpam may provide further information, such as that the message was delivered to the Junk Email folder. However, you cannot view the message header from this interface, and the header is what you need for further analysis. In the next sections of this post, I will show you multiple ways to find email headers in Microsoft 365.

Message Trace results on Exchange online admin center

Message trace in the Exchange admin center is great for answering, “Was it delivered, and what was the final action?” But when you need to validate authentication results, intermediate hops, or detailed filtering markers, you typically require the raw header.

Option 1: Retrieve Email Header from Microsoft 365 Defender Portal

If the recipient cannot forward the email as an attachment, or you do not have direct access to their mailbox, the most reliable admin route is Microsoft 365 Defender. The modern experience is the email entity page, which contains the full header in a dedicated tab and lets you copy it cleanly.

To view the email message header, follow these steps:

  1. Sign in to the Microsoft 365 Defender portal (https://security.microsoft.com).
  2. Go to Email & Collaboration > Explorer.

Missing Explorer Option?

Please note that you will not see the Explorer option if you have a Microsoft Defender for Office 365 Plan 1 license. In that case, you will see the Real-time detections option instead.

  3. The screenshot below shows the Threat Explorer page. Microsoft has since renamed it to Explorer, but the steps to view email headers remain the same. Use the search filters to locate the email for which you want to view the message header.
Retrieve Email Message Headers via Microsoft 365 Defender Portal
  4. Click on the email for more details, then select View header. You can also click on Open email entity page, which allows copying email header information.
  5. Under the Plain-text email header tab, click Copy message header to copy the email message header information for further investigation.

Option 2: Retrieve Email Message Headers via Outlook on the Web

If you can access the message in Outlook on the web, you can pull the full message details (including headers) directly from the UI.

  • Sign in to Outlook on the web client (https://outlook.office365.com/mail/).
  • Find the email for which you need the email header information.
  • Right-click on the email and click on View > View message details.
Retrieve Email Message Headers via Outlook Web Client
  • You’ll find message details, which contain the email message header information. Copy all the text from Message details for further investigation and analysis.

Option 3: Retrieve Email Message Headers via Outlook (Classic)

If the user has the email in Outlook desktop (classic), the headers are available in the message properties window.

  1. Open the Outlook (Classic) app.
  2. Search for the email for which you require the header.
  3. Double-click on the email to open it.
  4. Once the email is open, go to File > Properties.
  5. Look for Internet headers and copy all the text from this textbox to a notepad. This contains the email header information for that email.
  6. You can use this email header information for further investigation and analysis to gather more details about the email flow. In the next section, I will show you how to analyze email headers.
Retrieve email header information from Outlook Desktop Client

How to Analyze Email Headers?

Now that you have obtained the email header information, it may be difficult to interpret the raw internet header data. You can use various email header analysis tools (shown below) to analyze email headers effectively. In the email header, look for the following information:

  • Authentication-Results / ARC-Authentication-Results: SPF, DKIM, DMARC outcomes
  • Received chain: hop-by-hop routing, unexpected relays
  • Microsoft filtering markers (examples): X-Forefront-Antispam-Report, X-Microsoft-Antispam, X-MS-Exchange-Organization-AuthAs, and similar fields.
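
The three header groups listed above can be pulled out of a copied header with a short script. This is an added example, not part of the original post or any Microsoft tool; the sample header, its host names and IPs, and the expected_domains list are constructed placeholders.

```python
import re
from email import message_from_string
# Constructed sample header (not a real message); hosts and IPs are placeholders.
SAMPLE = """\
Received: from mbx2.tenant.example (2001:db8::2) by mbx1.tenant.example
 (2001:db8::1) with HTTPS; Mon, 6 Jan 2025 10:00:05 +0000
Received: from relay.unknown.example (198.51.100.7) by mbx2.tenant.example
 (2001:db8::2) with Microsoft SMTP Server; Mon, 6 Jan 2025 10:00:03 +0000
Received: from mail.partner.example (203.0.113.10) by relay.unknown.example
 with ESMTPS; Mon, 6 Jan 2025 10:00:01 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=partner.example; dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=partner.example; compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:;LANG:en;SCL:5;SFV:SPM;CAT:SPM;DIR:INB;
"""

def auth_results(msg):
    """First spf/dkim/dmarc/compauth verdict found in Authentication-Results."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value):
            out.setdefault(mech, verdict)
    return out

def received_hops(msg):
    """(from_host, by_host) per hop, oldest first (each server prepends its line)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        frm, by = re.search(r"\bfrom (\S+)", flat), re.search(r"\bby (\S+)", flat)
        hops.append((frm and frm.group(1), by and by.group(1)))
    return hops

def forefront_report(msg):
    """X-Forefront-Antispam-Report fields (SCL, SFV, CAT, CIP, ...) as a dict."""
    parts = (p.strip() for p in msg.get("X-Forefront-Antispam-Report", "").split(";"))
    return dict(p.split(":", 1) for p in parts if ":" in p)

def unexpected_relays(hops, expected_domains):
    """Hosts in the chain outside the expected sender/tenant domains (assumed list)."""
    def ok(host):
        return any(host == d or host.endswith("." + d) for d in expected_domains)
    return sorted({h.lower() for hop in hops for h in hop if h and not ok(h.lower())})

def analyze(raw, expected_domains):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {"auth": auth_results(msg), "hops": hops, "filter": forefront_report(msg),
            "unexpected": unexpected_relays(hops, expected_domains)}
```

Received lines written before the first server you control come from upstream systems and can be forged, so treat the oldest hops as claims to be checked against the authentication results rather than as facts.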

1. Use Microsoft Message Header Analyzer

You can paste the email header into Microsoft Message Header Analyzer and click Analyze headers to analyze the email header information. You can also open Microsoft Message Header Analyzer directly from the email entity page or when you click on View Header.

Use Microsoft Message header analyzer

2. Use MXtoolbox Email Header Analyzer

You can also paste the email header into MXToolbox Email Header Analyzer and click Analyze Header to analyze the email header information.

Use MXtoolbox Email Header Analyzer

Conclusion

For admins, the most efficient and complete method is Microsoft 365 Defender’s email entity page, where you can copy the full plain-text email header directly from the investigation experience. For end users, Outlook on the web and Outlook desktop (classic or new Outlook) provide built-in “message details/internet headers” views that you can copy into an analyzer to interpret routing and authentication results.
