3 ways to Find Email Header Information in Office 365

Email message headers can be a valuable source of information when troubleshooting email delivery issues. For instance, I encountered a situation where emails sent by a partner company were marked as spam, while others were redirected to an internal email address. Analyzing the email message headers can help investigate these issues.

I investigated the issue by performing a Message trace from the Exchange admin center. If you are an Exchange administrator or Global Administrator, you can perform a message trace by following the below steps:

To narrow your search, specify the sender and recipient email addresses or domain names. Select a time range, delivery status, and direction details, and click on Search. This will display the data on the dashboard, and you can click on each email to access more detailed information about the mail flow.

For instance, clicking on an email with the status FilteredAsSpam may provide further information, such as The message was delivered to the Junk Email folder. However, you cannot view message header information from this interface, which is needed for further analysis. Let’s explore how to access email header information.

Message Trace results on Exchange online admin center
Message Trace results on Exchange online admin center

Option 1 – Retrieve Email Message Headers via Microsoft 365 Defender Portal

What if the recipient cannot send the email as an attachment, and you do not have this option to retrieve email header information? In such cases, you can still view the email header information directly from the Microsoft 365 Defender portal.

To view email message header information, please follow these steps:

  1. Sign in to the Microsoft 365 Defender portal (https://security.microsoft.com).
  2. Email & Collaboration > Explorer.
  3. When you click on Explorer, it will open the Threat Explorer page.
  4. Search for the email using the filters.

Please note that you will not see the Explorer option if you have a Microsoft Defender for Office 365 Plan 1 license. In that case, you will see the Real-time detections option instead. If you want to understand the difference between Microsoft Defender for Office 365 Plan 1 and Microsoft Defender for Office 365 Plan 2, you can click here.

Missing Explorer Option
Retrieve Email Message Headers via Microsoft 365 Defender Portal
Retrieve Email Message Headers via Microsoft 365 Defender Portal
  1. Click on the email for more details, then select View header.
Retrieve Email Message Headers via Microsoft 365 Defender Portal
Retrieve Email Message Headers via Microsoft 365 Defender Portal
  1. Under the Plain-text email header tab, click Copy message header to copy the email message header information for further investigation.
Retrieve Email Message Headers via Microsoft 365 Defender Portal
Retrieve Email Message Headers via Microsoft 365 Defender Portal

Option 2 – Retrieve Email Message Headers via Outlook Web Client (OWA)

You can obtain the email message header information if you have a copy of an email saved or sent as an attachment or access to the Outlook Web client where the email was delivered. Follow these steps to retrieve email header information from the Outlook Web Access client:

  • Sign in to Outlook on the web client (https://Outlook.office365.com/owa)
  • Find the email for which you need the email header information.
  • Right-click on the email and click on View > View message details.
Retrieve Email Message Headers via Outlook Web Client
Retrieve Email Message Headers via Outlook Web Client
  • You’ll find “Message details,” which contains the email message header information. Copy all the text from Message details for further investigation and analysis.
Retrieve Email Message Headers via Outlook Web Client
Retrieve Email Message Headers via Outlook Web Client

Option 3 – Retrieve Email Message Headers via Outlook Desktop Client

If you have the email in your Outlook Inbox then you can follow below steps to get the message headers from that email using outlook desktop client.

  1. Open the Outlook Desktop client.
  2. Search for the email for which you need the header.
  3. Double-click on the email to open it.
  4. Once the email is open, go to File > Properties.
  5. Look for Internet headers and copy all the text from this textbox to a notepad. This contains the email header information for that email.
  6. You can now use this email header information for further investigation and analysis to gather more details about the email flow.
Retrieve email header information from Outlook Desktop Client
Retrieve email header information from Outlook Desktop Client

How to analyze Email Headers?

We have obtained the email header information, but it may be challenging to interpret the raw internet header data. You can utilize various email header analysis tools to analyze email headers effectively. Here are some options:

1. Use Microsoft Message header analyzer

You can paste the email header into Microsoft Message Header Analyzer and click “Analyze headers” to assess the email header information.

Use Microsoft Message header analyzer
Use Microsoft Message header analyzer

2. Use MXtoolbox Email Header Analyzer

You can also paste the email header into MXToolbox Email Header Analyzer and click “Analyze header” to evaluate the email header information.

Use MXtoolbox Email Header Analyzer
Use MXtoolbox Email Header Analyzer

Conclusion

In this blog post, we’ve explored various methods for obtaining email header information, which is crucial for analyzing email delivery issues. When dealing with email-related problems and opening a support ticket with Microsoft, you might be required to provide this information. Therefore, knowing how to retrieve it from the user and the Microsoft 365 Defender portal is essential.

Remember that if your users are assigned Microsoft Defender for Office 365 Plan 1 licenses, you won’t be able to obtain email header information from the Microsoft 365 Defender portal. In such cases, you’ll need to have access to either the email sent as an attachment or use Outlook for the web or Outlook desktop client where the email was delivered.

Leave a Comment