In the mail header, what does the "received from" ip refer to?
Mail starts at a client, this client sends it to the server. If the server has to hand it over to another server (because itself is not serving mail for the domain where the mail needs to go), it forwards it to the server that does. This server then adds received : from
to the header.
Example:
[email protected] wants to send an email to [email protected].
Bart creates an email and hands it to the mail server for mydomain.com. This server looks at the destination-address and sees it is yourdomain.com
. This server does not provide mail for yourdomain.com
. It has to look up the server that does via the MX Records for yourdomain.com
and then forward the mail to it.
When the mail server for yourdomain.com
has received the mail, he adds received : from mail.mydomain.com
and delivers it to sohaibafifi
's mailbox or gives it to another server if this would be needed.
Example of such a chain:
Received: by 10.42.195.134 with SMTP id ec6csp80279icb;
Tue, 19 Jun 2012 00:45:09 -0700 (PDT)
Received: by 10.180.103.42 with SMTP id ft10mr929660wib.18.1340091908492;
Tue, 19 Jun 2012 00:45:08 -0700 (PDT)
Received: from barracuda2.infraxnet.be (mail2.infraxnet.be. [78.24.168.38])
by mx.google.com with ESMTP id c73si24136496wec.20.2012.06.19.00.45.07;
Tue, 19 Jun 2012 00:45:08 -0700 (PDT)
You should read these bottom to top.
In addition to what @Bart De Vos is saying even the first mail server that receives the message ie the home server of your organization will add a Received: from header indicating the client that is sending the message. In the case of a web interface into mail (webmail) the client sending the message is the server hosting the WebMail application. Usually both the IP address and the name of the client are recorded but it is possible to only record the IP address if the name (DNS) cannot be discovered. For example my server (postfix) records this like this
Received: from [10.16.16.63] (client.inmydomain [10.16.16.63]) .....
Essentially, as a result of the above a message can be traced back to its source this way and the route (relays) that it has traversed. Mind you though that there are ways to modify these records.