Why do email headers contain private IP addresses?
Because that is how SMTP is designed, and how the sending email system has been configured.
There are ways to suppress this information, but the sending mail system needs to be explicitly configured to do this.
Received: from [172.16.1.2] (some.public.ip.address)
As you mentioned in the comments, the private IP in this particular location is because it was sent as the client's hostname in the HELO command.
For proper mail servers, the HELO command should include their fully qualified hostname, which should also match with DNS. For inbound email, many servers actually verify the HELO hostname to make sure it's valid and the DNS matches. For sending email, servers will normally accept anything as long as you are authenticated (you can't expect end users to all have real, valid hostnames configured on their machines).
For SMTP clients like Outlook, they could send your machine name, but that isn't fully qualified and might not be desirable depending on what the machine is called. For example, you often see headers like the following:
Received: from DESKTOP9U6J0BC (unknown)
Using the IP address probably provides a bit more privacy as some people may argue seeing 172.1.2.3 in the headers is better than MIKES-MACBOOK or CEO-WORKSTATION.
At the end of the day the client just needs to provide something reasonable in the HELO command, and some clients choose the IP address.
This is slightly different to what other answers have discussed, which are related to actual SMTP servers using private addresses to transport email inside an organisation.
It is not the mail client that adds a Received header, but each SMTP mail server in the path an SMTP message follows from the first outgoing mail server (mail relay) the sender uses, to the final destination of the recipient’s mailbox.
If the first mail server is in the sender’s internal network it can (and unless otherwise configured, will) record the sender’s internal IP address in the first Received header.
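Added example, not part of any answer above: a Python check that walks a message's Received headers and reports RFC 1918 addresses and unqualified machine names, covering both the HELO case and the internal-relay case the answers describe. The sample message, its host names and the function name find_internal_leaks are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges only; ipaddress.is_private is broader (it also covers documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_RE = re.compile(r"from\s+(\S+)\s*(.*?)(?:\s+by\s|$)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample message (not taken from the page); newest hop first.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:05 +0000
Received: from [172.16.1.2] (unknown [198.51.100.7])
\tby mx.example.net with ESMTPSA; Mon, 1 Jan 2024 10:00:01 +0000
Received: from DESKTOP9U6J0BC (unknown [10.0.0.5])
\tby relay.internal.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: a@example.net

body
"""

def _private_ips(text):
    """Return the IPv4 literals in text that fall inside an RFC 1918 range."""
    hits = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if any(ip in net for net in RFC1918):
            hits.append(candidate)
    return hits

def find_internal_leaks(raw_message):
    """Return (hop, kind, value) tuples; hop 0 is the newest Received header."""
    findings = []
    msg = message_from_string(raw_message)
    for hop, header in enumerate(msg.get_all("Received", [])):
        text = " ".join(header.split()).split(";")[0]  # unfold, drop the timestamp
        m = FROM_RE.match(text)
        if not m:
            continue
        helo, peer_info = m.group(1), m.group(2)  # HELO argument, server's own note
        findings += [(hop, "helo-private-ip", ip) for ip in _private_ips(helo)]
        findings += [(hop, "peer-private-ip", ip) for ip in _private_ips(peer_info)]
        if not helo.startswith("[") and "." not in helo:
            findings.append((hop, "helo-unqualified-name", helo))
    return findings
```

Running it over outbound mail captured at the edge relay shows which hop is recording internal details, which is where header suppression or rewriting would need to be configured.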