The structure of a Received: header is
The elements in bold are the literal words in the header. Items in italics are the bits that change from header to header. The underlined elements are the ones that can be manipulated by spammers and scammers.
Received: headers are recorded any time a message is handed between two computers. So, for any pair of Received headers, the sending computer of the first line should always match the receiving computer of the second line. The newest Received: header is always added to the top of the headers, so reading headers from top to bottom traces the message from you back to the sender.
Let's look at an example. Here's a message being sent from someone's iPhone, through their Gmail account, to a Pobox Mailstore account. (Note: Normal Received headers are not numbered. I added those to help in tracing the message.)
1. Received: from maroon.pobox.com (maroon.pobox.com [126.96.36.199]) by mailstore.pobox.com
(Postfix) with ESMTP id 847989746 for <address>; Wed, 15 Jun 2011 10:42:09 -0400 (EDT)
2. Received: from maroon.pobox.com (localhost [127.0.0.1]) by maroon.pobox.com (Postfix) with
ESMTP id EA14340A31F; Wed, 15 Jun 2011 10:42:35 -0400 (EDT)
3. Received: from mail-qw0-f46.google.com (mail-qw0-f46.google.com [188.8.131.52]) by
maroon.pobox.com (Postfix) with ESMTPS id 70BCC40A1DB for <address>; Wed, 15 Jun 2011
10:42:13 -0400 (EDT)
4. Received: by qwk3 with SMTP id 3so281681qwk.33 for <address>; Wed, 15 Jun 2011
07:42:11 -0700 (PDT)
5. Received: by 10.229.78.96 with SMTP id j32mr509819qck.121.1308148929825; Wed, 15
Jun 2011 07:42:09 -0700 (PDT)
6. Received: from [10.231.252.223] (79.sub-174-252-72.myvzw.com [184.108.40.206]) by
mx.google.com with ESMTPS id m16sm345129qck.28.2011.06.15.07.42.02
(version=TLSv1/SSLv3 cipher=OTHER); Wed, 15 Jun 2011 07:42:08 -0700 (PDT)
Starting at the top:
So, the message starts at Verizon, proceeds through various internal processes at Google and Pobox, then ends up in my Inbox at mailstore!
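An added example (not part of the original article): a short Python check of the pairing rule described above, run over the article's six headers. The function names are hypothetical. Names are compared literally, so a header with no from clause is reported as no-from and a name difference as mismatch, which is a prompt to look closer rather than proof of tampering.

```python
import re

# Abridged from the article's six example headers (newest first): unfolded,
# with the "Received:" name, "for <address>" and the TLS comment dropped.
PAGE_HEADERS = [
    "from maroon.pobox.com (maroon.pobox.com [126.96.36.199]) by mailstore.pobox.com "
    "(Postfix) with ESMTP id 847989746; Wed, 15 Jun 2011 10:42:09 -0400 (EDT)",
    "from maroon.pobox.com (localhost [127.0.0.1]) by maroon.pobox.com "
    "(Postfix) with ESMTP id EA14340A31F; Wed, 15 Jun 2011 10:42:35 -0400 (EDT)",
    "from mail-qw0-f46.google.com (mail-qw0-f46.google.com [188.8.131.52]) by maroon.pobox.com "
    "(Postfix) with ESMTPS id 70BCC40A1DB; Wed, 15 Jun 2011 10:42:13 -0400 (EDT)",
    "by qwk3 with SMTP id 3so281681qwk.33; Wed, 15 Jun 2011 07:42:11 -0700 (PDT)",
    "by 10.229.78.96 with SMTP id j32mr509819qck.121.1308148929825; "
    "Wed, 15 Jun 2011 07:42:09 -0700 (PDT)",
    "from [10.231.252.223] (79.sub-174-252-72.myvzw.com [184.108.40.206]) by mx.google.com "
    "with ESMTPS id m16sm345129qck.28.2011.06.15.07.42.02; Wed, 15 Jun 2011 07:42:08 -0700 (PDT)",
]

def parse_hop(value):
    """Pull the from / by / with tokens out of one Received: value."""
    clauses = value.rsplit(";", 1)[0]               # drop the trailing date-time
    clauses = re.sub(r"\([^()]*\)", " ", clauses)   # drop (comments) so words inside them are ignored
    hop = {}
    for key in ("from", "by", "with"):
        m = re.search(rf"(?:^|\s){key}\s+(\S+)", clauses)
        hop[key] = m.group(1) if m else None
    return hop

def check_chain(headers):
    """Compare each header's `from` with the `by` of the next-older header."""
    hops = [parse_hop(h) for h in headers]
    results = []
    for newer, older in zip(hops, hops[1:]):
        if newer["from"] is None:
            results.append("no-from")     # internal handoff: nothing to compare
        elif older["by"] and newer["from"].lower() == older["by"].lower():
            results.append("match")
        else:
            results.append("mismatch")    # review by hand; not proof of forgery
    return hops, results

if __name__ == "__main__":
    hops, results = check_chain(PAGE_HEADERS)
    for n, hop in enumerate(hops, 1):
        print(n, hop)
    print(results)
```

On the article's headers the two Pobox handoffs match, while the Google-internal headers either lack a from clause or record a short internal name (qwk3), so they cannot be confirmed by name alone.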
A note about encryption and the protocols mentioned in the Received: header:
Finally, Received: headers can themselves be tampered with, so we can only be really certain of the protocol with which mail was delivered to Pobox, rather than the protocols used along its whole journey.