Overview of Parsed Mail Headers

Overview of parsed mail headers

The following is a list of a lot of the most popular mail headers, you can use this information to identify the origins and build these into scripts.
General Mail Details

Header Matching RegExExplanation
From|^from:(.*)|miThe From-address, the person who (allegedly) sent this e-mail.
To|^to:(.*)|miThe To-address, to whom the mail was addressed.
Subject|^subject:(.*)|miThe subject of the e-mail, as shown in the mailclient.
Carbon Copy|^cc:(.*)|miCarbon Copy list of e-mail addresses
MIME Version|^mime\-version:(.*)|miMIME
Return Path|^Return\-Path:(.*)|mReturn Path to which mails would bounce
Reply to|^Reply\-To:(.*)|miA reply to this e-mail would be sent to this address, which is not necessarily the same as the From-address.
Originating IP|^X\-Originating\-IP:(.*)|miThe IP address of the computer on which the email originated.
Originating e-mail|^X\-Originating\-Email:(.*)|mi Another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the "From:" line.
Delivered to|^Delivered\-To:(.*)|miThe account to which the e-mail was finally delivered to.
In reply to|^In\-Reply\-To:(.*)|miThis e-mail message was sent as a reply to this address.
Forwarded to|^X\-Forwarded\-To:(.*)|miThis message was forwarded from another account (probably automatic).
Forwarded for|^X\-Forwarded\-For:(.*)|mi The account which forwarded this e-mail.
References|^References:(.*)|mi
Message Id|^Message\-ID:(.*)|miA unique identifier for this e-mail (at least, in the sending MTA).
HeaderMatching RegExExplanation
Received SPF|^received\-spf:(.*)|miThe received SPF record
Authentication Results|^Authentication\-Results:(.*)|miAuthentication Results (usually SPF related)
Spamcheck Version|^X\-Spam\-Checker\-Version:(.*)|mX-Spam-Checker-Version: which software was used
Spam Status|^X\-Spam\-Status:(.*)|miX-Spam-Status: was this spam?
Scanned by|^X\-Scanned\-By:(.*)|miSoftware used to scan this message.
Virus scanned|^X\-Virus\-Scanned:(.*)|miScanned for virusses.
HeaderMatching RegExExplanation
Accept Language|^Accept\-Language:(.*)|miIndicates the preference with regard to language.
Content Language|^Content\-Language:(.*)|miIndicates the language of the content.
Accept Language|^acceptlanguage:(.*)|mSee: 'Accept-Language'

The following can be traced including if they’re using residential proxies.

HeaderMatching RegExExplanation
MailScanner Information|^X\-NUCLEUS\-MailScanner\-Information:(.*)|miAdditional information on the MailScanner.
Mailscanner ID|^X\-NUCLEUS\-MailScanner\-ID:(.*)|miInternal ID used in MailScanner software.
Mailscanner result|^X\-NUCLEUS\-MailScanner:(.*)|mi Result of the MailScanner process, whether it was spam or not.
Mailscanner spamcheck|^X\-NUCLEUS\-MailScanner\-SpamCheck:(.*)|mi
Mailscanner from|^X\-NUCLEUS\-MailScanner\-From:(.*)|miFrom-header received by MailScanner.
Spamscore|^X\-NUCLEUS\-MailScanner\-SpamScore:(.*)|miIf mail was marked as spam, this will hold the spamscore.
HeaderMatching RegExExplanation
Date Sent|^date:(.*)|miDate at which the e-mail was sent.
Original Arrival Time|^X\-OriginalArrivalTime:(.*)|miThis is a time stamp placed on the message when it first passes through a Microsoft Exchange server.
HeaderMatching RegExExplanation
Content Type|^Content\-Type:(.*)|miThe type of content that is being sent via mail.
Transfer Encoding|^Content\-Transfer\-Encoding:(.*)|miThe encoding used to send the message.
Content class|^Content\-class:(.*)|miAnother MIME header, telling MIME-compliant mail programs what type of content to expect in the message.
Content disposition|^Content\-Disposition:(.*)|miHow the content of the mail should be handled (inline, attachment, ...).
HeaderMatching RegExExplanation
Mailer software |^X\-Mailer:(.*)|miThe mailclient or mailing software used to send out the e-mail.
User Agent |^User\-Agent:(.*)|mi The mailing software that the client has identified himself as.
Mail Priority |^X\-Priority:(.*)|miThe priority with which this e-mail was sent.
Sender |^X\-Sender:(.*)|miA custom header, to show the real sender e-mail address.
Microsoft Mail Priority|^X\-Msmail\-Priority:(.*)|miThe priority as entered in Microsoft Mail.
User Agent|^X\-User\-Agent:(.*)|mi User Agent used to send the e-mail.
Header Matching RegExExplanation
Mime OLE|^X\-MimeOLE:(.*)|mi Mime OLE software used by the sender.
Thread index \-Index:(.*)|miIs used for associating multiple messages to a similar thread. For example, in Outlook the conversation view would use this information to find messages in one conversation thread.
TNEF Correlator|^X\-MS\-TNEF\-Correlator:(.*)|miThe Transport Neutral Encapsulation Format is Microsoft Exchange/Outlook specific, used when sending messages formatted as Rich Text Format (RTF).
Has attachment |^X\-MS\-Has\-Attach:(.*)|miInforms that the client is ready to send attachments and it also informs whether or not the e-mail contains any attachments. If the e-mail contains attachments the information header X-MS-Has-Attach: will say "yes" after colon.
Thread topic |^Thread\-Topic:(.*)|miUsually the original subject, used as the readable version of Thread-Index.
     

Additional@ Using Proxies to watch Match of the Day Stream