email message p1 and p2 headers


Upload: ammar-hasayen

Post on 21-Jan-2018


Email Message P1 and P2 headers
blog.ahasayen.com/email-message-p1-and-p2-headers/

Ammar Hasayen

In this blog post, I will be talking about email message headers, and email message P1 and P2 headers. Understanding the structure of the message header can help a lot in understanding email message routing and anti-spam protection logic. This becomes handy when trying to learn how Exchange Online Protection works, and what role these headers play as part of the Exchange Online Protection architecture.

How are regular physical messages sent?

Before talking about email message P1 and P2 headers, let us take a moment and think about normal paper messages and how they are actually sent.

You are the manager of University of Harvard (John Harvard), and you want to address the manager of Washington DC hostel (Bob). You start by bringing up a piece of paper, and officially addressing Bob. At the end of the piece of paper, you will sign with your name “John Harvard”.

After that, you will bring an envelope, and write down the following: MAIL FROM is University of Harvard, and RCPT (the recipient) is Washington DC hostel. The envelope information here is used by the delivery guy to route the message from Harvard university to Washington DC hostel. This is all the delivery guy needs to know. He does not know what is inside the message. In other words, the delivery guy only sees the P1 envelope header.


In case he cannot deliver the message, the Return-Path (bounce address) would be the envelope MAIL FROM, which is University of Harvard, simply because the delivery guy did not open the envelope and can only see what is written on the envelope itself. The delivery guy in our case is all the SMTP servers contributing to the delivery of the message.

Things to notice here:

The delivery guy only sees the envelope and he does not care much about the paper inside (P2 header).

Bob, the recipient in this case, might not see the envelope at all. The guy responsible for checking the hostel mail would open the envelope and look at the paper inside. He noticed it is addressed to Bob, so he took the paper inside and handed it to Bob directly. Bob in this case is the recipient email client, like Outlook.

When any party in between wants to verify the authenticity of the message, they would look at the envelope MAIL FROM, and they will verify the message is from University of Harvard. They will not open the message itself to read the paper inside. In other words, SPF checks happen on the MAIL FROM P1 envelope.

Now, we can move and talk about email message P1 and P2 headers.

Email Message P1 header

P1 header is what is used to deliver the message (routing information). SPF checks happen on the MAIL FROM P1 header. P1 headers include:

MAIL FROM

RCPT

P1 headers are described in RFC 5321.

The envelope can have multiple recipients. For example, if there is a recipient that is part of the BCC, then that recipient's information is included in the P1 RCPT. This is how BCC works.

In normal operations, P1 MAIL FROM = P2 FROM. This is not always the case. Suppose you have a third party who is sending mail campaign emails on your behalf. To do that, they will send messages with P1 MAIL FROM = [email protected], while the P2 FROM = [email protected].

This way, the recipient of the email campaign will see that the sender is [email protected], as the recipient email program (Outlook) displays the P2 FROM header and not the P1 MAIL FROM.

In this way, the bounce messages will be sent to the third party marketing system to report on the number of bounces and give you a nice report after each campaign. Also, Contoso should make sure that the public IPs of the third party marketing system are added to the Contoso SPF record. This is needed because the recipient email system will perform the SPF check for the Contoso.com domain on the MAIL FROM P1 envelope header, which is the third party IPs, not yours.
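The envelope/header split and the BCC behaviour described above can be seen by pulling both layers out of one SMTP session. This is an added example, not code from the original post; the session text, all addresses and the `analyze` helper are constructed for illustration, and dot-stuffing inside DATA is not handled.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed client side of one SMTP session; every address is a made-up sample.
SESSION = """\
EHLO mailer.example
MAIL FROM:<bounces@campaign.contoso.example>
RCPT TO:<bob@hostel.example>
RCPT TO:<auditor@hostel.example>
DATA
From: Contoso News <news@contoso.example>
To: Bob <bob@hostel.example>
Subject: Spring campaign

Hello Bob
.
QUIT
"""

ENVELOPE_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)

def analyze(session):
    """Split P1 (SMTP commands before DATA) from P2 (headers inside DATA) and compare."""
    lines = session.splitlines()
    data_at = next(i for i, l in enumerate(lines) if l.strip().upper() == "DATA")
    end_at = lines.index(".", data_at)          # a lone dot ends the message
    p1_from, p1_rcpt = None, []
    for line in lines[:data_at]:                # envelope: what SMTP servers route on
        m = ENVELOPE_CMD.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            p1_from = m.group(2).lower()
        elif m:
            p1_rcpt.append(m.group(2).lower())
    msg = message_from_string("\n".join(lines[data_at + 1:end_at]))
    p2_from = parseaddr(msg.get("From", ""))[1].lower()
    shown = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return {
        "p1_mail_from": p1_from,                # bounce address; identity SPF evaluates
        "p1_rcpt": p1_rcpt,
        "p2_from": p2_from,                     # what the mail client displays
        "spf_domain": (p1_from or "").rpartition("@")[2],
        "from_match": p1_from == p2_from,
        # In the envelope but absent from To/Cc: how a BCC recipient appears
        "envelope_only_rcpt": [r for r in p1_rcpt if r not in shown],
    }

if __name__ == "__main__":
    for key, value in analyze(SESSION).items():
        print(f"{key:20} {value}")
```

A mail filter can log `from_match` and `spf_domain` side by side to see which identity was actually authenticated versus which one the user was shown.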

Email Message P2 header

P2 header is used to display information on the recipient email client. This header is even optional and does not participate in how the message is delivered. P2 headers include:

FROM


TO

P2 headers are described in RFC 5322. This is what the Outlook user sees.

P1, P2 and Outlook Safe Senders

According to this blog post from Microsoft, when a user adds a sender to the Safe Senders list or Blocked Senders list, the P2 FROM address is the address that is added and synced to Exchange Online Protection.

“Senders placed in the Safe Senders list will never be marked as spam by the Outlook client and senders placed in the Blocked Senders list will always be moved to your Junk Mail folder” – Microsoft Blog Post

EOP will look at the P2 header and P1 header and compare them to the recipient's safe sender list and blocked sender list, so that it can make a decision to skip spam filtering or not.

Previously, EOP used to look at the P1 address only when comparing to the recipient's safe sender list and blocked sender list, which does not make sense.

P1, P2 Diagram

Email message P1 and P2 headers can be illustrated in a nice diagram.

I call P1 the P1 Envelope because it is like the outer shell envelope, while I call P2 the P2 header, as it is like the inner message greeting header. I usually print the below diagram out and give it to the anti-spam team in my company, so that they always remember what is different between the two types of headers.

The P1 address is what’s seen on the outside of the envelope, where the P2 address is what we see on the paper inside. Often these are the same, but they don’t have to be.
