A-to-Z Index

Computing Homepage


Information Technology Help Desk

Operational Hours and Exceptions



Forwarding a message as an Attachment to include Email Headers

To handle complaints about email, it is often necessary to obtain detailed information about a particular message. Messages must be forwarded in a particular way for such information to be included. Here is how.


Student Dukes@jmu.edu email (Office 365 read in a browser)

  • Click new to open a new email message window.
  • Drag the message you want to forward into the body of the new message.
  • Fill out the subject line and send to abuse@jmu.edu.

Outlook Web Access (Employee Exchange email read in a browser)

  • Click new to open a new email message.
  • Click the icon in the top right corner of the message window to open the message in a separate window.separate window icon
  • Drag the message you want to forward into the body of the new message.
  • Fill out the subject line and send to abuse@jmu.edu.

Outlook 2010 or later (Employee Exchange email read in the Outlook Windows client)

  • Highlight message, click More in the Respond ribbon, then click Forward as Attachment

Macintosh Mail in Mountain Lion

  • Right-click message then click Forward as Attachment

Outlook for Macintosh 2011

  • Right-click message, click Forward Special, then click As Attachment


  • Highlight message, click Message menu, then click Forward as Attachment

Other email clients

  • Use Help or Google to find instructions


Background information on email headers

The lines preceded by "Received:"  are supposed to show the systems through which the message traveled. The last "Received" line should show the IP address of the originating computer. This is useful to find the true sender. An example message is shown below.

The apparent (faked) address seen by the recipient is in green.

The true sending computer's address is in RED. This is the address you want to plug into one of the Internet registry sites to determine what ISP hosts this infected computer.

If the mail system authenticates sending users, there may be a field that contains the true sending email address. There is one in this message in blue.


Return-Path: <JMUeID@jmu.edu>
Received: from heron.jmu.edu (heron2.jmu.edu [])
by roc.jmu.edu (8.8.8/8.8.8) with ESMTP id IAA07219
for <flynngn@mail.jmu.edu>; Thu, 8 Aug 2002 08:50:32 -0400 (EDT)
Received: from kiwi.jmu.edu (kiwi.jmu.edu [])
by heron.jmu.edu (Switch-2.1.0/Switch-2.1.0) with ESMTP id g78CoJ508749
for <flynngn@jmu.edu>; Thu, 8 Aug 2002 08:50:19 -0400 (EDT)
Received: from jmu.edu (sslmail.jmu.edu [])
by kiwi.jmu.edu (8.11.6/8.11.0) with ESMTP id g78Cnep07891
for <JMUeID@jmu.edu>; Thu, 8 Aug 2002 08:49:40 -0400
Message-ID: <3D526976.D4EBAA34@jmu.edu>
Date: Thu, 08 Aug 2002 08:52:06 -0400
From: Santa Claus@isp.com
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: flynngn@jmu.edu
Subject: Test Message
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Blah. Blah. Blah. SPAM. SPAM. SPAM. Virus. Virus. Virus.


Note that almost all the information in the headers, and thus all the information normally displayed in the message, can be forged in one way or another.

To locate a computer with a particular IP address, type the IP address into one of the Internet Number registry web pages below. This will typically tell you the Internet Service Provider and often the originating organization. If the address is associated with viruses or spam, an email message drafted to the ISP (typically to abuse@isp) may prompt them to disable the account or to contact the owner of the sending computer and encourage them to R.U.N.S.A.F.E or cease inappropriate behavior. Start with the ARIN registry. It will tell you if the IP address is registered somewhere else and where you need to go.

ARIN ( North and South America, Caribbean, and sub-Saharan Africa )

RIPE ( Europe )

APNIC ( Asia Pacific)

AfriNIC ( Africa )

LACNIC (Latin America and Caribbean)

KRNIC ( Korea )


Many organizations maintain a mailbox for complaints named "abuse". So, for example, if you find the IP address belongs to America Online (AOL), you can send the information to abuse@aol.com. Make sure you include the full headers or they will not be able to determine the actual sender.