Email Message P1 and P2 headers
In this blog post, I will be talking about email message headers, and in particular the email message P1 and P2 headers. Understanding the structure of the message header helps a lot in understanding email message routing and anti-spam protection logic. This becomes handy when trying to learn how Exchange Online Protection works, and what role these headers play as part of the Exchange Online Protection Architecture. Please check the EOP Exchange Online Protection Architecture post for more information.
How are regular physical messages sent?
Before talking about email message P1 and P2 headers, let us take a moment and think about the normal paper messages and how they are actually being sent out.
You are the manager of University of Harvard (John Harvard), and you want to address the manager of Washington DC hostel (Bob). You start by taking a piece of paper and officially addressing Bob. At the end of the piece of paper, you sign with your name “John Harvard”.
After that, you take an envelope and write down the following: MAIL FROM is University of Harvard, and RCPT (the recipient) is Washington DC hostel. The envelope information is used by the delivery guy to route the message from Harvard university to Washington DC hostel. This is all the delivery guy needs to know. He does not know what is inside the message. In other words, the delivery guy only sees the P1 envelope header.
In case he cannot deliver the message, the Return-Path [Bounce Address] would be the envelope MAIL FROM, which is University of Harvard, simply because the delivery guy did not open the envelope and can only see what is written on the envelope itself. The delivery guy in our case is all the SMTP servers contributing to the delivery of the message.
Things to notice here:
- The delivery guy only sees the envelope and he does not care much about the paper inside (P2 Header).
- Bob, the recipient in this case, might not see the envelope at all. The guy responsible for checking the hostel mail would open the envelope and look at the paper inside. He notices it is addressed to Bob, so he takes the paper and hands it to Bob directly. Bob in this case is the recipient email client, like Outlook.
- When any party in between wants to verify the authenticity of the message, they would look at the envelope MAIL FROM, and they will verify the message is from University of Harvard. They will not open the message itself to read the paper inside. In other words, SPF checks happen on the MAIL FROM P1 Envelope.
Now, we can move and talk about email message P1 and P2 headers.
Email Message P1 header
P1 header is what is used to deliver the message (routing information). SPF checks happen on the MAIL FROM P1 header. P1 headers include:
- MAIL FROM
P1 headers are described in RFC 5321.
The envelope can have multiple recipients. For example, if there is a recipient that is part of the BCC, then that recipient information is included in the P1 RCPT. This is how BCC works.
In normal operations, P1 MAIL FROM = P2 FROM. This is not always the case. Suppose you have a third party who is sending mail campaign emails on your behalf. To do that, they will send messages with P1 MAIL FROM = news@ExternalParty.com, while the P2 FROM = firstname.lastname@example.org.
This way, the recipient of the email campaign will see that the sender is email@example.com as the recipient email program (Outlook) displays the P2 FROM header and not the P1 MAIL FROM.
In this way, the bounce messages will be sent to the third-party marketing system, which can report on the number of bounces and give you a nice report after each campaign. Also, Contoso should make sure that the public IPs of the third-party marketing system are added to the Contoso SPF record. This is needed because the recipient email system will perform the SPF check for the Contoso.com domain on the MAIL FROM P1 envelope header, and the message arrives from the third party's IPs, not yours.
Email Message P2 header
P2 header is used to display information on the recipient email client. This header is even optional and does not participate in how the message is delivered. P2 headers include:
P2 headers are described in RFC 5322. This is what the Outlook user sees.
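To make the split concrete, here is an added example (not code from the original post) that separates a client-side SMTP session into its P1 envelope and P2 headers, then reports whether the two sender domains match and which envelope recipients never appear in the visible headers (BCC). The session text, the `.example` host names and the function names are constructed for illustration, and dot-stuffing in the message body is ignored.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed client-side SMTP session (sample data, not from the original post).
SESSION = """\
EHLO mail.externalparty.example
MAIL FROM:<news@externalparty.example>
RCPT TO:<bob@hostel.example>
RCPT TO:<auditor@hostel.example>
DATA
From: John Harvard <john@contoso.example>
To: Bob <bob@hostel.example>
Subject: Spring campaign

Hello Bob
.
QUIT
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def split_p1_p2(session):
    """Return (P1 envelope dict, parsed P2 message) from an SMTP transcript."""
    lines = session.splitlines()
    data_at = lines.index("DATA")          # envelope commands come before DATA
    end = lines.index(".", data_at)        # a lone dot ends the message
    envelope = {"mail_from": None, "rcpt_to": []}
    for line in lines[:data_at]:
        verb, _, arg = line.partition(":")
        if verb.upper() == "MAIL FROM":
            envelope["mail_from"] = parseaddr(arg)[1]
        elif verb.upper() == "RCPT TO":
            envelope["rcpt_to"].append(parseaddr(arg)[1])
    message = message_from_string("\n".join(lines[data_at + 1:end]))
    return envelope, message

def analyze(session):
    envelope, msg = split_p1_p2(session)
    p2_from = parseaddr(msg["From"])[1]    # what the mail client displays
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr for _, addr in getaddresses(shown)}
    return {
        "p1_mail_from": envelope["mail_from"],
        "p2_from": p2_from,
        "spf_domain": domain_of(envelope["mail_from"]),  # SPF looks at P1
        "p1_p2_domains_match":
            domain_of(envelope["mail_from"]) == domain_of(p2_from),
        "bcc_recipients": sorted(set(envelope["rcpt_to"]) - visible),
    }
```

Calling `analyze(SESSION)` shows the bounce address and the displayed sender living in different domains, and `auditor@hostel.example` present only in the envelope.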
P1, P2 and Outlook Safe Senders
According to this blog post from Microsoft, when a user adds a sender to the Safe Senders list or Blocked Senders list, the P2 FROM address is the address that is added and synced to Exchange Online Protection.
“Senders placed in the Safe Senders list will never be marked as spam by the Outlook client and senders placed in the Blocked Senders list will always be moved to your Junk Mail folder” – Microsoft Blog Post
EOP will look at the P2 header and the P1 header and compare them to the recipient's safe sender list and blocked sender list, so that it can decide whether or not to skip spam filtering.
Previously, EOP used to look at P1 address only when comparing to the recipient safe sender list and blocked sender list, which does not make sense.
P1, P2 Diagram
Email Message P1 and P2 headers can be illustrated in a nice diagram.
I call P1 the P1 Envelope because it is like the outer shell envelope, while I call P2 the P2 header, as it is like the inner message greeting header. I usually print the diagram below and give it to the anti-spam team in my company, so that they always remember the difference between the two types of headers.
The P1 address is what’s seen on the outside of the envelope, where the P2 address is what we see on the paper inside. Often these are the same, but they don’t have to be.