Should the X-originating-IP header be removed for email deliverability and security?

Summary

The general consensus is that removing the X-Originating-IP header has a negligible impact on email deliverability. Modern email systems and spam filters primarily rely on authentication protocols like SPF, DKIM, and DMARC, as well as sender reputation and engagement metrics. Removing the header might offer a slight privacy or security improvement by obscuring the sender's IP address and potentially limiting information available to attackers. It is not a standard header, and its absence doesn't violate email protocols. Some experts note that in the past, the header might have been used for filtering decisions or to improve reputation on shared IPs, but this is less relevant today. Removing 'received-by' headers is frowned upon, but removing X-Originating-IP is usually harmless.

Key findings

  • Low Deliverability Impact: Removing X-Originating-IP has a very limited impact on deliverability; modern spam filters use more sophisticated methods.
  • Privacy/Security Improvement: Obscuring the originating IP can offer a slight privacy or security benefit.
  • Focus on Authentication: Prioritize SPF, DKIM, and DMARC setup and maintenance for deliverability.
  • Not a Standard Header: X-Originating-IP is not a standardized email header, and its removal doesn't violate email protocols.
  • Shared IP Considerations: Historically, it might have helped in shared IP environments, but this is less relevant now.

Key considerations

  • Authentication is Key: Ensure correct SPF, DKIM, and DMARC configuration as the foundation of your deliverability strategy.
  • Evaluate Privacy Needs: Assess whether the minor privacy gain outweighs any potential (though unlikely) negative impact, especially on very old systems.
  • Consider Shared IP Context: If using shared IPs, understand whether the information provided by the header has any (minor) benefits.
  • Avoid Removing Required Headers: Do not remove required headers. X-Originating-IP is not required and is distinct from 'Received' headers.

What email marketers say
11 marketer opinions

The consensus among email marketers is that removing the X-Originating-IP header has minimal impact on email deliverability. While it may offer a slight privacy or security benefit by obscuring the sender's IP address and potentially limiting information available to attackers, modern spam filters prioritize factors like domain reputation, authentication protocols (SPF, DKIM, DMARC), sender reputation, and engagement metrics. Removing internal 'received-by' headers may be considered for privacy or security reasons, but be mindful of potential impacts on bounce-back detection.

Key opinions

  • Minimal Impact on Deliverability: Removing X-Originating-IP doesn't significantly affect deliverability as spam filters rely on more sophisticated methods.
  • Slight Privacy Benefit: Removing the header can obscure the originating IP, offering a minor privacy improvement.
  • Security Concerns: Removing the header might reduce the amount of information available to potential attackers, but offers limited additional security.
  • Focus on Authentication: Proper authentication (SPF, DKIM, DMARC) and domain reputation are more critical for deliverability.

Key considerations

  • Privacy vs. Utility: Weigh the slight privacy benefit of removing the header against its minimal impact on deliverability.
  • Alternative Security Measures: Focus on more robust security measures instead of relying solely on header removal.
  • Bounce Detection: Be aware of any potential impact of removing internal headers on bounce-back detection, especially with systems like Zimbra.
  • Internal Headers: Consider removing internal 'received-by' headers for privacy but assess the impact on internal network topology visibility.
Marketer view

Email marketer from SuperUser explains that removing the X-Originating-IP header might reduce the amount of information available to potential attackers. However, removing the header provides very limited additional security.

November 2023 - SuperUser.com
Marketer view

Email marketer from Reddit suggests that while removing X-Originating-IP might seem like a good idea for privacy, it won't significantly affect deliverability. Spam filters are sophisticated and look at many factors, not just a single header.

October 2021 - Reddit
Marketer view

Email marketer from Mailjet Help Center states that the X-Originating-IP header reveals the sender's IP address, which could potentially expose internal network information. Removing it might slightly improve privacy but has minimal impact on deliverability as modern filters rely on more sophisticated methods.

February 2023 - Mailjet Help Center
Marketer view

Email marketer from MXToolbox support notes that factors like domain reputation, blacklist status, and proper authentication (SPF, DKIM, DMARC) are significantly more important for email deliverability than the presence or absence of the X-Originating-IP header.

August 2024 - MXToolbox
Marketer view

Email marketer from EmailServerForum.net mentioned that he removes the X-Originating-IP header as standard practice for enhanced security; however, this is more about securing the server than improving email deliverability.

June 2022 - EmailServerForum.net
Marketer view

Email marketer from StackExchange explains that removing X-Originating-IP can provide a slight privacy benefit by obscuring the originating IP, but its impact on security and deliverability is limited. Modern email systems use more advanced methods of identifying and filtering spam.

April 2021 - StackExchange
Marketer view

Marketer from Email Geeks shares that removing the X-originating-IP header has no influence on deliverability.

October 2022 - Email Geeks
Marketer view

Email marketer from Sendgrid shares that best practices in email include ensuring authentication protocols, such as SPF and DKIM, are set up correctly rather than obsessing over the removal of headers such as X-originating-IP.

July 2022 - Sendgrid.com
Marketer view

Marketer from Email Geeks advises not worrying about filters scrutinizing messages based on header removal. Focus on privacy/security concerns related to exposing internal network topology with internal 'received-by' headers, and be aware of Zimbra's expectations regarding certain headers for bounce-back detection. They also mention that version headers could be disabled.

February 2022 - Email Geeks
Marketer view

Email marketer from EmailVendorSelection.com shares that removing the X-Originating-IP header might offer a marginal privacy improvement but has a negligible impact on email deliverability. Modern spam filters prioritize authentication (SPF, DKIM, DMARC) and engagement metrics.

November 2022 - EmailVendorSelection.com
Marketer view

Email marketer from Quora explains that removing the X-Originating-IP header provides limited security by removing the sender's IP address, and that it has little impact on the email's deliverability.

August 2023 - Quora.com

What the experts say
5 expert opinions

Experts offer mixed perspectives on removing the X-Originating-IP header. While its presence *can* be used for filtering and potentially improve reputation in shared IP scenarios, especially with older systems, its removal is generally considered harmless for deliverability, aligning with the consensus that modern spam filters prioritize other factors. While some experts frown upon removing *received* headers, X-Originating-IP is not a standard received header and removing it can offer a slight reduction in disclosed information.

Key opinions

  • Limited Deliverability Impact: Removing X-Originating-IP is unlikely to significantly affect deliverability as modern spam filters focus on other factors.
  • Potential for Filtering (Historically): The X-Originating-IP header *could* be used in filtering decisions, particularly by older systems.
  • Reputation Improvement (Shared IPs): In shared IP environments, the header *could* potentially improve sender reputation.
  • Privacy Consideration: Removing the header offers a slight reduction in disclosed information.

Key considerations

  • Modern vs. Legacy Systems: Consider whether recipients are likely to be using older systems that might rely on this header for filtering.
  • Shared IP Reputation: Assess whether you are sending from a shared IP where providing this information could be beneficial.
  • Privacy Trade-off: Balance the potential (slight) privacy gain against any potential (small) negative impact on deliverability.
  • Received Headers vs. X-Originating-IP: Understand the distinction between standard 'Received' headers (which are generally best left intact) and the non-standard X-Originating-IP header.
Expert view

Expert from Email Geeks explains that the X-originating-IP header, when trusted, is used in filtering decisions and can improve reputation from mail coming out of a shared IP. Depending on the implementation, it may be showing corporate or employee IPs.

February 2023 - Email Geeks
Expert view

Expert from Email Geeks, Laura Atkins, agrees with Ken O'Driscoll, stating there's no harm in removing the X-originating-IP header.

January 2024 - Email Geeks
Expert view

Expert from Spam Resource explains that while removing the X-Originating-IP header might offer a slight reduction in disclosed information, it is unlikely to significantly affect deliverability. Modern spam filters focus on other factors.

August 2021 - Spam Resource
Expert view

Expert from Word to the Wise shares that email deliverability depends on many factors, and while removing the X-Originating-IP header can provide a marginal privacy improvement, it will not likely have an impact on deliverability. Senders should focus on their IP reputation and sender authentication practices.

August 2023 - Word to the Wise
Expert view

Expert from Email Geeks shares that it is generally frowned upon to remove received headers.

December 2023 - Email Geeks

What the documentation says
4 technical articles

Technical documentation consistently indicates that the X-Originating-IP header has little to no impact on email deliverability. Modern email systems like Exchange Online Protection (EOP) prioritize authentication protocols (SPF, DKIM, DMARC) and sender reputation. Furthermore, the X-Originating-IP header is not a standardized header according to RFC standards, and its removal does not violate email protocols. DKIM validation is also unaffected by the presence or absence of this header. Email headers, in general, have a small impact on deliverability.

Key findings

  • Minimal Impact on Deliverability: X-Originating-IP header's presence or absence has little impact on email deliverability.
  • Focus on Authentication: Modern email systems prioritize authentication protocols (SPF, DKIM, DMARC) and sender reputation.
  • Not a Standard Header: X-Originating-IP is not a standardized email header.
  • DKIM Unaffected: The presence or absence of the X-Originating-IP header does not affect DKIM validation.

Key considerations

  • Authentication Focus: Ensure proper implementation and maintenance of SPF, DKIM, and DMARC for optimal deliverability.
  • Header Prioritization: Prioritize proper setup of required headers instead of non-standard ones for deliverability.
  • RFC Compliance: Understand which headers are required for email protocol compliance and which are optional.
  • Overall Header Impact: Recognize that email headers, in general, have a small impact on deliverability.
Technical article

Documentation from RFC Editor specifies that while trace headers like Received fields are essential for diagnosing delivery issues, custom headers such as X-Originating-IP are not standardized. Their removal does not violate email protocol standards, and their utility is dependent on specific implementations.

January 2024 - RFC 6854
Technical article

Documentation from DKIM.org details how DKIM (DomainKeys Identified Mail) focuses on verifying the sender's domain and message integrity. The presence or absence of the X-Originating-IP header does not affect DKIM validation and, therefore, has no direct impact on deliverability for DKIM-authenticated emails.

August 2022 - DKIM.org
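
The distinction drawn above between the non-standard X-Originating-IP header and 'Received' trace headers, together with the DKIM point, shown as an added example (not code from any of the cited sources). It strips X-Originating-IP, leaves every Received header in place, and refuses to strip when a DKIM-Signature `h=` tag already lists the header, since removing a signed header after signing changes the signed data. The sample message, addresses and the helper names `make_sample`, `signed_headers` and `strip_originating_ip` are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

TARGET = "X-Originating-IP"

def make_sample(signed_fields):
    """Constructed message: documentation-range IPs, placeholder bh=/b= values."""
    return (
        "Received: from mx.example.net (mx.example.net [203.0.113.10])\n"
        "Received: from webmail.example.com (webmail.example.com [10.0.0.5])\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; "
        f"h={signed_fields}; bh=PLACEHOLDER; b=PLACEHOLDER\n"
        "X-Originating-IP: [198.51.100.23]\n"
        "From: alice@example.com\n"
        "To: bob@example.org\n"
        "Subject: test\n"
        "\n"
        "body\n"
    )

def signed_headers(msg):
    """Lower-cased header names covered by any DKIM-Signature h= tag."""
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            name, _, value = tag.partition("=")
            if name.strip() == "h":
                covered.update(h.strip().lower() for h in value.split(":") if h.strip())
    return covered

def strip_originating_ip(raw):
    """Return (message, values found, blocked).

    blocked is True when the header is present and already covered by a DKIM
    signature; in that case the message is left unchanged, because the strip
    has to happen before signing.
    """
    msg = message_from_string(raw, policy=default)
    found = [str(v) for v in msg.get_all(TARGET, [])]
    blocked = bool(found) and TARGET.lower() in signed_headers(msg)
    if found and not blocked:
        del msg[TARGET]  # removes every occurrence, case-insensitively
    return msg, found, blocked

if __name__ == "__main__":
    for fields in ("from:to:subject:date", "from:to:subject:x-originating-ip"):
        msg, found, blocked = strip_originating_ip(make_sample(fields))
        print(fields, "| found:", found, "| blocked:", blocked,
              "| Received kept:", len(msg.get_all("Received", [])))
```
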
Technical article

Documentation from SANS Institute details how headers in general have a small impact on email deliverability. It's a good practice, but it does not have a significant impact. X-originating-IP in particular is of little impact.

August 2023 - SANS.org
Technical article

Documentation from Microsoft Docs details that Exchange Online Protection (EOP) primarily focuses on authentication protocols (SPF, DKIM, DMARC) and sender reputation based on various signals rather than relying on IP address information in headers like X-Originating-IP for filtering decisions. Therefore, its removal is unlikely to impact deliverability negatively.

September 2021 - Microsoft Docs