Need clarification around source IP in O365 email headers

Copper Contributor

I want to understand how O365 shows the source IP and originating country in its email headers. I see two similar headers in the email source - X-MS-Exchange-Organization-OriginalClientIPAddress and X-MS-Exchange-Organization-ConnectingIP. Both contain the same values. What is the difference between them and why is Microsoft sharing the same information in both places ?


For originating country, O365 is showing this header - X-MS-Exchange-Organization-Originating-Country. Which of the above two IPs is it referring to while showing the originating country - is it the OriginalClientIPAddress or ConnectingIP ? There is also CTRY inside X-Forefront-Antispam-Report, is it the same data that is spread across multiple headers ?


A follow-up question - How do I find the reverse DNS of the source IP ? Can I use the header X-MS-Exchange-Organization-PtrDomains ? Or PTR: inside X-Forefront-Antispam-Report ?




3 Replies


X-MS-Exchange-Organization-OriginalClientIPAddress is for identifying and tracking the origin of a message,
and X-MS-Exchange-Organization-ConnectingIP is for indicating the IP address used while the message is traveling between servers.

Thanks for your swift response.
Could you explain when can they be different ? From what I see, it's the same IP in both the headers in all cases.

Also could you help on my other two questions on the Originating country and reverse DNS lookup ?
Although their intended purpose requires the two headers to contain different information, in certain Exchange configurations these settings can be configured to return the same IP address.

For example, if your mail server is configured through a firewall, proxy server, or load balancer, the IP address of the incoming connections to the mail server and the mail delivery connection may be the same.

you can use the following command in a command prompt.
nslookup -type=PTR <IP address>