Why do email headers contain private IP addresses?

Some emails have a header like "Received: from [172.16.1.2] (some.public.ip.address)". Why is that? Why does the client of a sender behind NAT reveal the private address?


Because that is how SMTP is designed, and how the sending email system has been configured.

There are ways to suppress this information, but the sending mail system needs to be explicitly configured to do this.


Received: from [172.16.1.2] (some.public.ip.address)

As you mentioned in the comments, the private IP in this particular location is because it was sent as the client's hostname in the HELO command.

For proper mail servers, the HELO command should include their fully qualified hostname, which should also match with DNS. For inbound email, many servers actually verify the HELO hostname to make sure it's valid and the DNS matches. For sending email, servers will normally accept anything as long as you are authenticated (you can't expect end users to all have real, valid hostnames configured on their machines).

For SMTP clients like Outlook, they could send your machine name, but that isn't fully qualified and might not be desirable depending on what the machine is called. For example you often see headers like the following:

Received: from DESKTOP9U6J0BC (unknown)

Using the IP address probably provides a bit more privacy as some people may argue seeing 172.1.2.3 in the headers is better than MIKES-MACBOOK or CEO-WORKSTATION.

At the end of the day the client just needs to provide something reasonable in the HELO command, and some clients choose the IP address.

This is slightly different to what other answers have discussed, which are related to actual SMTP servers using private addresses to transport email inside an organisation.
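An added example, not part of the original answers: a Python check that reads the `from` clause of a `Received:` header and classifies the HELO identity discussed above (private address literal, unqualified machine name, or FQDN), so an administrator can see what outgoing mail discloses. The function names are hypothetical; all sample headers are constructed except the `DESKTOP9U6J0BC` line, which is taken from the answer above, and `example.net`, `example.org` and `203.0.113.7` are placeholders.

```python
import ipaddress
import re

# RFC 1918 ranges plus IPv6 unique-local space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# "Received: from <HELO identity> (<what the receiving server observed>)"
FROM_CLAUSE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)

def classify_helo(identity):
    """Classify the name a client announced in HELO/EHLO."""
    if identity.startswith("[") and identity.endswith("]"):
        literal = identity[1:-1]
        if literal.lower().startswith("ipv6:"):   # RFC 5321 IPv6 literal tag
            literal = literal[5:]
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            return "malformed-literal"
        if any(addr in net for net in PRIVATE_NETS):
            return "private-ip-literal"
        return "ip-literal"
    return "fqdn" if "." in identity else "unqualified-hostname"

def audit_received(header):
    """Return (helo_identity, classification, observed), or None if no from-clause."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # undo header folding
    m = FROM_CLAUSE.match(unfolded)
    if not m:
        return None
    return m.group(1), classify_helo(m.group(1)), m.group(2) or ""

def internal_disclosures(headers):
    """Results whose HELO identity exposes internal addressing or machine names."""
    results = (audit_received(h) for h in headers)
    return [r for r in results
            if r and r[1] in ("private-ip-literal", "unqualified-hostname")]

# Sample headers: constructed, except the DESKTOP9U6J0BC line, which is from the page.
SAMPLES = [
    "Received: from [172.16.1.2] (mail.example.net [203.0.113.7])\r\n\tby mx.example.org with ESMTPSA",
    "Received: from DESKTOP9U6J0BC (unknown)",
    "Received: from mail.example.net (mail.example.net [203.0.113.7])",
]

if __name__ == "__main__":
    for identity, kind, observed in internal_disclosures(SAMPLES):
        print(f"{kind:22} HELO={identity} observed={observed}")
```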