// What are Email Headers?
Email headers are metadata prepended to every email. They contain the complete delivery path, sender information, authentication results, timestamps, and technical details about the message. The email client hides them by default � but for security analysis, they are essential.
Headers are added at each hop as the email travels from the sender's mail client ? sender's mail server ? intermediate relays ? recipient's mail server ? recipient's inbox. Each server prepends its own Received: header, building a chain from destination back to origin.
How to view headers
| Client | How to access headers |
|---|---|
| Outlook (desktop) | File ? Properties ? Internet headers |
| Outlook (web) | More actions (�) ? View message source |
| Gmail | Three dots menu ? Show original |
| Apple Mail | View ? Message ? All Headers |
| Thunderbird | View ? Message Source (Ctrl+U) |
// The Received Chain
The most important part of the header for tracing email origin. Each mail server adds a Received: header at the top as the message passes through. Because each new header is prepended, the chain reads bottom to top � the bottom entry is where the email originated, the top entry is where it was delivered.
Received headers can be forged � but only up to the first server your organisation controls. The topmost Received: header added by your own mail gateway is trustworthy; everything below it could have been injected by the sender.
Anatomy of a Received header
Received: from mail.evil.com (mail.evil.com [185.220.101.42])
by mx.victim.org (Postfix) with ESMTP id A3F2B1C4D5
for <user@victim.org>; Mon, 15 Jan 2024 09:32:11 +0000 (UTC)| Part | Meaning |
|---|---|
from mail.evil.com | Hostname the sending server announced (HELO/EHLO) � can be faked |
(mail.evil.com [185.220.101.42]) | Reverse DNS lookup of the connecting IP � more reliable than the announced name |
[185.220.101.42] | The actual connecting IP � this is what to check against threat intel |
by mx.victim.org | The receiving server � in this case, your organisation's MX server |
| Timestamp | When this hop occurred � compare across hops to identify unusual delays |
// Key Header Fields
| Header | What it contains | Notes |
|---|---|---|
From: | Display name and address the sender chose � what the user sees in their email client | Easily faked � this is the primary spoofing vector |
Reply-To: | Address replies will be sent to if different from From | Phishers use this to redirect replies to attacker-controlled inbox |
Return-Path: | Address for bounce messages (envelope sender) | Should match the From domain in legitimate email; mismatch = spoofing signal |
Envelope-From (MAIL FROM) | The sender address declared in the SMTP envelope � not a message header itself, but visible as Return-Path: in delivered mail | What SPF validates against � can differ from the From: header |
Message-ID: | Unique identifier for the message, assigned by the sending server | Format is <random@sending-domain> � domain should match sender |
X-Originating-IP: | IP address of the user who submitted the email to the mail server | Added by some providers (Outlook, Yahoo) � reveals sender's real IP |
X-Mailer: | Email client or library used to send the message | Phishing tools and malware often leave identifiable strings here |
MIME-Version: | MIME protocol version � always 1.0 | Check Content-Type for attachments and multipart structures |
Date: | Timestamp the sender's client set | Compare against Received timestamps � large discrepancies are suspicious |
// SPF � Sender Policy Framework
SPF is a DNS TXT record that lists the IP addresses and mail servers authorised to send email on behalf of a domain. When a receiving server gets an email, it checks whether the sending IP is listed in the sender domain's SPF record.
SPF record example
v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.10 -all| Mechanism | Meaning |
|---|---|
v=spf1 | SPF version � always starts with this |
include:_spf.google.com | Authorise all IPs listed in Google's SPF record (for G Suite users) |
ip4:203.0.113.10 | Explicitly authorise this specific IP |
-all | Hard fail � any IP not listed should be rejected. ~all = soft fail (mark as spam), ?all = neutral |
SPF results
| Result | Meaning |
|---|---|
pass | Sending IP is authorised � legitimate |
fail | Sending IP is explicitly not authorised � spoofing likely |
softfail | Not authorised but domain policy says to accept and mark |
neutral | Domain makes no assertion � treat as unauthenticated |
none | No SPF record found for the domain |
temperror | DNS lookup failed temporarily � retry |
permerror | SPF record is malformed |
// DKIM � DomainKeys Identified Mail
DKIM adds a cryptographic signature to outgoing emails. The sending server signs the email headers and body with a private key. The public key is published in DNS, and receiving servers use it to verify the signature � proving the email was sent by a server with access to the domain's private key and hasn't been modified in transit.
DKIM-Signature header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=selector1;
h=from:to:subject:date:message-id;
bh=2jUSOH9NhtIezdxbLPkV5MrHqkRs8/4+MNaJ2SY6TdU=;
b=AuUoFEfDxTDkHlLXSZEpZj79LICEpsvy98LdGvqD...| Tag | Meaning |
|---|---|
d=example.com | The signing domain � should match or align with the From: domain |
s=selector1 | Selector � identifies which public key in DNS to use (selector1._domainkey.example.com) |
h=from:to:subject... | Headers that were signed � if these are modified in transit, verification fails |
bh=... | Hash of the email body � body tampering detected here |
b=... | The actual cryptographic signature |
DKIM pass means the email was signed by the stated domain and hasn't been modified. However, it does not mean the From: address is legitimate � an attacker can register evil.com, set up DKIM for it, and send spoofed-looking emails that pass DKIM. This is where DMARC comes in.
// DMARC � Domain-based Message Authentication
DMARC ties SPF and DKIM together and adds a policy telling receiving servers what to do if checks fail. It requires alignment � the domain in the From: header must align with the domain used in SPF and/or DKIM. This closes the gap where SPF and DKIM could pass even for spoofed From: addresses.
DMARC record example
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-fail@example.com; pct=100; adkim=s; aspf=s| Tag | Meaning |
|---|---|
p=reject | Policy: what to do when DMARC fails. none = monitor only, quarantine = junk folder, reject = block |
rua=mailto:... | Where to send aggregate reports (daily summary of pass/fail stats) |
ruf=mailto:... | Where to send forensic reports (per-email failure reports) |
pct=100 | Percentage of failing mail to apply the policy to � 100% means all |
adkim=s | DKIM alignment mode: s=strict (exact domain match), r=relaxed (subdomain allowed) |
aspf=s | SPF alignment mode: same options as adkim |
// Authentication-Results Header
The receiving mail server writes the results of SPF, DKIM, and DMARC checks into an Authentication-Results: header. This is the quickest way to see the authentication verdict at a glance.
Authentication-Results: mx.victim.org;
dkim=pass header.i=@example.com header.s=selector1;
spf=pass (mx.victim.org: domain of sender@example.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=sender@example.com;
dmarc=pass action=none header.from=example.comAuthentication-Results: mx.victim.org;
dkim=none;
spf=fail (mx.victim.org: domain of noreply@paypal.com does not designate 185.220.101.42 as permitted sender) smtp.mailfrom=noreply@paypal.com;
dmarc=fail action=reject header.from=paypal.comThe Authentication-Results: header added by your own mail server is trustworthy. However, a malicious sender can include a fake Authentication-Results: header in the email body. Only trust the one added by the first receiving server you control (the topmost one).
// Identifying Spoofing & Phishing
Once you can read headers, here is what to look for when investigating a suspicious email.
| Red flag | What to check |
|---|---|
| SPF / DKIM / DMARC fail | Authentication-Results � any fail is suspicious, especially for well-known brands |
| From / Return-Path mismatch | From: shows paypal.com but Return-Path: shows random-domain.ru |
| Message-ID domain mismatch | From: shows paypal.com but Message-ID shows @amazon-support.biz |
| Received IP reputation | Extract the sending IP from Received headers and check on AbuseIPDB, VirusTotal, Shodan |
| Unusual X-Originating-IP | If present, this is the sender's actual IP � check its location and reputation |
| Domain lookalike | paypa1.com, pay-pal.com, microsoft-support.net � compare carefully against the real domain |
| Recently registered domain | Check WHOIS for registration date � phishing domains are often days or weeks old |
| Excessive hops | Legitimate email rarely passes through more than 4-5 hops � a long Received chain may indicate relaying through compromised servers |
| Time zone anomalies | Date header in one timezone, Received timestamps in another � may indicate header manipulation |
// Extracting IOCs
From a suspicious email, these are the IOCs to extract for further investigation and threat intel lookups.
IP Addresses
Sending IPs from Received headers, X-Originating-IP. Check: AbuseIPDB, VirusTotal, Shodan, Talos Intelligence.
Domains
From domain, Return-Path domain, Message-ID domain, links in the body. Check: VirusTotal, URLscan.io, WHOIS, MXToolbox.
URLs
Links in the email body � do not click directly. Check: URLscan.io, VirusTotal URL, Any.run (sandbox). Use URL defanging: hxxp://evil[.]com
Attachments
Hash the file (MD5, SHA256) and submit to VirusTotal or Any.run. Never open directly � use a sandbox.
Defang your IOCs. When sharing or documenting IOCs, defang URLs and IPs to prevent accidental clicks: replace http with hxxp, wrap dots in brackets (evil[.]com), and replace @ in email addresses with [@]. This is standard practice in SOC reporting.
// Analysis Tools
| Tool | Use case |
|---|---|
| Google Admin Toolbox � Message Header Analyser | Paste raw headers for a visual, parsed breakdown of the Received chain and authentication results |
| MXToolbox Header Analyser | Parses headers and highlights delays, flags SPF/DKIM/DMARC issues, shows hop-by-hop timing |
| MXToolbox SPF / DKIM checker | Look up and validate the SPF / DKIM DNS records for any domain |
| AbuseIPDB | Check sending IPs against a crowdsourced database of reported malicious addresses |
| VirusTotal | Check IPs, domains, URLs, and file hashes against 70+ security vendor databases |
| URLscan.io | Submit URLs for sandboxed rendering � shows what the page looks like and any redirects/scripts |
| Cisco Talos Intelligence | IP and domain reputation, email sender reputation, threat intelligence context |
| PhishTool | Automated email header parsing, attachment analysis, and IOC extraction purpose-built for phishing triage |