
Email headers are the forensic backbone of any phishing investigation. They record every mail server a message passed through, the authentication results at each hop, and metadata that is far harder to forge convincingly than the visible From line, at least for the hops added by servers you trust. Reading them is a fundamental skill for any security analyst.
Every email has two parts: the body (what you see) and the headers (the metadata). Headers are generated automatically by mail servers as the message travels from sender to recipient. They are not visible by default in most email clients, but they can be accessed through a "View Source" or "Show Original" option.
A typical email header contains the fields covered below: the Received chain, From, Return-Path and Reply-To, Authentication-Results, DKIM-Signature, Message-ID and, sometimes, X-Originating-IP.

To view the full headers of a message:

| Email Client | Method |
|---|---|
| Gmail | Open email → three-dot menu → "Show original" |
| Outlook (web) | Open email → three-dot menu → "View message source" |
| Outlook (desktop) | Open email → File → Properties → Internet headers |
| Apple Mail | View → Message → All Headers |
| Thunderbird | View → Headers → All |
The Received headers tell you the journey of the email. Each mail server that handled the message adds a Received header at the top, so the oldest entry is at the bottom and the most recent is at the top.
```
Received: from mail.example.com (mail.example.com [203.0.113.1])
        by mx.google.com with ESMTPS id ...
        for <[email protected]>;
        Mon, 1 Apr 2026 10:23:45 +1100
Received: from [192.168.1.100] (unknown [203.0.113.1])
        by mail.example.com with SMTP id ...
        Mon, 1 Apr 2026 10:23:40 +1100
```
What to look for: read the chain bottom-up and check that each hop's "from" host and IP make sense for the claimed sender (a PayPal notification should not originate from a consumer ISP or an unrelated hosting provider), that the reverse-DNS name in parentheses matches the HELO name rather than reading "unknown", and that timestamps increase from hop to hop. Only the Received lines added by servers you operate or trust (the top of the chain) are reliable: a sender can include arbitrary Received lines in the message, and they will appear below the genuine ones, so start your analysis from the hop your own mail server recorded and work downwards with decreasing confidence.
Three fields control where responses go, and attackers frequently manipulate them:
| Field | Purpose | Phishing Red Flag |
|---|---|---|
| From | Displayed sender address | Spoofed to look legitimate |
| Return-Path | Bounce address (the envelope sender, which is what SPF checks) | Different domain from From |
| Reply-To | Where replies are sent | Attacker's own email address |
A legitimate email from PayPal will normally have all three in paypal.com or a subdomain of it (large senders often use a dedicated bounce subdomain for Return-Path, so a subdomain on its own is not a red flag). A phishing email may show a From address at paypal.com but carry a Reply-To at an unrelated, attacker-controlled domain, so that any response goes to the attacker while the visible sender still looks genuine.
The Authentication-Results header shows the verdicts from three email authentication mechanisms:
SPF verifies that the sending mail server is authorised to send email on behalf of the domain in the envelope sender (the Return-Path / MAIL FROM address), which is not necessarily the domain in the visible From header.
```
Received-SPF: pass (google.com: domain of [email protected] designates 66.211.168.0 as permitted sender)
```
A fail result means the sending server is not listed in the domain's SPF record, a strong indicator of spoofing. Two caveats: legitimate forwarding also breaks SPF, because the forwarding server is not in the original domain's record, and an SPF pass for a domain the attacker controls says nothing about the From header, which is why alignment (checked by DMARC) matters.
DKIM uses a cryptographic signature, verified against a public key published in DNS under the selector (s=) of the signing domain (d=), to verify that the signed parts of the email were not modified in transit and that the signing domain authorised it.
```
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-epsilon1; ...
```
A fail result means the signature did not verify: the signed content was modified or the signature was forged. Mailing lists that rewrite subjects or append footers break DKIM legitimately, so read the result together with DMARC. Also check that d= matches the From domain; a valid signature from an unrelated domain proves nothing about the displayed sender.
DMARC ties SPF and DKIM together: it passes when at least one of them passes for a domain aligned with the visible From header, and the domain's published policy (p=) tells receiving servers what to do when it fails.
```
Authentication-Results: mx.google.com;
       dkim=pass [email protected];
       spf=pass smtp.mailfrom=paypal.com;
       dmarc=pass (p=REJECT) header.from=paypal.com
```
If DMARC shows fail with p=REJECT or p=QUARANTINE, the email should have been blocked or quarantined by the receiving server, so its presence in your inbox is suspicious: either the receiver does not enforce DMARC or an allow-list or forwarding rule overrode the verdict. Also confirm that header.from is the domain you actually see in the From line; the verdicts only speak for that domain.
The X-Originating-IP or X-Sender-IP header (if present) reveals the IP address of the original sender's device, typically recorded by a webmail or submission server. Look it up with WHOIS, reverse DNS and an IP-reputation source, but treat it as a lead rather than proof: these X- headers are non-standard and the sender can set or strip them.
The Message-ID should be of the form <unique-string@domain>, where the domain is normally that of the mail server or service that generated the message. If the domain in the Message-ID does not match the claimed sender's domain (or a subdomain of it), this is a red flag, though a soft one: the sender's software sets the Message-ID, so an attacker can write anything there, and some legitimate mailing services stamp their own domain.
```
Message-ID: <[email protected]> → Gmail sending server
Message-ID: <[email protected]> → PayPal sending server
```
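To put the From/Return-Path/Reply-To comparison, the Authentication-Results verdicts and the Message-ID domain check into one triage step, here is an added Python example that is not code from the original article. It assumes the Authentication-Results layout shown above (dkim=/spf=/dmarc= verdicts, header.from=, header.i=, smtp.mailfrom= and a p= policy in parentheses), substitutes a simple subdomain test for DMARC's organisational-domain rule, and runs on two constructed sample messages that use reserved example domains.

```python
"""Triage sender-identity and authentication headers of a raw message.
Added example, not code from the original article. Both samples are
constructed and use reserved names (paypal.example, example.net, ...)."""
import re
from email import message_from_string
from email.utils import parseaddr

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
PROP_RE = re.compile(r"\b(header\.from|header\.i|header\.d|smtp\.mailfrom)=@?([^\s;]+)", re.IGNORECASE)
POLICY_RE = re.compile(r"\bp=(\w+)", re.IGNORECASE)

# Constructed sample: what a genuine notification from the brand looks like.
LEGIT_SAMPLE = """\
Return-Path: <bounce@paypal.example>
Authentication-Results: mx.example.net;
 dkim=pass header.i=@paypal.example header.s=sel1;
 spf=pass smtp.mailfrom=paypal.example;
 dmarc=pass (p=REJECT) header.from=paypal.example
From: "PayPal" <service@paypal.example>
To: victim@example.net
Message-ID: <20260401102345.1234@mail.paypal.example>
Subject: constructed legitimate sample

body
"""

# Constructed sample: spoofed From, attacker Reply-To, SPF passing only for
# the attacker's bulk-mail domain, DMARC failing against a p=REJECT policy.
PHISH_SAMPLE = """\
Return-Path: <bounce@mailer.example.org>
Authentication-Results: mx.example.net;
 dkim=none;
 spf=pass smtp.mailfrom=mailer.example.org;
 dmarc=fail (p=REJECT) header.from=paypal.example
From: "PayPal" <service@paypal.example>
Reply-To: <recovery@attacker.example>
To: victim@example.net
Message-ID: <a1b2c3@mailer.example.org>
Subject: constructed phishing sample

body
"""


def unfold(value):
    """Join folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()


def domain_of(header_value):
    """Lower-cased domain of 'Name <user@host>', '<id@host>' or 'user@host'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def aligned(domain, from_domain):
    """Same domain or one a subdomain of the other. Simplification of DMARC's
    organisational-domain rule, which needs a public-suffix list."""
    return domain == from_domain or domain.endswith("." + from_domain) or from_domain.endswith("." + domain)


def parse_authentication_results(value):
    """Extract mechanism verdicts, the domains they were evaluated for, and p=."""
    text = unfold(value)
    results = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(text)}
    props = {k.lower(): v.rpartition("@")[2].lower() for k, v in PROP_RE.findall(text)}
    policy = POLICY_RE.search(text)
    return {"results": results, "props": props, "policy": policy.group(1).lower() if policy else None}


def triage(raw_message):
    """Return the sender domains, parsed auth results and a list of red flags."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    domains = {
        "Reply-To": domain_of(msg.get("Reply-To")),
        "Return-Path": domain_of(msg.get("Return-Path")),
        "Message-ID": domain_of(msg.get("Message-ID")),
    }
    auth = parse_authentication_results(msg.get("Authentication-Results"))
    flags = []
    for name, dom in domains.items():
        if dom and not aligned(dom, from_dom):
            flags.append(f"{name} domain {dom} differs from From domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth["results"].get(mech)
        if verdict is None:
            flags.append(f"no {mech} result recorded")
        elif verdict != "pass":
            flags.append(f"{mech}={verdict}")
    # A DKIM pass only vouches for the displayed sender if d=/i= aligns with From.
    dkim_dom = auth["props"].get("header.i") or auth["props"].get("header.d")
    if dkim_dom and not aligned(dkim_dom, from_dom):
        flags.append(f"DKIM signing domain {dkim_dom} not aligned with From")
    # A message that failed DMARC under reject/quarantine should not be in the inbox.
    if auth["results"].get("dmarc") == "fail" and auth["policy"] in ("reject", "quarantine"):
        flags.append(f"dmarc=fail under p={auth['policy']} yet the message was delivered")
    return {"from": from_dom, "reply_to": domains["Reply-To"], "return_path": domains["Return-Path"],
            "message_id": domains["Message-ID"], "auth": auth, "flags": flags}


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE)):
        print(label, triage(sample)["flags"])
```

The phishing sample illustrates the point made under SPF: spf=pass is genuine, because the attacker's own bulk-mail domain is in the envelope sender, yet every alignment check against the visible From fails and the dmarc=fail under p=REJECT shows the receiver did not enforce the policy. Real headers vary in layout, so treat the regular expressions as a starting point rather than a full RFC 8601 parser.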
Manual header analysis is valuable for learning, but for production investigations, use an automated header analyser and keep the manual reading for checking its verdicts against the raw headers.
If you investigate phishing emails regularly, a structured process saves significant time. The Cyber121 Phishing Investigation Toolkit includes a 52-page playbook with a dedicated email header analysis chapter, plus an Excel investigation log with a pre-built IOC tracker for documenting findings.
Published by the Cyber121 team. Cyber121 is a cybersecurity community platform providing free security tools, CVE intelligence, and professional training resources.
The Cyber121 team is a group of cybersecurity practitioners building community tools, training resources, and threat intelligence for security professionals.