Email Header Analysis: How to Trace the Source of Suspicious Emails

Learn how to read email headers to identify the true sender, detect spoofed emails, and determine if a message is legitimate.

What Email Headers Contain

Every email you receive carries a set of headers that record the message's journey from sender to your inbox. While most email clients hide these headers by default, they contain valuable information for verifying whether an email is legitimate or fraudulent.

Email headers are like a postmark on a physical letter, but far more detailed. They record each server the message passed through, the timestamps at each hop, the sender's claimed identity, authentication results, and technical details about how the message was processed. Understanding how to read these headers gives you a powerful tool for identifying phishing attempts, spoofed senders, and suspicious messages.

Headers are added by each mail server that handles the message, with each server prepending its information at the top. This means the most recent headers appear first, and the original sending information appears at the bottom of the header block.

How to View Email Headers

Gmail

Open the email, click the three-dot menu icon in the upper right corner of the message, and select "Show original." Gmail displays the full headers along with a summary showing SPF, DKIM, and DMARC authentication results.

Outlook (Web)

Open the email, click the three-dot menu, and select "View message details" or "View message source." The full headers appear in a new window.

Apple Mail

Open the email, go to the View menu, and select "Message, All Headers." Alternatively, use the keyboard shortcut Command+Shift+H.

Thunderbird

Open the email, go to the View menu, select Headers, and then All. For the raw source including headers, use View, then Message Source.

Reading the Key Header Fields

The From and Return-Path Fields

The "From" field shows the sender's display name and email address as they appear in your inbox. However, this field is trivially easy to forge: an attacker can set it to any address they choose. The "Return-Path" (also called the "Envelope-From") indicates where bounced messages should go; it is recorded by the receiving server from the sender address given in the SMTP envelope when the sending server connects, not from anything inside the message. Compare these two fields: if they show different domains, the message warrants additional scrutiny.

Received Headers

Received headers are the most important fields for tracing an email's origin. Each mail server that processes the message adds a Received header recording its own identity, the server it received the message from, and a timestamp. Reading Received headers from bottom to top shows you the message's path from origin to your inbox.

The bottommost Received header shows the originating server. Check whether this server's domain matches the claimed sender. If an email claims to be from your bank but the originating server is in an unexpected country or belongs to an unrelated domain, the message is likely fraudulent.

Authentication Results

Modern email systems include authentication headers that verify the sender's identity through three complementary mechanisms.

SPF (Sender Policy Framework) checks whether the sending server is authorized to send email for the claimed domain. An SPF pass means the sending server is listed in the domain's DNS records as an authorized sender. An SPF fail suggests the message was sent from an unauthorized server.

DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that the message content was not altered in transit and that it originated from the claimed domain. A DKIM pass means the message's digital signature matches the domain's published public key. A DKIM fail indicates either tampering or a forged sender.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by defining what should happen when authentication fails. A DMARC pass means both SPF and DKIM passed and align with the From domain.

When all three show "pass," the email has strong authentication. When any show "fail," treat the message with heightened suspicion.

Identifying Spoofed Emails

Email spoofing occurs when an attacker forges the From address to impersonate a trusted sender. Here is a systematic approach to identifying spoofed emails using header analysis.

First, check the authentication results. If SPF, DKIM, or DMARC show "fail," the message likely did not originate from the claimed sender. Legitimate organizations configure these authentication mechanisms properly.

Second, examine the Received headers from bottom to top. The originating server should belong to or be associated with the sender's domain. An email claiming to be from microsoft.com but originating from a server named mail.random-server-xyz.com is suspicious.

Third, look for inconsistencies in timestamps. The Received headers should show a logical progression of times from origin to delivery. Large time gaps or timestamps that do not follow chronological order can indicate message manipulation.

Fourth, check the Message-ID header. Legitimate emails have Message-IDs that match the sender's domain (for example, a message from Google will have a Message-ID ending in @google.com). A mismatched Message-ID is a red flag.
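The From/Return-Path comparison, the bottom-to-top walk of the Received headers, the authentication results, and the four-step spoofing check above can all be run from one short script. The following is an added example written for this page, not code from the original article, and it uses only Python's standard library. Both messages are constructed: bank.example, random-server-xyz.example, the host names, the reserved IP addresses, and the Authentication-Results line that a receiving server would have added are all made up for the illustration. Two caveats are built in. First, RFC 7489 treats DMARC as passing when either SPF or DKIM passes with a domain aligned to the From domain, so the script computes that verdict itself alongside the server-reported dmarc= result. Second, Received headers below the one written by your own provider's server were supplied by whoever handed the message on and can themselves be forged, which is why authentication results from a server you trust carry more weight than the bottommost hop. The alignment helper accepts subdomains, since legitimate mail servers often stamp a host name such as mx1.bank.example into Received lines and Message-IDs.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: claims to come from bank.example but was injected by an
# unrelated server. Hosts, IPs and the Authentication-Results line are made up.
SPOOFED = """Return-Path: <bounce@random-server-xyz.example>
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.9])
    by inbox.example.org with ESMTPS id abc123;
    Mon, 3 Jun 2024 09:15:02 +0000
Authentication-Results: mx.example-isp.net;
    spf=fail smtp.mailfrom=random-server-xyz.example;
    dkim=none;
    dmarc=fail header.from=bank.example
Received: from mail.random-server-xyz.example (mail.random-server-xyz.example [203.0.113.7])
    by mx.example-isp.net with ESMTP id def456;
    Mon, 3 Jun 2024 09:15:00 +0000
From: "Bank Security" <alerts@bank.example>
Message-ID: <20240603091459.1234@random-server-xyz.example>
"""

# Constructed sample: the same sender, delivered through its own mail server.
LEGIT = """Return-Path: <alerts@bank.example>
Received: from mx1.bank.example (mx1.bank.example [192.0.2.10])
    by inbox.example.org with ESMTPS id ghi789;
    Mon, 3 Jun 2024 10:00:01 +0000
Authentication-Results: inbox.example.org;
    spf=pass smtp.mailfrom=bank.example;
    dkim=pass header.d=bank.example;
    dmarc=pass header.from=bank.example
From: "Bank" <alerts@bank.example>
Message-ID: <stmt-20240603@mx1.bank.example>
"""

def unfold(value):
    """Collapse a folded (multi-line) header value onto one line."""
    return re.sub(r"\s+", " ", str(value)).strip()

def domain_of(value):
    """Lowercase domain of an address header ('"Bank" <a@bank.example>') or a bare domain."""
    value = (value or "").strip()
    addr = parseaddr(value)[1] if "@" in value else value
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def aligned(domain, from_domain):
    """Relaxed alignment: same domain or a subdomain (public-suffix lookup omitted)."""
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def parse_received(value):
    """Split one Received header into its 'from' host, 'by' host and timestamp."""
    text = unfold(value)
    hop = {k: (m.group(1).lower() if (m := re.search(rf"\b{k}\s+(\S+)", text)) else "")
           for k in ("from", "by")}
    # The timestamp always follows the last semicolon (RFC 5322, section 3.6.7).
    hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
    return hop

def parse_auth_results(value):
    """spf/dkim/dmarc verdicts plus the SPF and DKIM identifier domains."""
    text = unfold(value)
    out = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}
    for key, pat in (("spf_domain", r"smtp\.mailfrom=([^;\s]+)"),
                     ("dkim_domain", r"header\.d=([^;\s]+)")):
        m = re.search(pat, text)
        out[key] = domain_of(m.group(1)) if m else ""
    return out

def analyze(raw):
    """Apply the article's checks to a raw message; returns evidence plus findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    findings = []
    # Step 1: authentication results as reported by the receiving server.
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(header))
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if failed:
        findings.append("not passed: " + ", ".join(f"{m}={auth.get(m, 'missing')}" for m in failed))
    # Local DMARC verdict: RFC 7489 passes when EITHER aligned mechanism passes.
    spf_ok = auth.get("spf") == "pass" and aligned(auth.get("spf_domain", ""), from_dom)
    dkim_ok = auth.get("dkim") == "pass" and aligned(auth.get("dkim_domain", ""), from_dom)
    local_dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    # Envelope sender (Return-Path) versus the visible From domain.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # Steps 2 and 3: walk Received headers bottom (origin) to top (your inbox).
    hops = [parse_received(r) for r in reversed(msg.get_all("Received", []))]
    if hops and hops[0]["from"] and not aligned(hops[0]["from"], from_dom):
        findings.append(f"originating server {hops[0]['from']} is not under {from_dom}")
    times = [h["time"] for h in hops if h["time"] is not None]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps are not in chronological order")
    # Step 4: the Message-ID domain should belong to the sender.
    mid_dom = domain_of(msg.get("Message-ID"))
    if mid_dom and not aligned(mid_dom, from_dom):
        findings.append(f"Message-ID domain {mid_dom} does not match From domain {from_dom}")
    return {"from_domain": from_dom, "auth": auth, "local_dmarc": local_dmarc,
            "hops": hops, "findings": findings}
```

Calling analyze(SPOOFED) returns four findings (failed authentication, a Return-Path in a different domain, an originating server outside bank.example, and a mismatched Message-ID), while analyze(LEGIT) returns none and a local DMARC verdict of pass. To run it against a real message, paste the "Show original" or "Message Source" text from your mail client into the raw argument; the hops list is already ordered from origin to inbox, so hops[0] is the bottommost Received header the article tells you to inspect first.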

Practical Tips for Email Safety

Header analysis is a valuable investigative tool, but you do not need to analyze every email you receive. Reserve header analysis for messages that trigger suspicion: unexpected requests for sensitive information, messages creating urgency, emails with unexpected attachments, or communications that seem slightly off.

For everyday email safety, focus on these habits. Verify the sender's actual email address rather than trusting only the display name. Be skeptical of links in emails and hover over them to preview the URL before clicking. Never provide passwords, financial information, or personal data in response to an email request. When in doubt, contact the supposed sender through a known, independent channel (not by replying to the suspicious email).

If you identify a phishing email through header analysis, report it to the impersonated organization and to your email provider. Most email clients provide a "Report phishing" option that helps train spam filters and protects other users.

For those who frequently need to analyze email authenticity, combine header analysis with other security practices. Use a password generator to protect your email account with a strong password, enable multi-factor authentication, and use our text encryption tools when sending sensitive content through email.

Understanding email headers transforms you from a passive email recipient into someone who can verify the authenticity of any message. This skill is particularly valuable for anyone who handles sensitive information, manages financial transactions, or is targeted by phishing campaigns.

Written by Raimundo Coelho

Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.