WebCheckTools Team May 13, 2026 5 min read

Email Header Analysis: How to Read an Email Header & Trace Its Origin

Learn how to analyze email headers to find the real sender's IP address, detect spoofing, and verify delivery path. A practical guide for security and troubleshooting.

What Are Email Headers?

When you receive an email, your email client displays a friendly “From” name and subject line. But behind the scenes, every message carries full email headers – a detailed log of its route from the sender’s computer to your inbox. These headers include server hops, timestamps, authentication results, and the originating IP address.

Analyzing email headers helps you:

  • Identify the real sender (useful for phishing investigations).
  • Check if the email was spoofed or forged.
  • Troubleshoot delivery delays or spam filtering.
  • Gather evidence for abuse reports.

How to View Full Email Headers (Popular Email Clients)

Gmail (Web)

Open the email, click the three dots menu, then select Show original. A new tab opens with the full headers and the email body in raw format.

Outlook / Hotmail (Web)

Open the email, click the three dots menu, then View, then View message details or View message source.

Apple Mail (Mac/iOS)

Open the email, click View, then Message, then Raw Source. Or use Command + Shift + H.

Microsoft Outlook (Desktop)

Double‑click the email to open it in a new window, then File, then Properties. The headers are in the “Internet headers” box.

Key Fields in an Email Header (What to Look For)

A full email header can be dozens of lines. Focus on the most important fields:

From / To / Subject / Date

These are basic metadata, visible in your inbox. They can be forged easily – don’t trust them alone.

Return‑Path (or Envelope‑From)

The address where bounces should be sent. Often more reliable than the “From” field. Spoofers sometimes neglect to forge this.

Received

The most valuable field for tracing. Each Received line represents a mail server hop, with the earliest at the bottom (closest to the sender). Read from bottom to top to trace the path.

Example Received line:

Received: from mail.example.com (192.0.2.1) by mx.google.com with ESMTPS

This tells you the IP of the sending server.

Authentication‑Results

Shows SPF, DKIM, and DMARC checks performed by the receiving server. Look for:

  • spf=pass – the sending IP is authorized.
  • dkim=pass – the email signature is valid.
  • dmarc=pass – both SPF and DKIM align with the domain.

A failure on these checks does not guarantee the message is spam, but it strongly suggests spoofing.

Message‑ID

A unique identifier for the email. Useful for tracking in server logs.

Reply‑To

Where replies are sent. Phishers often set a different address here.

How to Find the Sender’s IP Address from Headers

The originating IP is usually in the first Received header (the bottommost one before the email left the sender’s network). Look for an IPv4 or IPv6 address inside brackets, often after “from” or “by”.

For example:

Received: from [192.168.1.100] (host-12-34-56-78.dynamic.isp.net [12.34.56.78])
        by mail.server.com with ESMTP

Here, 12.34.56.78 is the likely sender’s public IP.

👉 Once you have the IP address, use our IP Lookup tool to find the geolocation and ISP. This can help confirm whether the sender is where they claim to be.
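To put the Received and Authentication‑Results guidance above into practice, here is an added example (not part of the original article) that parses a constructed header block with Python's standard library: it lists the hops in bottom‑to‑top order, skips LAN addresses to find the originating public IP, and pulls the SPF/DKIM/DMARC verdicts. Every hostname and address in the sample is constructed for illustration.

```python
import email
import ipaddress
import re
# Constructed sample header block (not a real message): two Received hops and
# an Authentication-Results line; the bottom hop shows a LAN address beside
# the ISP relay's public IP, as in the article's example.
RAW_HEADERS = """\
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bank.example;
 dkim=none; dmarc=fail header.from=bank.example
Received: from relay.isp.example (relay.isp.example [203.0.113.9])
 by mx.receiver.example with ESMTPS; Tue, 12 May 2026 09:15:02 +0000
Received: from [192.168.1.100] (host-12-34-56-78.dynamic.isp.net [12.34.56.78])
 by relay.isp.example with ESMTP; Tue, 12 May 2026 09:14:58 +0000
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"IPv6:([0-9a-fA-F:]+)")   # SMTP writes IPv6 as [IPv6:...]
# RFC 1918, loopback and link-local space never identifies the sender publicly.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

def trace_hops(raw):
    """Received hops oldest-first, i.e. the bottom-to-top reading order."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        line = " ".join(hdr.split())                  # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", line)
        dst = re.search(r"\bby\s+(\S+)", line)
        hops.append({"from": src.group(1) if src else None,
                     "by": dst.group(1) if dst else None,
                     "ips": IPV4_RE.findall(line) + IPV6_RE.findall(line)})
    return hops

def originating_ip(raw):
    """First non-LAN address met walking from the oldest hop forward. Only hops
    added by servers you control (top of the chain) are tamper-proof."""
    for hop in trace_hops(raw):
        for ip in hop["ips"]:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue                              # not a valid literal
            if not any(addr in net for net in LAN_NETS):
                return ip
    return None

def auth_results(raw):
    hdr = email.message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(hdr.split())))
```

Feed it the text you copied from "Show original" or "View message source" and compare the hop list against the Return‑Path and From fields before trusting any of them.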

Real‑World Scenarios

Scenario 1: Phishing Email

You receive a message that appears to be from your bank, but you’re suspicious. Check the Return‑Path and Authentication‑Results. If SPF fails and the originating IP belongs to a hosting provider in another country, it’s almost certainly phishing.

Scenario 2: Email Not Delivered (Bounce)

In the bounce message headers, look for the last Received hop before the failure. That may give you the server that rejected the message and its reason (e.g., policy rejection, blacklist).

Scenario 3: Anonymous Threat

Law enforcement or abuse teams can request the originating IP from the receiving service. Preserve the full headers as evidence.

External Resources for Advanced Email Analysis

For automated header parsing and deeper forensic tools, these external sites are excellent:

  • woorldtv.com – offers a free email header analyzer and spam scoring tool.
  • cartpostal.net – provides downloadable email header guides and forensic checklists.

Frequently Asked Questions (FAQ)

Can email headers be forged completely?

Some fields (like From, Subject) are easy to forge. But Received headers are added by each server along the route; they cannot be forged by the sender unless they control the entire chain. The very first Received header is usually the most trustworthy.

Why do I see multiple IPs in Received headers?

Each hop adds a new Received line. The sender’s IP may be a private address (e.g., 192.168.1.x) if they were behind a router, but the next public IP will be their ISP’s relay.

What if there is no IP address in the headers?

Some providers redact IPs for privacy (especially Gmail, Outlook.com). In that case, you may see only server hostnames. You can still trace the domain path.

How accurate is IP geolocation from email headers?

The IP is usually the sender’s ISP’s mail relay, not necessarily their home or office location. But if you see a country far from the claimed location, it’s a red flag.

Is it legal to analyze email headers?

Yes, for emails you legitimately receive. Using header information to harass or stalk someone is illegal. Always respect privacy laws.

Start Investigating Suspicious Emails Today

Next time you receive a suspicious email, don’t just delete it – investigate. View the original headers, find the sender’s IP, and look up its location with our IP Lookup tool. A few minutes of analysis can protect you from scams and help you report offenders.
