Email Header Analysis

When analyzing an email header, the goal is to trace the path the message took, verify its authenticity, and identify signs of spoofing or phishing. Here are the key things to look for:

1. Received Lines (Message Path)

  • What it is: Each mail server that handles the message adds a Received line.
  • What to look for:
  • Sequence: Read from bottom to top — the earliest server listed at the bottom is usually the sender’s mail server.
  • IP Addresses: Check if the IPs are consistent with the supposed sender. Look up unknown IPs (using WHOIS or geolocation services).
  • Time Stamps: Verify if the timestamps make sense and are in chronological order.
  • Suspicious Jumps: A sudden change in domains or IP ranges might suggest spoofing or relaying through suspicious networks.

2. Return-Path

  • What it is: The address that would receive any message bounces (SMTP Envelope From).
  • What to look for:
  • Should typically match or relate to From, Sender, or the legitimate sending domain.
  • If it points to a different/unrelated domain, it may indicate spoofing.

3. From / Reply-To

  • What it is: Displayed to the user as the sender.
  • What to look for:
  • Compare the domain with Return-Path and Received lines.
  • Reply-To addresses that differ from From may be used to trick recipients into replying to attackers.

4. Authentication Results

  • Includes: SPF, DKIM, and DMARC.
  • What to look for:
  • SPF (Sender Policy Framework): Confirms whether the sender’s IP is authorized to send for that domain. Look for “pass”, “fail”, “softfail”, or “none”.
  • DKIM (DomainKeys Identified Mail): Checks if the email’s content was signed by the domain and hasn’t been altered. Look for “pass”.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Enforces sender domain policies. Look for alignment and “pass”.

5. Message-ID

  • What it is: A unique identifier for the email, typically generated by the sender’s mail server.
  • What to look for:
  • Usually includes the sending domain’s name.
  • A missing, malformed, or mismatched Message-ID can signal a fake or auto-generated spam message.

6. MIME-Version / Content-Type

  • What it is: Defines the message format.
  • What to look for:
  • Unusual or malformed MIME declarations might suggest a poorly crafted phishing or malware email.

7. Subject / Date Discrepancies

  • What it is: Metadata defining how the email appears.
  • What to look for:
  • Check if the Date matches the Received timestamps — mismatches can indicate tampering or incorrect timezone settings.
  • Unusual formatting or character sets can also raise red flags.

8. X-Headers (Custom or Proprietary Headers)

  • What it is: Extra headers added by email systems (e.g., X-Originating-IP, X-Mailer).
  • What to look for:
  • X-Originating-IP can reveal the original sender’s IP.
  • Check mail client versions or automated systems (e.g., “X-Mailer: Microsoft Outlook 16.0”).

In practice, you’ll typically:

  1. Start at the bottom Received line to find the original sender.
  2. Verify authentication results (SPF/DKIM/DMARC).
  3. Cross-check From, Return-Path, and Reply-To for consistency.
  4. Use IP lookups to confirm location and legitimacy.
  5. Watch for spoofing signs, forged headers, or relay mismatches.

Authentication & Verification

  • SPF, DKIM, DMARC records – Verify sender legitimacy
  • Authentication-Results – Shows pass/fail status
  • Sender Policy Framework alignment – Does domain match?

Routing Information

  • Received headers – Trace the email’s path (read bottom to top)
  • Timestamps – Look for unusual delays or inconsistencies
  • Mail server IPs – Check against known sender domains
  • Hop count – Too many hops may indicate forwarding/spoofing

Sender Identification

  • From, Reply-To, Return-Path – Should align logically
  • Discrepancies – Different domains in these fields = red flag
  • Display name vs. email address – Common phishing tactic

Suspicious Indicators

  • Forged headers – Claims to be from legitimate company but routing doesn’t match
  • Obfuscated IPs – Encoded or unusual formatting
  • Generic greetings – “Dear User” vs. personalized
  • Mismatched domains – Official-looking but slightly off

Technical Details

  • Message-ID – Legitimate emails have unique identifiers
  • X-headers – Custom headers (often added by security tools or spam filters)
  • MIME version – Should be present in legitimate mail

Red Flags Summary

Phishing/spoofed emails often show mismatched authentication, routing from unexpected servers, or headers that don’t align with claimed sender.