Tutorials

Email Header Analysis: Tracing the Origin of Suspicious Messages

Chen W.

Why Email Headers Matter

The email body shows what the sender wants you to see. The email headers show the truth. Headers contain the complete routing path of an email, authentication results, sender IP addresses, and server identities. When investigating a suspicious email, header analysis is your most powerful forensic tool.

Key Headers to Examine

The Received headers show every mail server the message passed through, from origin to destination. Each server prepends its own Received header, so read them bottom-to-top to trace the message path: the bottom-most header is the earliest hop. Only the Received headers added by servers you trust are reliable; a sender can insert forged Received lines before the message ever reaches your infrastructure. The Return-Path header shows the actual sender address used for bounces, which may differ from the displayed From address. Authentication-Results shows whether SPF, DKIM, and DMARC checks passed or failed. The X-Originating-IP header (when present) reveals the sender's IP address.

Identifying Spoofed Emails

A spoofed email typically fails SPF and DKIM authentication. The displayed From address may show a trusted name and domain, but the Return-Path points to a completely different domain. The originating IP address resolves to a hosting provider in a different country than the claimed sender. Received headers show the message passed through servers that have no association with the sender's organization.

Automating Header Analysis

Manually reading headers is tedious for high volumes of suspicious emails. Use automated analysis tools that extract key indicators, perform IP geolocation, check domain reputation, and flag authentication failures. True Protection's email analysis feature automatically examines headers of reported suspicious emails and provides a risk assessment with highlighted anomalies, saving analysts significant investigation time.
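As an added illustration of the checks described in the previous two sections (not code from this article or from True Protection), the following script parses a raw message with the Python standard library, reverses the Received chain, compares the Return-Path domain with the From domain, and pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results. The message, domains and IP addresses are constructed samples.

```python
# Added example (not the article's code): header triage with only the Python
# standard library. Domains and IPs are constructed samples, not real hosts.
import re
from email import message_from_string, policy, utils

RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTPS; Tue, 05 Mar 2024 10:00:05 +0000
Received: from vps-4421.hosting.example.net ([198.51.100.77])
\tby mx.example.com with ESMTP; Tue, 05 Mar 2024 10:00:03 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none; dmarc=fail header.from=example.com
From: CEO <ceo@example.com>
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    """Lowercased domain of the first address in a header value ('' if none)."""
    _, addr = utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def received_chain(msg):
    """Each hop prepends a Received header, so the last one in the raw message is
    the earliest. Reversed, the list reads origin -> destination. Only hops added
    by servers you control are trustworthy; a sender can forge earlier ones."""
    return list(reversed(msg.get_all("Received", [])))

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results."""
    text = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}

def analyze(raw):
    """Extract the key indicators and list the anomalies an analyst should see."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    chain = received_chain(msg)
    origin = IP_RE.search(chain[0]) if chain else None  # earliest hop's IP
    report = {"from_domain": from_dom, "return_path_domain": rp_dom,
              "auth": auth_results(msg), "findings": [],
              "origin_ip": origin.group(1) if origin else None}
    if rp_dom and rp_dom != from_dom:
        report["findings"].append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    for mech, verdict in report["auth"].items():
        if verdict != "pass":
            report["findings"].append(f"{mech.upper()} {verdict}")
    return report
```

Run `analyze(RAW_MESSAGE)["findings"]` to get the list of anomalies; on the sample it flags the Return-Path mismatch and the failed SPF and DMARC checks, and `origin_ip` holds the address from the earliest Received hop.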
