Email Header Analysis for Phishing Investigation
Email headers record every server that handled a message. When investigating a phishing email, the headers tell you where it really came from, regardless of what the From field says. SPF, DKIM, and DMARC results in the headers reveal whether the sending domain actually authorized the message.
Try it now
Email Headers
Runs in your browser, nothing leaves your device.
Received headers are added by each mail server, bottom to top. The bottommost Received header is the first server that handled the message, closest to the true sender. Read upward to trace the message path. Compare the originating IP to the claimed sender domain. If a 'PayPal' email originates from a random VPS IP rather than PayPal's mail servers, it's spoofed.
Modern email uses three authentication mechanisms. SPF checks if the sending IP is authorized by the domain's DNS records. DKIM verifies a cryptographic signature on the message body and headers. DMARC ties SPF and DKIM together with a policy for handling failures. Look for the Authentication-Results header: pass means the check succeeded, fail means it didn't, and none means the domain has no policy.
Examples
Spoofed email indicators
From: [email protected]
Received: from mail.cheap-vps.xyz [185.x.x.x]
Authentication-Results: spf=fail; dkim=none; dmarc=fail
Spoofed sender. All three authentication checks failed. Not from PayPal.
Security context
The From field in an email is trivially fakeable. Never trust it alone. The headers are where the truth lives. For any suspicious email, raw header analysis is the first step in determining whether it's legitimate or a phishing attempt.
Frequently asked
In Gmail: Open the email, click the three dots, select 'Show original'. In Outlook: Open the email, click File > Properties > Internet Headers. In Apple Mail: View > Message > All Headers. Copy the full headers into an email header analyzer tool.
Go deeper
Continue in the Web Security Academy
Related techniques
Detecting Phishing URLs: Indicators and Techniques
Analyze URLs for phishing indicators: typosquatting, homoglyph attacks, suspicious subdomains, URL shortener abuse, and credential harvesting parameters.
Homoglyph and IDN Homograph Attack Detection
Detect Unicode homoglyph attacks in domain names and text. Identify Cyrillic, Greek, and other look-alike characters used for phishing and impersonation.