Email Header Analysis: How to Trace an Email's Origin, Verify Authentication, and Spot Spoofing

February 6, 2026 | 16 min read | Security
Home / Blog / Email Header Analysis Guide

$2.77 billion. That's how much Americans reported losing to business email compromise in 2024 alone, according to the FBI's Internet Crime Complaint Center. The median loss per incident was $50,000—and nearly all of those attacks started with an email that looked legitimate but wasn't.

The information needed to detect most of these attacks is sitting right inside every email you receive. It's in the headers—a block of metadata that most people never look at, recording every server the email passed through, whether the sender's identity was verified, and where in the world the message actually originated.

Most "how to read email headers" guides give you a screenshot of Gmail's "Show original" button, define what "Received" means, and stop there. That's like teaching someone to read a map without explaining what the symbols mean or where they're trying to go. This guide goes further: the actual mechanics of email authentication, which providers strip sender IP data (and which don't), why 89% of malicious emails pass SPF/DKIM/DMARC checks, and what header analysis can and cannot reveal.

What Email Headers Actually Are

Every email has two parts: the body (what you read) and the headers (what mail servers read). Headers are metadata lines added by each server that handles the message, forming a chain of custody from sender to recipient. They're defined by RFC 5322 (message format) and RFC 5321 (SMTP protocol), and they've been a core part of email since the early 1980s.

Think of headers like the stamps and routing labels on a physical package. When a letter goes through the postal system, each sorting facility stamps it with a date, location, and forwarding record. Email headers work the same way. Every mail transfer agent (MTA) that touches the message prepends a Received: header recording when it got the message, where it came from, and what protocol it used.

Headers also carry authentication results. Did the sending server have permission to send from that domain? Was the message signed cryptographically? Did it match the domain's published email policy? All of this is recorded in headers before the message reaches your inbox.

Headers are the only part of an email that can't be trivially faked by the sender. While a sender can set any "From" address they want, they can't control what receiving servers write into the Received headers or authentication results.

Anatomy of an Email Header

A typical email contains 15–40 header lines. The critical ones for analysis fall into three categories: routing headers, authentication headers, and identity headers.

How Email Headers Are Built: Server-by-Server Sender's Client Composes email From, To, Subject, Date SMTP Sending MTA Adds Received header DKIM signs message mail.sender.com Internet Relay / Gateway Adds Received header May filter spam mx.gateway.com Receiving MTA Adds Received header Runs SPF/DKIM/DMARC mx.recipient.com Key: Received headers are added top-down. The LAST Received header = the FIRST server hop. Read bottom to top. Each server prepends its Received header above previous ones, so the newest hop is always at the top. Received: from mx.gateway.com by mx.recipient.com ... (3rd — newest, top) Received: from mail.sender.com by mx.gateway.com ... (2nd hop) Received: from [10.0.1.42] by mail.sender.com ... (1st hop — oldest, bottom) ↑ Read from bottom to top to trace the email's path

Routing Headers (Received)

The Received: headers form the email's delivery chain. Each MTA that processes the message prepends one. They record the server hostname, IP address, protocol used (ESMTPS means encrypted, ESMTP means plaintext), and timestamp. Since each server prepends its header above the existing ones, you read them bottom to top to trace the chronological path.

A typical email passes through 3–5 servers. Corporate emails routed through security gateways (Proofpoint, Mimecast, Barracuda) may have 6–8 hops. The bottom-most Received: header usually shows the originating server—though this is where provider IP stripping matters (more on that below).

Authentication Headers

The receiving mail server performs authentication checks and records the results:

Identity Headers

These identify the sender, but they're the easiest to forge:

How to Find Email Headers

Every email client hides headers by default. Here's how to reveal them in the major providers:

Gmail (Desktop)

Open the email → Click the three-dot menu (⋮) in the top-right → Select "Show original". Opens a new tab with raw headers and a summary showing SPF, DKIM, and DMARC results. The summary at the top is Google's own analysis; the raw headers are below.

Microsoft Outlook (Desktop App)

Open the email → FileProperties → Look in the "Internet headers" text box at the bottom. In Outlook for the web (outlook.com): open the email → Click the three-dot menu → View"View message source".

Yahoo Mail

Open the email → Click the three-dot menu (···) → "View raw message". This opens the complete raw message including all headers.

Apple Mail (macOS)

Open the email → View menu → Message"All Headers" (or press ⌘⇧H). This displays headers inline above the message body.

Once you have the raw headers, you can paste them into our Email Header Analyzer to automatically parse the routing chain, verify authentication, and geolocate the sending servers.

Reading Email Headers: Step-by-Step Walkthrough

Here's a real-world header set (sanitized) from a corporate email sent through Microsoft 365. Let's walk through what each section reveals.

/* Authentication results from the receiving server */ Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=selector1; spf=pass (google.com: domain of [email protected] designates 40.107.22.83 as permitted sender) [email protected]; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=contoso.com /* Last hop: Google's MX received from Microsoft's outbound server */ Received: from mail-eopbgr220083.outbound.protection.outlook.com (40.107.22.83) by mx.google.com with ESMTPS id ... for <[email protected]>; Thu, 06 Feb 2026 09:14:32 -0800 /* Microsoft's internal routing */ Received: from DM6PR01MB4562.prod.exchangelabs.com (2603:10b6:5:1f3::17) by BN6PR01MB3341.prod.exchangelabs.com (2603:10b6:404:10a::8) with ESMTP; Thu, 6 Feb 2026 17:14:28 +0000 /* First hop: the sender's Outlook client submitted the message */ Received: from [192.168.1.105] (73.42.118.203) by DM6PR01MB4562.prod.exchangelabs.com via Frontend Transport; Thu, 6 Feb 2026 17:14:26 +0000 X-Originating-IP: [73.42.118.203] From: John Smith <[email protected]> To: [email protected] Subject: Q4 Financial Report Date: Thu, 6 Feb 2026 12:14:25 -0500

Reading bottom to top, here's what the headers tell us:

  1. First hop (bottom Received): The sender's machine at local IP 192.168.1.105 connected from public IP 73.42.118.203 to Microsoft's Exchange Online server. The X-Originating-IP confirms this. This IP could be geolocated to find the sender's approximate location.
  2. Second hop: Microsoft routed the email internally between Exchange Online servers (the IPv6 addresses starting with 2603:10b6 are Microsoft's data center IPs).
  3. Third hop (top Received): Microsoft's outbound server at 40.107.22.83 delivered to Google's MX server using encrypted SMTP (ESMTPS).
  4. Authentication: All three checks passed—DKIM verified the cryptographic signature, SPF confirmed that Microsoft's server was authorized to send for contoso.com, and DMARC passed with a policy of REJECT (meaning unauthenticated emails would be rejected, not just flagged).

This is what a clean, legitimate email looks like. Now let's understand the authentication system that produced those results.

Email Authentication: SPF, DKIM, and DMARC

Email was designed in the 1970s without any sender verification. The SMTP protocol lets anyone claim to be anyone—just like you can write any return address on an envelope. SPF, DKIM, and DMARC were bolted on decades later to fix this.

Email Authentication Check Flow Incoming Email From: [email protected] SPF Check Is this server IP listed in example.com's DNS TXT record? DKIM Check Does the signature in the header match the public key in DNS? DMARC Check Do SPF or DKIM pass AND align with the From domain? DMARC Policy Action none | quarantine | reject PASS (p=none) Deliver normally, report QUARANTINE Move to spam/junk REJECT Bounce the email RFC Standards: SPF (RFC 7208, 2014) — DNS TXT record listing authorized sender IPs. The sending domain publishes which servers may send on its behalf. DKIM (RFC 6376, 2011) — Cryptographic signature over message headers/body. Sending server signs; receiver verifies against DNS public key. DMARC (RFC 7489, 2015) — Policy layer. Requires SPF or DKIM to pass AND align with the From: domain. Tells receivers what to do on failure. ARC (RFC 8617, 2019) — Preserves authentication results across forwarding hops. Solves the "mailing list breaks DKIM" problem.

SPF (Sender Policy Framework)

SPF (RFC 7208) works at the server IP level. The domain owner publishes a DNS TXT record listing which IP addresses and servers are authorized to send email for that domain. When a mail server receives a message claiming to be from @example.com, it looks up example.com's SPF record and checks whether the sending server's IP is on the list.

SPF's limitation: it checks the envelope sender (Return-Path), not the display address (From). An attacker can set a Return-Path of [email protected] (which passes evil.com's SPF) while displaying From: [email protected]. The email passes SPF but the visible sender is spoofed. This is exactly why DMARC was created.

DKIM (DomainKeys Identified Mail)

DKIM (RFC 6376) adds a cryptographic signature. The sending server signs specific headers and the message body with a private key. The corresponding public key is published in DNS. The receiving server retrieves the public key, verifies the signature, and confirms the message wasn't altered in transit.

DKIM's limitation: it verifies integrity (the message wasn't tampered with), but it doesn't verify the visible sender. The DKIM signature can be valid for evil.com while the From: header shows [email protected]. Again, DMARC addresses this.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (RFC 7489) ties SPF and DKIM together with a critical requirement: alignment. For DMARC to pass, either SPF or DKIM must pass and the authenticated domain must match (or be a subdomain of) the visible From: address. This closes the gap that SPF and DKIM leave open.

DMARC also introduces a policy mechanism. Domain owners publish one of three policies:

ARC and BIMI: The Newer Layers

ARC (Authenticated Received Chain, RFC 8617) was introduced in 2019 to solve a real problem: email forwarding breaks DKIM signatures. When a mailing list modifies a message (adding a footer, changing the Subject line), the DKIM signature becomes invalid. ARC allows intermediate servers to cryptographically attest that authentication was valid when they received the message, preserving the chain of trust even after modification.

BIMI (Brand Indicators for Message Identification) is the latest addition. It lets domains that have deployed DMARC with a reject or quarantine policy display their brand logo next to authenticated emails. Gmail rolled out BIMI support with blue checkmarks in May 2023. It's not an authentication mechanism itself—it's a visual indicator that authentication is already in place.

Why Authentication Fails: The 89% Problem

62%
of phishing emails that reached inboxes had bypassed DMARC checks in the first half of 2024, according to Darktrace's Half-Year Threat Report, which analyzed 17.8 million phishing emails across their customer base.

If SPF, DKIM, and DMARC are supposed to prevent email spoofing, why do the majority of phishing emails still get through? There are four main reasons:

1. Compromised Legitimate Accounts

According to research from Egress, 44% of phishing emails in 2024 were sent from compromised legitimate accounts. When an attacker gains access to a real employee's email account, every email they send passes SPF, DKIM, and DMARC perfectly—because it is coming from an authorized server for that domain. Header analysis still works here: the Received: headers will show the correct sending infrastructure, but the content and behavior will be malicious.

This is the hardest attack to detect through headers alone. The authentication is technically correct. Only behavioral analysis (unusual sending patterns, anomalous content, suspicious links) can catch these.

2. Lookalike Domains

An attacker registers contoso-inc.com (note the hyphen) and sets up proper SPF, DKIM, and DMARC records for it. Emails from [email protected] pass every authentication check because the attacker legitimately controls that domain. The protection only works against impersonation of the exact domain (contoso.com), not visually similar ones.

In headers, you'd spot this by checking whether the From: domain exactly matches what you expect. But in practice, recipients rarely scrutinize the domain—especially on mobile, where email clients often show only the display name ("John Smith, CEO") rather than the full email address.

3. Domains Without DMARC

Despite years of advocacy, many domains still have no DMARC record at all, or run with p=none (monitoring only, no enforcement). Without DMARC enforcement, SPF and DKIM failures don't trigger any blocking action. The email arrives normally, and the authentication failure is silently logged—if anyone is even watching the reports.

4. Forwarding Chain Breakage

Mailing lists, email forwarding rules, and security gateways all modify messages in ways that can break DKIM signatures and change the envelope sender (breaking SPF). ARC was designed to mitigate this, but adoption is still inconsistent. The result: legitimate emails fail authentication, training recipients to ignore authentication warnings.

Email authentication prevents unsophisticated spoofing. It does not prevent sophisticated phishing. The distinction matters: if your company's domain has p=reject, nobody can forge emails from your exact domain. But they can still send from lookalike domains, compromised accounts, or free email services—all with perfect authentication.

Which Email Providers Strip Sender IP Addresses

One of the most common reasons people analyze email headers is to find the sender's IP address. But here's what most guides don't tell you: most major webmail providers strip the sender's IP from outgoing headers. If the email was sent through Gmail, you'll find Google's server IPs—not the sender's home or office IP.

Provider Sender IP Included? What You'll Find Instead
Gmail No Google's internal server IPs only. Sender IP has never been included in Gmail headers.
Outlook.com / Hotmail No Microsoft stripped X-Originating-IP from consumer Outlook.com accounts in 2013.
Office 365 / Exchange Online Yes Includes X-Originating-IP header with sender's public IP. Enterprise accounts retain this for admin use.
Yahoo Mail No Yahoo server IPs only. Sender IP stripped from consumer webmail.
ProtonMail No By design. ProtonMail headers show only ProtonMail server IPs. This is a core privacy feature.
Fastmail Yes Includes sender IP in X-Spam-source header.
Self-hosted / Corporate SMTP Yes The sender's connecting IP is typically recorded in the first Received header by default.
Apple iCloud Mail No Apple's server IPs only. Sender IP not included.
Provider IP disclosure as of February 2026. Policies may change.

The practical implication: if someone sends you a phishing email from a Gmail account, header analysis will tell you it came from Google's servers. You'll see the authentication results and the delivery path between Google and your mail server, but you won't get the attacker's IP from the headers — capturing it directly would mean getting the sender to click a link from an IP Logger tool. For emails from Office 365 corporate accounts or self-hosted mail servers, the sender's IP is usually available and can be geolocated to city-level accuracy.

Important: Even when a sender's IP is present in headers, it shows where the email was sent from, not necessarily who sent it. The IP might belong to a coffee shop's Wi-Fi, a VPN exit node, a corporate office shared by hundreds of employees, or a compromised machine in a botnet. IP geolocation provides city-level location, not identity. Courts in multiple jurisdictions have ruled that an IP address alone does not identify a person.

Tracing an Email's Origin: What's Actually Possible

With the limitations above in mind, here's what email header analysis can and cannot tell you, depending on the scenario:

Scenario 1: Phishing email from a free webmail provider

Headers will show: which provider sent it (Gmail, Yahoo, etc.), authentication results, delivery timestamps, receiving server chain. Headers won't show: the sender's IP address, physical location, or identity. Your best investigative move: report to the provider's abuse team and analyze the email's links/attachments, not the headers.

Scenario 2: Suspicious email from a corporate/business domain

Headers will show: the full delivery chain including sender IP (if using Exchange/O365), complete authentication results, whether the domain's DMARC policy is enforced, any relay servers the message passed through. This is where header analysis is most valuable. If SPF or DKIM fail while DMARC shows p=none, the domain owner isn't enforcing authentication—and the email might be spoofed.

Scenario 3: BEC (Business Email Compromise) investigation

$2.77B
lost to business email compromise in 2024, with 21,442 complaints filed with the FBI IC3. The median loss per incident: $50,000. BEC is the single most expensive category of internet crime by total losses. Source

In a BEC investigation, headers are critical evidence. Compare the headers of the suspicious email with known-good emails from the same sender. Look for:

Scenario 4: Tracing harassing or threatening emails

If the sender used a free webmail provider (Gmail, Outlook.com, Yahoo), the headers alone won't identify them. The provider has the sender's IP in their internal logs but won't disclose it without a legal process (subpoena or court order). Document the headers and the email content, report to the provider's abuse department, and if the threats are credible, provide the full headers to law enforcement—they can compel the provider to disclose the sender's IP through legal channels.

For any of these scenarios, our Email Header Analyzer will automatically parse the routing chain, geolocate visible IPs, and display authentication results in a readable format.

Frequently Asked Questions

Can you trace the sender's IP address from an email header?

It depends on the provider. Corporate email (Office 365, self-hosted SMTP) and some webmail providers like Fastmail include the sender's IP. Gmail, Outlook.com, Yahoo, and ProtonMail strip it. You can still identify the sending mail server and trace the delivery path, but the sender's actual IP won't be in the headers from these providers.

What do SPF, DKIM, and DMARC results mean?

SPF checks if the sending server is authorized for the domain. DKIM verifies a cryptographic signature proving the email wasn't modified. DMARC combines both and adds a policy (none, quarantine, reject). A pass on all three means the email came from an authorized server and wasn't tampered with. A fail suggests potential spoofing or misconfiguration.

Why do some legitimate emails fail SPF or DKIM?

Common reasons: misconfigured DNS records, email forwarded through a mailing list or relay not in the SPF record, message body modified by a security gateway (breaking DKIM), or the domain recently migrated email providers. ARC (RFC 8617) was created specifically to preserve authentication results across legitimate forwarding.

How do I find email headers in Gmail?

Open the email, click the three-dot menu (⋮) in the top-right, and select "Show original." This opens a new tab with raw headers and Gmail's authentication summary. The mobile app doesn't support header access—use the desktop web interface.

Can email authentication prevent phishing?

It reduces but doesn't prevent phishing. Darktrace's 2024 report found 62% of phishing emails had bypassed DMARC. Attackers use compromised accounts (which pass all checks), register lookalike domains with valid authentication records, or exploit forwarding chains. Authentication prevents direct domain spoofing but can't stop an attacker who controls a properly-configured sending domain.

Analyze Email Headers Instantly

Paste any email header into our free analyzer to trace the delivery path, verify SPF/DKIM/DMARC authentication, and geolocate sender IPs.

Open Email Header Analyzer

Sources: Statistics cited in this article are sourced from FBI IC3 2024 Annual Report, Darktrace Half-Year Threat Report 2024 (via KnowBe4), Egress Email Security Report, RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC), and RFC 8617 (ARC).

Need more lookups? View Pricing