What is header anomaly detection?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Every email carries a paper trail. Before a message ever reaches your inbox, it picks up a series of email headers that record where it came from, which servers handled it along the way, when each hop happened, and whether it passed authentication checks. Header anomaly detection is the process of reading that trail and flagging anything that looks off.

A normal header tells a clean, consistent story. The sending IP matches the claimed domain. The timestamps follow a logical sequence. The From address in the header matches what the envelope says. Authentication results (SPF, DKIM, DMARC) all pass. Everything lines up.

A suspicious header doesn't. Here's what anomaly detection looks for:

  • Forged timestamps: A message that claims to have been sent before the sending server even existed, or that shows time gaps that make no physical sense across hops.
  • Unusual routing: A legitimate email from a UK company that somehow routes through three servers in countries it has no relationship with before arriving.
  • Envelope vs. header mismatch: The address your mail client displays as "From" is different from the actual envelope sender address buried in the headers. This is a classic spoofing tell.
  • Authentication failures at odds with sender claims: The email says it's from a major bank, but the DMARC check fails, or the DKIM signature is missing entirely.
  • Received header chain breaks: The chain of Received: headers should connect every hop cleanly. Gaps, duplicates, or entries that reference non-existent servers are red flags.

Security gateways do this automatically at scale, scoring incoming messages against these patterns before they reach a user's inbox. But you can also read headers yourself. In Gmail, open any email, click the three-dot menu, and select "Show original." In Outlook, open the message, go to File, then Properties, and look at the internet headers box. It looks messy at first, but once you know what to look for, the story becomes readable quickly.

Our free Email Header Analyzer can parse those raw headers for you and surface the anomalies without making you decode every line by hand. Paste them in and you'll see authentication results, routing hops, and any flags worth investigating. If something looks genuinely wrong with email reaching your domain, our SOS hotline is free to use.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Break down a header example for me

I want to understand header anomaly detection with a real example. Can you show me what a clean, normal email header looks like side by side with a suspicious one? Walk me through the specific red flags, like forged timestamps, envelope mismatches, and authentication failures, so I know exactly what to look for when I pull up raw headers myself.

Edit the yellow boxes, then send to the AI of your choice.