How can you tell if an email is spoofed?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email that looks like it's from your bank, your CEO, or a shipping company you use. But something feels off. How do you actually check whether it's legit or spoofed?
There are three places to look: the authentication results, the actual sender address, and the routing path. Each one tells you something different.
1. Check the Authentication-Results header
This is your fastest signal. Every major inbox adds an Authentication-Results line to incoming mail showing how the email performed against SPF, DKIM, and DMARC.
Here's what you're looking for:
- spf=pass means the sending server is authorized to send on behalf of that domain. spf=fail means it isn't.
- dkim=pass means the message content was cryptographically signed and wasn't tampered with. dkim=fail means the signature is broken or missing.
- dmarc=pass means the domain in the From header aligns with a passing SPF or DKIM result. dmarc=fail is the clearest sign of spoofing.
A genuine email from a well-run domain will usually show all three passing. If DMARC fails, that means the From address doesn't match the actual sending infrastructure. That's the red flag you're looking for. (SPF or DKIM failing alone isn't always spoofing. Forwarded emails often break SPF. A newsletter sent through a third-party tool might fail DKIM if the sender set it up sloppily. Context matters.)
To access headers in Gmail, open the email, click the three-dot menu, and choose "Show original." In Outlook, open the message, go to File and then Properties. In Apple Mail, go to View and then Message and then All Headers.
2. Check the actual From address, not just the display name
But most email clients on mobile show you only the sender's friendly name, like "PayPal Support" or "Your IT Team." The actual address is hidden until you tap or click it.
Spoofed emails often use a convincing display name but a completely unrelated sending address underneath. You might see "Apple Support" with an address like no-reply@secure-appleID-verify.net. That's not Apple. Check the domain after the @ sign, and make sure it's the real organization's domain, not a lookalike.
3. Look at the Received headers (the routing path)
The Received headers trace every server the email passed through, from the original sender to your inbox. They read bottom to top, so the first server the message touched is at the bottom.
So if an email claims to be from a large company like a bank or retailer, you'd expect to see servers belonging to that company (or their known ESP) near the bottom of the chain. If the trail starts in an unrelated data center or a generic hosting provider with no obvious connection to the claimed sender, that's suspicious.
It's worth noting that many legitimate senders use third-party ESPs, so a sending server that isn't literally company.com isn't automatically a problem. What you're watching for is a mismatch between the claim ("this is from BigBank") and the reality (sent from a server with zero affiliation to BigBank).
Putting it together
One failing check doesn't always mean spoofing. But if DMARC fails AND the From address looks suspicious AND the routing makes no sense, you've got a pretty clear picture. Don't click any links in that email. If it's impersonating a company you actually use, report it to that company's security or abuse team.
Want to analyze headers on an email you're unsure about? Our free Email Header Analyzer breaks down the authentication results and routing in plain language. Paste the raw headers and it'll flag what's off.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.