What does a spoofed header look like?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email from your bank. The name looks right, the logo looks right, but something feels off. If you pull up the full headers, that's usually where the truth hides.
A spoofed email is designed to look like it came from a trusted sender. The From header is the easiest thing to fake, so that's where attackers usually start. But the rest of the headers tell a different story.
Here's what a spoofed header typically looks like compared to a clean one:
Legitimate email headers (simplified):
From: alerts@firstharbor.bank
Return-Path: alerts@firstharbor.bank
Received: from mail.firstharbor.bank (mail.firstharbor.bank [203.0.113.10])
Authentication-Results: mx.google.com;
spf=pass (sender IP is 203.0.113.10)
dkim=pass header.d=firstharbor.bank
dmarc=pass (p=reject)
Spoofed email headers (simplified):
From: alerts@firstharbor.bank
Return-Path: bounce@randommailer99.net
Received: from smtp.randommailer99.net (unknown [45.77.88.12])
Authentication-Results: mx.google.com;
spf=fail (45.77.88.12 is not authorized to send for firstharbor.bank)
dkim=fail (no signature found for firstharbor.bank)
dmarc=fail (p=reject)
See what's happening? The From address looks identical in both. That's the whole trick. But the Return-Path, the Received chain, and the Authentication-Results all give it away.
The four red flags to look for:
- Return-Path mismatch: The domain in the Return-Path doesn't match the From address. Legitimate senders almost always keep these aligned.
- SPF fail: The sending server's IP isn't listed in the domain's SPF record. The message came from somewhere the domain never authorized.
- DKIM fail: No valid signature from the claimed sending domain. Spoofed messages can't sign with a key they don't own.
- DMARC fail: When SPF and DKIM both fail alignment, DMARC fails too. If the domain has a reject policy, a good mailbox provider should have blocked it before it reached you at all.
But you can view full headers in most email clients. In Gmail, open the email, click the three-dot menu, and choose "Show original". In Outlook, open the message, go to File, then Properties. Apple Mail has it under View, then Message, then All Headers.
If you want a faster way to read through those headers, our free Email Header Analyzer parses the raw output and highlights the parts that matter. Paste it in and the red flags jump out.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.