What’s the difference between header and body analysis?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get a suspicious email. It looks exactly like it came from PayPal. The logo's right, the language sounds official, and there's an urgent message about verifying your account. So what do you look at first?

This is where header analysis and body analysis come in. They answer two completely different questions, and you need both to understand what's really going on.

Header analysis is about technical origin. Email headers carry metadata that the sender can't easily fake: the routing path the message took, timestamps, IP addresses, and authentication results like SPF, DKIM, and DMARC. Headers answer the question "where did this actually come from?" regardless of what the visible "From" name says.

In the PayPal example, headers might show you that the message came from a server in a country PayPal doesn't operate in, that SPF failed, or that the "Reply-To" address points somewhere completely different from the claimed sender. That's your first red flag, before you've even looked at the message itself.

Body analysis is about intent and technique. Once you've looked at the routing, you look at what the email is actually trying to do. That means examining the text, the links (where do they really go?), any attachments, and the formatting. Body analysis reveals the social engineering at play: fake urgency, impersonation tactics, malicious links dressed up as legitimate ones, and anything designed to push the reader into a quick, unconsidered action.

In the PayPal example, body analysis might show you that the "verify your account" button links to a domain like paypa1-secure.com instead of paypal.com. The header told you the origin was suspicious. The body shows you the trap that was set.

Neither one is enough on its own. A message with perfect authentication can still contain a phishing link (a Compromised Address sending from a real domain). A message with broken authentication might be a misconfigured legitimate sender, not a threat. You need both layers to draw an accurate conclusion.

A simple way to think about it: headers are the paper trail, body is the crime scene. Investigators look at both.

And if you want to practice reading headers yourself, our free Email Header Analyzer breaks them down into plain English. Drop in a suspicious message and see what the routing actually says.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details and get a breakdown of what headers vs body would reveal in your specific case.

I'm looking at a suspicious email and want to know what to check first. Based on my situation below, tell me: (1) what the headers are likely to reveal about origin and authentication, (2) what to look for in the body for social engineering or malicious links, and (3) what conclusion I can draw when both layers are combined. My situation: - Suspected sender or impersonated brand: e.g. PayPal, my bank, IT department - What the email is asking me to do: e.g. verify account, click a link, open an attachment - Any red flags I've already noticed: [e.g. wrong reply-to address, urgent language, suspicious link] - My role: e.g. security team, email admin, end user

Edit the yellow boxes, then send to the AI of your choice.