How to perform header forensics?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Email headers are a record of where a message has been. Every server that handled the message adds its own Received header, and authentication results stack up as the message passes through infrastructure. Reading them tells you exactly how an email got to your inbox and whether anything suspicious happened along the way.

Step 1 is getting the full headers. In Gmail, open the email, click the three-dot menu, select "Show original." In Outlook, open the message properties and look for "Internet Headers." In Apple Mail, go to View > Message > All Headers. You want the raw text, not the summarized view.

Step 2 is reading the routing chain. Headers read from bottom to top chronologically. The bottom Received header is where the message started. Each subsequent header above represents the next server in the chain. Work upward to trace the message's path from origin to delivery. Unusual hops (through servers in unexpected regions, through multiple intermediaries with long delays) are worth investigating.

Step 3 is checking authentication results. Look for the Authentication-Results header near the top of the chain. It shows whether SPF, DKIM, and DMARC passed or failed, and what identifiers were verified. If a message claims to be from paypal.com but SPF failed or DKIM is signed by a different domain, that's your forensic finding.

Step 4 is checking the From address versus the Return-Path (envelope sender). A mismatch between these two is a common indicator of spoofing or mail forwarding configuration issues.

Our free Review My Emails email header analyzer automates steps 2-4 and flags anomalies in a readable format. Useful when you're doing quick triage on a suspicious message. For more systematic investigation, reading authentication results headers goes deeper on what each field means.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me analyze this email's headers

I have a suspicious email I want to analyze using header forensics. Here's what I have: - Email client I'm using: Gmail / Outlook / Apple Mail / other - The concerning indicators I've noticed: describe what seems suspicious - Whether I can access the full raw headers: yes / no / not sure how - My goal: [confirm it's phishing / find the sending infrastructure / document for reporting] Walk me through reading the headers of this specific email and tell me what to look for given my concerns.

Edit the yellow boxes, then send to the AI of your choice.