What are forensic email headers?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Forensic email headers are the part of a message most people never see. Your inbox shows you From, To, Subject, and a timestamp. The headers behind those four lines carry the receipts: every server that touched the message, when it touched it, what IP it came from, and whether the authentication checks passed or failed.
When someone says "forensic headers," they mean the headers you actually read during an investigation. A phishing report, an abuse complaint, a deliverability problem, a legal hold. Same headers, different job.
Here is what you are looking at and what each one tells you.
Received lines are the trail of servers. Each hop adds a new Received line at the top, so the message reads bottom to top in chronological order. The bottom Received line is usually the first server that accepted the mail from the sender. That one matters most because it shows the real origin IP, not whatever the From address claims. Received headers are defined in RFC 5321 section 4.4.
Authentication-Results is the verdict line. SPF, DKIM, and DMARC results all land here in a structured format defined by RFC 8601. You will see something like spf=pass, dkim=pass, dmarc=pass or, on a spoofed message, spf=fail or dmarc=fail. If you want to understand why these three checks matter, start with how DMARC prevents domain spoofing.
Message-ID is the unique fingerprint for the message, set by the sending server. Two copies of the same email have the same Message-ID. Useful when you are correlating a complaint to a send, or tracing whether a message was forwarded or replayed.
Return-Path is the address bounces go to. It is also the address SPF actually checks, which surprises a lot of people. The From address you see in your client and the Return-Path can be different domains, and that gap is exactly how some spoofing attacks slip through. We cover this in can SPF or DKIM alone stop spoofing.
X-Originating-IP is a non-standard header that some providers add to record the IP the sender connected from. Not every provider sets it. When it is there, it is gold for tracing.
Here is the practical part. When a user forwards you a suspicious email and asks "is this real," the answer is almost always in the headers.
First, read the bottom Received line. Does the IP belong to the company the email claims to be from? A message claiming to be from your bank but originating from a residential IP in another country is a strong signal something is off.
Second, read Authentication-Results. A dmarc=fail on a message claiming to be from a domain that publishes a DMARC policy is a near-certain spoof. For what that actually looks like in raw headers, see what does a spoofed header look like.
Third, check whether Return-Path and From use the same domain. They do not have to, legitimate senders use separate bounce domains all the time, but a mismatch combined with auth failures is a pattern.
Fourth, look at the timestamps across the Received chain. Big gaps between hops can mean the message sat in a queue, which sometimes points to a compromised relay.
None of this requires special tools. Gmail's "Show original," Outlook's "View message source," and Apple Mail's "Raw Source" all hand you the same data. The skill is reading it in order and knowing which lines carry weight.
If you are doing this often enough that copying headers into a text editor is slowing you down, every major provider publishes a header analyzer. Google's message header tool is the one most people land on first.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.