How to detect spoofing from headers?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get an email from "Amazon Support" or "Your Bank" and something feels off. The display name looks right, but your gut says otherwise. That's exactly when you open the full headers and start checking. Here's what to look for.

If you haven't pulled up headers before, don't worry. Every email client buries them somewhere. Once you know how to find the full headers, the checks below take about two minutes.

Start with Authentication-Results. This is the most telling header in the whole email. Your receiving mail server ran SPF, DKIM, and DMARC checks and logged the results here. A legitimate email from a real sender will typically show all three passing. If you see dkim=fail, spf=fail, or dmarc=fail, that's a serious red flag. A spoofed email often has no DKIM signature at all, which shows up as dkim=none.

Check the From address against the Return-Path. The From header is what your email client shows you. The Return-Path is where bounces actually go. These can legitimately differ (ESPs often use their own bounce-handling domain), but a wild mismatch tells a different story. If the From says your-bank.com and the Return-Path says random-domain.xyz, that email didn't come from your bank.

Trace the Received headers from the bottom up. Every server that handled the email adds a Received header, and they stack up in reverse order. The bottom-most Received header is where the email actually originated. The IP address and hostname there should make sense for whoever claims to have sent it. An email claiming to be from a major corporation shouldn't be originating from a residential broadband IP on the other side of the world.

Look at the display name trick. This one is subtle. Email clients often show only the display name, not the actual address. In the headers you'll see the full picture. Something like From: "Amazon Support" <noreply123@sketchy-domain.net> is a classic spoofing move. The display name is familiar, the actual address is not.

Watch for header anomalies. Legitimate mail servers produce consistent, well-formed headers. Spoofed or spam emails often show missing standard headers, oddly formatted Message-IDs, inconsistent date formats, or a suspicious number of X-headers from tools you wouldn't expect a real company to use.

Check the originating IP's reputation. Copy the IP from the bottom-most Received header and run it through a blocklist checker. Known spam sources and compromised sending infrastructure show up quickly. You can do this free at our blocklist checker, no signup needed.

If you're already staring at a suspicious email and want to walk through the headers step by step, our Email Header Analyzer does the heavy lifting for you. Paste the raw headers and it flags the problems plainly.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your headers and ask the question

I have a suspicious email claiming to be from sender name or company. I've pulled up the full headers. Can you walk me through what I'm seeing? Here are the key parts I can share: [paste Authentication-Results, From/Return-Path, and the bottom Received header]. Please tell me whether this looks spoofed, what the specific red flags are, and whether I should be concerned.

Edit the yellow boxes, then send to the AI of your choice.