Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

Email Header Analysis

The process of examining RFC 5322 email headers to trace a message's delivery path, verify authentication results, and identify anomalies indicating abuse or compromise.

Definition

Email headers are structured metadata fields prepended to a message as defined by RFC 5322. They record the routing path through mail servers via Received headers, carry authentication results (SPF, DKIM, DMARC, ARC), and expose envelope-level information such as the originating IP, message ID, and timestamps. Analyzing these headers is the foundational step in any phishing or email fraud investigation.

Why It Matters

The Received headers added by relaying servers cannot be suppressed by the sender, so they reveal the true origination point of a message even when the visible From address is forged. Discrepancies between header fields, such as timezone inconsistencies, unexpected relay hops, or mismatched Message-IDs, are reliable indicators of spoofing, compromised infrastructure, or malicious forwarding.

How It Works

Each MTA prepends its Received header to the top of the existing headers as the message passes through. Reading them top-to-bottom shows the path from final destination back to origin (newest hop first); reading bottom-to-top traces the path from origin to destination. Authentication headers such as Authentication-Results are added by receiving servers and record the outcome of SPF, DKIM, and DMARC checks. Analysts cross-reference the envelope sender (Return-Path), the header From address, and Reply-To to detect alignment failures. IP addresses extracted from Received headers can be queried against reputation databases and geolocated. Timestamps across Received headers are checked for inconsistencies that may indicate header injection or forgery.
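The hop reconstruction, timestamp ordering check, sender alignment check and Authentication-Results parsing described above, as an added Python example that is not part of this wiki page or the DFIR Lab tooling. The message, hostnames and IP addresses are constructed, and the Received parser only handles the common `from ... by ...; date` clause shape.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real capture: mismatched sender domains and a hop stamped out of order.
RAW = b"""\
Received: from mx2.example-corp.test (mx2.example-corp.test [203.0.113.5])
 by inbox.example-corp.test with ESMTPS; Tue, 05 Mar 2024 10:15:40 +0000
Received: from relay.bulk-sender.test (relay.bulk-sender.test [198.51.100.7])
 by mx2.example-corp.test with ESMTP; Tue, 05 Mar 2024 10:15:38 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.bulk-sender.test with SMTP; Tue, 05 Mar 2024 11:02:01 +0000
Authentication-Results: mx2.example-corp.test; spf=pass smtp.mailfrom=bulk-sender.test; dkim=none; dmarc=fail header.from=example-bank.test
Return-Path: <bounce@bulk-sender.test>
From: "Example Bank" <alerts@example-bank.test>
Reply-To: support@mailbox-free.test
"""

def delivery_path(raw):
    # MTAs prepend Received headers, so the bottom one is the origin; reverse to read origin -> destination.
    hops = []
    for value in email.message_from_bytes(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from (\S+)(?: \(([^)]*)\))? by (\S+).*?; (.+)$", flat)
        if not m:
            continue  # not in the from/by form this simple parser handles
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2) or "")
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3), "time": parsedate_to_datetime(m.group(4))})
    return hops[::-1]

def timestamp_findings(hops):
    # A hop stamped earlier than its predecessor points to an injected/forged Received line or a skewed clock.
    return [f"clock goes backwards at {cur['by']} (after {prev['by']})"
            for prev, cur in zip(hops, hops[1:]) if cur["time"] < prev["time"]]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def alignment_findings(raw):
    # Cross-reference Return-Path and Reply-To domains against the header From.
    msg = email.message_from_bytes(raw)
    from_domain = domain_of(msg["From"])
    return [f"{h} domain differs from From domain" for h in ("Return-Path", "Reply-To")
            if msg[h] and domain_of(msg[h]) != from_domain]

def auth_results(raw):
    # Pull method=result pairs out of the receiver's Authentication-Results header.
    value = email.message_from_bytes(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", " ".join(value.split())))
```

On the constructed message this reports the origin IP 192.0.2.44, a clock that runs backwards between the first and second hop, Return-Path and Reply-To domains that do not align with the From domain, and an SPF pass with a DMARC fail, which is the typical signature of a bulk relay sending on behalf of a forged brand.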

DFIR Platform

Phishing Email Checker

The Phishing Email Checker parses RFC 5322 headers as the foundation of its 26+ analysis modules, surfacing routing anomalies, authentication failures, and header inconsistencies. A free version is available at dfir-lab.ch/phishing-check.

Related Concepts

SPF (Sender Policy Framework)
DKIM (DomainKeys Identified Mail)
DMARC (Domain-based Message Authentication, Reporting and Conformance)
ARC Authentication
Phishing Analysis