Email header, how to find it and analyze it

Introduction

Firstly, you should know why it's essential to find an email header, why you should do it and how to analyze it. Indeed, you've encountered some suspicious emails and weren't sure if they were spam. Those emails could look like they came from a legitimate email address, but the content doesn't seem right. It could have grammar and spelling mistakes, ask you to click on suspicious links or leave some private and/or sensitive information. Emails like this are usually phishing attacks that use email address spoofing to make them seem more legitimate.

Email address spoofing

Email address spoofing means the sender wants the email to appear like it was sent from someone else, usually someone or some organization you know. It's traditionally used for phishing attacks to look more believable. This will also help get around some of the spam filters. To check if the email was really sent from where it appears to be, you should find and analyze the email header.

Email header

The email header is a report that contains all the important info about that email, like who sent it, from which server, DKIM, DMARC and SPF checks and much more information. All of this is important so you can check where the email actually came from.

Main part of an email header

From - which email address the email came from
To - which email address the email was sent to
Date - date and time when the email was sent
Subject - subject of the email

Additional parts of an email header

Return-Path - where will the return message be sent in case the email wasn't delivered or rejected
Authentication-Results - results of a DMARC, DKIM and SPF checks
Received - relay information, a log of IP addresses where the email traveled through
Message-ID - unique ID that was given when the email was created
MIME-Version - which MIME (Multipurpose Internet Mail Extensions) version was used to format the email
Content-type - information about the construction of the email, was HTML used, or is it just plain text

Finding and email header

This process can vary from a mail client to mail client, so here are the instructions for a few of the most used mail clients:

Gmail

Locate a three-dot icon on the top-right corner of the email and then select Show Original

Apple

Select View on the panel in the top-left corner and then select Message and then All Headers

Outlook

Open the email and select Properties from the File menu, then scroll down and locate Email Headers in the Internet Headers box

Webmail

Select Show Source from the More menu

Hotmail

Select email and right-click for a drop-down, then select View Message Source

Thunderbird

Open email, click on View, then select Message Source

Every email header starts with Delivered-To: name@example.com, and they can be quite long. The next step would be to read or analyze the email header using any online tool.

Analysis of an email header

For this example, we will analyze the email header from one of the phishing emails that looked like they were sent from SBB (EUnet) using the tool from MXToolBox. After opening this tool, we will paste the email header in the textbox and click on Analyze Header button.

header.png

After the email header was analyzed, we can see if the email passed DMARC, DKIM and SPF checks in the top part. Under that, we can see relay information and if any of those servers are on a blacklist.

deliveryinfo.png
relayinfo.png

Under that, we can see what exactly didn't pass in DMARC, DKIM and SPF checks:

spfdkim.png

Now we got to the chart that shows all of the information from the email header, but it's easier to read:

headerfound.png
headerfound2.png

To check if an email really came from the sender you saw, compare From, Received and Return-Path parts of an email header. If any of those don't align with the other two - that email wasn't sent from the sender you thought it was.

In the example shown above, you can see that even thou it says the email was sent from admin@eunet.co.rs, in the Received-SPF part, you can see that the email wasn't sent from an authorized IP address and how this happened - SPF record wasn't configured properly.


Was this article helpful?

mood_bad Dislike 1
mood Like 1
visibility Views: 1827