How to read email headers: Learn how to spot phishing attempts

Knowing how to read email headers helps uncover a message’s real origin and path, revealing signs of spoofing or phishing. Email headers contain key authentication data such as SPF, DKIM, and DMARC results.

How to read email headers: Understanding the basics

What are email headers?

Email headers are lines of metadata attached to every message that record its routing, sender and recipient details, timestamps, and authentication results. While hidden by default, they can be viewed to confirm an email’s legitimacy and trace its delivery path.

The role of email headers in cybersecurity

Email headers reveal where a message was sent from through the Received fields, mapping each server it passed through. This routing data, combined with the authentication results of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), helps expose fraudulent emails and verify sender legitimacy.

How to read email headers: Key components explained

Main fields in an email header

  • From: The sender’s email address.
  • To: The recipient’s address.
  • Date: The date and time the message was sent.
  • Subject: The email’s subject line.
  • Received: Lists the email servers that relayed the message.
  • Message-ID: A unique identifier for that email.
  • Return-Path: The address used for bounces or delivery failures.

How to read email headers: Step-by-step process

  1. Decoding key fields: From, Date, and more

    Start by locating the header you want to analyze. Then check that the From domain is consistent with the sending server recorded in the earliest (bottom-most) Received line, review the Date for unusual timestamps, and confirm that SPF, DKIM, and DMARC have all passed.

  2. Understanding Received lines and email hops

    Each Received line records a server that handled the message. Because every relay adds its own line above those already present, reading them from bottom to top shows the full delivery path in the order the message actually travelled.
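The bottom-to-top reading described above, as an added Python example that is not part of the original article or of Sendmarc’s analyzer. It uses only the standard library. The Received lines, hostnames and 192.0.2.x addresses in SAMPLE_HEADERS are constructed, and the 60-second clock-skew tolerance is an assumed threshold, not a value from the article.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: three relays, each prepending its own Received line, so the
# top line is the most recent hop. Hostnames and 192.0.2.x addresses are placeholders.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.30])
    by inbound.example.org with ESMTPS id abc123;
    Tue, 11 Nov 2025 09:00:12 +0000
Received: from relay.example.com (relay.example.com [192.0.2.20])
    by mx.example.net with ESMTP id def456;
    Tue, 11 Nov 2025 09:00:07 +0000
Received: from laptop.example.com (unknown [192.0.2.10])
    by relay.example.com with ESMTPSA id ghi789;
    Tue, 11 Nov 2025 09:00:01 +0000
From: sender@example.com
To: recipient@example.org
Subject: Meeting Reminder
Date: Tue, 11 Nov 2025 09:00:00 +0000

"""

# Same path, but the middle relay stamped a time one hour before the hop that fed it.
SKEWED_HEADERS = SAMPLE_HEADERS.replace("09:00:07 +0000", "08:00:07 +0000")


def parse_received(value):
    """Extract the 'from' host, the 'by' host and the timestamp from one Received line.
    Folded continuation lines are joined first, so the regexes see a single-line value."""
    flat = " ".join(value.split())
    from_host = re.search(r"\bfrom\s+(\S+)", flat)
    by_host = re.search(r"\bby\s+(\S+)", flat)
    stamp = None
    if ";" in flat:
        try:
            stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None  # keep going: a hop without a parseable date is itself a finding
    return {
        "from": from_host.group(1) if from_host else None,
        "by": by_host.group(1) if by_host else None,
        "date": stamp,
    }


def trace_hops(raw_headers):
    """Return the hops in chronological order. Received lines are prepended by each
    relay, so the bottom-most line is the first hop and the top-most the last."""
    msg = email.message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def out_of_sequence(hops, max_skew_seconds=60):
    """Indices of hops whose timestamp is earlier than the previous hop's by more than
    the allowed clock skew. Small negative gaps are normal (relay clocks drift); large
    ones suggest a forged or tampered Received line."""
    issues = []
    prev = None
    for i, hop in enumerate(hops):
        stamp = hop["date"]
        if stamp is None:
            continue
        if prev is not None and (prev - stamp).total_seconds() > max_skew_seconds:
            issues.append(i)
        prev = stamp
    return issues


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_HEADERS), start=1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} at {hop['date']}")
    print("out-of-sequence hops in skewed sample:", out_of_sequence(trace_hops(SKEWED_HEADERS)))
```

The hop list comes out as laptop.example.com, then relay.example.com, then mx.example.net handing off to inbound.example.org, which is the path the message actually travelled; the skewed variant reports hop index 1 because its timestamp sits an hour behind the hop before it.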

How to read email headers and interpret raw data

Viewing raw email headers

A raw email header reveals the full, unformatted metadata – including routing hops, authentication outcomes, and server details – enabling a precise analysis of the message’s path and integrity.

Best practices for accurate interpretation

  • Validate the legitimacy of each IP address
  • Review SPF, DKIM, and DMARC authentication results
  • Look for anomalies in routing paths or timestamps

Ready to analyze your own headers?

Use Sendmarc’s email header analyzer to validate email headers in seconds – no manual parsing required.

How to read email headers: Real-world examples

Example 1: Legitimate email header breakdown

  • Return-Path: 0101019a6e25344-863a0ee4-797e-498c-8dfb-1a9cfad6abce-000000@mail.example.com
  • From: [email protected]
  • To: [email protected]
  • Subject: Meeting Reminder
  • Date: Tue, 11 Nov 2025 09:00:00 +0000
  • Message-ID: <[email protected]>
  • Authentication-Results: spf=pass (sender IP is 2b00:1450:4884:20::602) smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com;dmarc=pass action=none header.from=example.com;compauth=pass reason=100

Explanation:

  • The Return-Path domain (mail.example.com) aligns with the From domain (example.com), showing proper bounce handling.
  • SPF and DKIM both pass, confirming the sender’s legitimacy and message integrity.
  • DMARC passes, verifying alignment.

This header represents a trustworthy, authenticated email.

Example 2: Phishing email header analysis

  • Return-Path: 0101019a6e25344-863a0ee4-797e-498c-8dfb-1a9cfad6abce-000000@mail.phishyexample.com
  • From: [email protected]
  • To: [email protected]
  • Subject: Urgent: Account Suspension Notice
  • Date: Tue, 11 Nov 2025 09:00:00 +0000
  • Message-ID: <[email protected]>
  • Authentication-Results: spf=fail (sender IP is 192.0.2.123) smtp.mailfrom=trustedbank.com; dkim=none (no signature) header.d=trustedbank.com; dmarc=fail action=reject header.from=trustedbank.com

Explanation:

  • The Return-Path domain (mail.phishyexample.com) doesn’t match the From domain (trustedbank.com).
  • SPF fails because the IP isn’t authorized to send emails for that domain.
  • DKIM is missing, and DMARC fails, signaling the email should be rejected.

These inconsistencies point to a phishing attempt.

Identifying suspicious patterns and red flags

  • Sending IP addresses that are not listed in the domain’s SPF record
  • Absent or failing DKIM signatures
  • Failed DMARC results
  • Mismatched From and Return-Path domains
  • Out-of-sequence timestamps
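The two example breakdowns and the red-flag list above, as an added Python example that is not from the original article or Sendmarc’s analyzer. The raw header blocks are constructed from the values shown in Example 1 and Example 2; the local parts and Message-ID values are placeholders because the article does not show them, and the relaxed-alignment check (same domain, or one a subdomain of the other) is a simplification that ignores the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed from Example 1 (legitimate): local parts and the Message-ID are placeholders.
LEGIT_HEADERS = """\
Return-Path: <0101019a6e25344-863a0ee4-797e-498c-8dfb-1a9cfad6abce-000000@mail.example.com>
From: sender@example.com
To: recipient@example.org
Subject: Meeting Reminder
Date: Tue, 11 Nov 2025 09:00:00 +0000
Message-ID: <placeholder-id-1@example.com>
Authentication-Results: spf=pass (sender IP is 2b00:1450:4884:20::602)
    smtp.mailfrom=example.com; dkim=pass (signature was verified)
    header.d=example.com;dmarc=pass action=none header.from=example.com;compauth=pass reason=100

"""

# Constructed from Example 2 (phishing): From claims trustedbank.com, bounces go elsewhere.
PHISH_HEADERS = """\
Return-Path: <0101019a6e25344-863a0ee4-797e-498c-8dfb-1a9cfad6abce-000000@mail.phishyexample.com>
From: security@trustedbank.com
To: recipient@example.org
Subject: Urgent: Account Suspension Notice
Date: Tue, 11 Nov 2025 09:00:00 +0000
Message-ID: <placeholder-id-2@mail.phishyexample.com>
Authentication-Results: spf=fail (sender IP is 192.0.2.123) smtp.mailfrom=trustedbank.com;
    dkim=none (no signature) header.d=trustedbank.com;
    dmarc=fail action=reject header.from=trustedbank.com

"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def parse_auth_results(value):
    """Map each mechanism in an Authentication-Results value to its result token,
    e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}. Comments and property
    pairs such as smtp.mailfrom= are ignored; the first occurrence of a mechanism wins."""
    results = {}
    for mech, verdict in AUTH_RESULT.findall(" ".join(value.split())):
        results.setdefault(mech, verdict)
    return results


def domain_of(header_value):
    """Lower-cased domain part of the address in a From/Return-Path header, '' if none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def aligned(domain_a, domain_b):
    """Relaxed alignment: equal, or one is a subdomain of the other (mail.example.com
    vs example.com). Real DMARC compares organizational domains via the Public Suffix
    List; this plain suffix test is an assumption that is good enough for quick triage."""
    if not domain_a or not domain_b:
        return False
    return (domain_a == domain_b
            or domain_a.endswith("." + domain_b)
            or domain_b.endswith("." + domain_a))


def red_flags(raw_headers):
    """Return the red flags found in a raw header block: a non-pass (or missing) SPF,
    DKIM or DMARC result, and a Return-Path domain that does not align with From."""
    msg = email.message_from_string(raw_headers)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    flags = []
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            flags.append(f"{mech.upper()}={verdict}")
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if not aligned(from_dom, rp_dom):
        flags.append(f"Return-Path domain {rp_dom!r} does not align with From domain {from_dom!r}")
    return flags


if __name__ == "__main__":
    for label, headers in (("legitimate", LEGIT_HEADERS), ("phishing", PHISH_HEADERS)):
        flags = red_flags(headers)
        print(f"{label}: {'no red flags' if not flags else flags}")
```

A message with no Authentication-Results header at all is reported as SPF=missing, DKIM=missing and DMARC=missing rather than silently passing, which matters when headers are copied from a client that strips them; the IP-authorization and timestamp checks in the list above are separate lookups and are not covered by this triage.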

How to read email headers instantly

Sendmarc’s email header analyzer automatically decodes raw header data, clarifies hop details, and displays clear SPF, DKIM, and DMARC results. It simplifies header analysis, helping security teams detect threats faster and with greater accuracy.

Boost your security with Sendmarc

Combining email header analysis with SPF, DKIM, and DMARC builds a stronger defense against impersonation and phishing. Regularly reviewing headers and authentication results helps your organization detect threats early and prevent domain spoofing.

Protect your domain now – book a demo to see how Sendmarc’s enterprise DMARC solution can secure your inbox and strengthen your email environment.

How to read email headers: FAQs

How do I check the source of an email?

To check the source of an email, inspect the Received lines in the header and find the last trusted “hop”: the line added by a server you control or trust, such as your own mail gateway. The “from” host in that line is the external server that actually delivered the message; lines below it were added by servers outside your control and can be forged. This helps confirm whether the message originated from a legitimate server.

What does the Received field show?

The Received field in an email header lists every email server that handled the message on its journey. Each entry helps trace where the email was relayed.

How do I read email hops?

To read email hops, review the Received lines from bottom to top. The first line at the bottom shows the original sending server, revealing the complete route to your inbox.

How do I read raw email data?

To read raw email data, open the full header in your email client and examine fields such as From, Return-Path, and Authentication-Results.

How do I detect phishing through email headers?

To detect phishing through email headers, look for failed SPF, DKIM, or DMARC results, suspicious IP addresses, unknown relays, and mismatched From and Return-Path domains. These red flags often indicate impersonation or spoofing attempts.