How to Read Email Headers Like a Pro

May 08, 2026

Most people never look at email headers. That is a shame, because they tell you the real sender, the path the message took, and whether it passed authentication. This post walks you through reading them like someone who has done it a thousand times.

What headers actually are

Every email has two parts: the body you read, and a block of metadata called headers that the email client hides by default. Headers hold the technical breadcrumbs of how the message got from the sender to your inbox.

To see them in Gmail: open the message → three dots in the top-right → “Show original.”

To see them in Outlook: open the message → File → Properties → “Internet headers” box.

To see them in Apple Mail: open the message → View → Message → All Headers.

The five lines that actually matter

Skip the noise. Look for these:

  1. Authentication-Results — this single line tells you whether SPF, DKIM, and DMARC passed. If you see spf=fail or dmarc=fail, the message is suspicious. If all three pass, the sender’s domain authenticated correctly.
  2. Received-SPF — names the IP that sent the mail and whether the sending domain’s SPF policy permits it.
  3. Return-Path — the address bounces would go to. If this differs from the visible “From” address, that’s a yellow flag.
  4. From — the visible sender. Easy to spoof; means little on its own.
  5. Received chain — read bottom to top. The bottom-most Received line records the original sending server.

A worked example

Here’s an Authentication-Results line from a legitimate Mailgun-sent message:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=k1;
       spf=pass smtp.mailfrom=bounces.example.com;
       dmarc=pass header.from=example.com

Three passes. Domain alignment is good. The message is from who it claims to be from.

Now an obvious phish:

Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail smtp.mailfrom=spammer.tk;
       dmarc=fail header.from=paypal.com

DMARC failed. SPF softfailed. DKIM is missing entirely. This message claims to be from paypal.com but it is sent from spammer.tk. Delete it.
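
The same read-through can be scripted. The following Python is an added example, not part of the original post or of any tool it mentions: it parses Authentication-Results, flags any of the three checks that did not pass, and compares the envelope domain with the From domain. The function names, the default authserv_id (taken from the samples above) and the simplified alignment test are assumptions.

```python
import re
from email import message_from_string

METHODS = ("spf", "dkim", "dmarc")

def parse_auth_results(value):
    """Return {method: {"result": r, prop: v}}; the first result per method wins."""
    value = re.sub(r"\([^)]*\)", " ", value)        # drop parenthesised comments
    found, current = {}, None
    for token in re.split(r"[;\s]+", value):        # tolerate missing ';' separators
        key, sep, val = token.partition("=")
        if not sep:
            continue                                # authserv-id or stray word
        key = key.lower()
        if key in METHODS:
            current = None if key in found else found.setdefault(key, {"result": val.lower()})
        elif current is not None:
            current[key] = val.lower()              # e.g. smtp.mailfrom, header.from
    return found

def aligned(a, b):
    # Simplification: same domain or parent/child. Real DMARC relaxed alignment
    # compares organizational domains using the Public Suffix List.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw_headers, authserv_id="mx.google.com"):
    """Return reasons for suspicion; an empty list means all three checks passed."""
    msg = message_from_string(raw_headers)
    # Trust only the header stamped by our own receiver (authserv_id is an assumption).
    ours = [v for v in msg.get_all("Authentication-Results", [])
            if v.split(";", 1)[0].strip().lower() == authserv_id]
    res = parse_auth_results(ours[0]) if ours else {}
    results = {m: res.get(m, {}).get("result", "missing") for m in METHODS}
    flags = [f"{m}={r}" for m, r in results.items() if r != "pass"]
    mailfrom = res.get("spf", {}).get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    hfrom = res.get("dmarc", {}).get("header.from", "")
    if mailfrom and hfrom and not aligned(mailfrom, hfrom):
        flags.append(f"envelope domain {mailfrom} does not match From domain {hfrom}")
    return flags

# Constructed samples, built from the two Authentication-Results lines above.
LEGIT = ("Authentication-Results: mx.google.com;\n"
         " dkim=pass header.i=@example.com header.s=k1;\n"
         " spf=pass smtp.mailfrom=bounces.example.com;\n"
         " dmarc=pass header.from=example.com\n\n")
PHISH = ("Authentication-Results: mx.google.com;\n"
         " dkim=none;\n"
         " spf=softfail smtp.mailfrom=spammer.tk;\n"
         " dmarc=fail header.from=paypal.com\n\n")
```

triage(LEGIT) returns an empty list, while triage(PHISH) returns one flag per failed check plus the domain mismatch. An Authentication-Results header stamped by any server other than your own receiver is ignored, because a sender can insert one.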

What to do once you’ve read them

If the headers show that a message is phishing:

  • Forward to your IT/security team with the full headers visible.
  • Report to the impersonated brand — most have an address like phishing@paypal.com.
  • If you got it through Gmail/Outlook, also use the built-in “Report phishing” button so the platform learns.

Tools that do this for you

If you’d rather not eyeball headers manually, paste them into our free Email Header Analyzer — it parses the whole thing in two seconds and flags every common phishing pattern.

The bigger picture

Headers are the closest thing email has to a forensic record. Spending ten minutes learning to read them protects you from the bulk of phishing, business-email-compromise, and brand-impersonation attempts. The skill stays useful as long as email exists, which is forever.