Every email carries a set of headers — metadata fields that trace the path the message took from sender to your inbox. Email headers are the closest thing email has to a forensic audit log. You don’t need to be a sysadmin to read them; you need to know five fields. Here they are.
Getting to the raw headers
First, find them. Your email client hides them by default:
- Gmail: open the message, click the three-dot menu (top right), choose “Show original.”
- Outlook (desktop): File → Properties → the “Internet headers” box at the bottom.
- Outlook (web): open message → three-dot menu → View → View message details.
- Apple Mail: View → Message → All Headers, or press Command+Shift+H.
You’ll see 50-100 lines of text. Most of it is noise. Skim for the five fields below.
1. Authentication-Results
The most important header. Looks like:
Authentication-Results: mx.google.com;
spf=pass smtp.mailfrom=yourdomain.com;
dkim=pass header.d=yourdomain.com;
dmarc=pass header.from=yourdomain.com
Three verdicts: SPF, DKIM and DMARC. The token before the first semicolon (mx.google.com above) is the authserv-id, the server that ran the checks; make sure it is your own provider's server, because a sender can include an Authentication-Results line of its own and hope you read that one. A DMARC “fail” is a strong signal. An SPF or DKIM “fail” on its own is weaker: forwarding breaks SPF, and mailing lists that rewrite the body break DKIM. “pass” across all three is necessary but not sufficient. SPF and DKIM only say that the domains named in smtp.mailfrom and header.d vouched for the message, and DMARC only says that one of those domains aligns with the domain in From. A lookalike domain passes all three for itself, and a compromised mailbox passes all three for the real domain.
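The checks described above, as an added example (Python, standard library only; this is not code from the page or from the analyzer it mentions). It assumes your provider's inbound server stamps its results as mx.example.com, parses every Authentication-Results line, trusts only the topmost one carrying that authserv-id, reads the three verdicts, and checks whether the domain SPF or DKIM vouched for actually aligns with the From domain. The sample message is constructed: it passes SPF and DKIM for the attacker's own domain but fails DMARC, and it carries a fake Authentication-Results line the sender inserted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page): a message delivered to a mailbox at
# example.com. Our inbound MX stamps its results as "mx.example.com". The
# sender relayed through attacker.test and, before sending, inserted a fake
# Authentication-Results line claiming full passes (the lower one: receivers
# prepend headers, so our MX's own line is always the topmost one with its id).
SAMPLE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce.attacker.test;
 dkim=pass header.d=attacker.test;
 dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <ceo@bounce.attacker.test>
From: "CEO" <ceo@example.com>
To: cfo@example.com
Subject: Urgent wire

Please process today.
"""


def org_domain(domain):
    # Approximation of DMARC relaxed alignment: compare the last two labels.
    # A real implementation consults the Public Suffix List (assumption here).
    return '.'.join(domain.lower().rsplit('.', 2)[-2:])


def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, {method: (result, props)})."""
    value = re.sub(r'\([^)]*\)', ' ', value)       # drop comments such as "(p=REJECT ...)"
    parts = [p.strip() for p in value.split(';') if p.strip()]
    authserv_id = parts[0].split()[0].lower()       # "mx.example.com" or "mx.example.com 1"
    verdicts = {}
    for clause in parts[1:]:
        tokens = clause.split()
        head = re.fullmatch(r'([\w.-]+)=([\w.-]+)', tokens[0])
        if not head:
            continue                                # e.g. a bare "none"
        method, result = head.group(1).lower(), head.group(2).lower()
        props = {}
        for tok in tokens[1:]:                      # smtp.mailfrom=..., header.d=..., ...
            key, sep, val = tok.partition('=')
            if sep:
                props[key.lower()] = val.lower()
        verdicts[method] = (result, props)
    return authserv_id, verdicts


def triage_auth(raw, our_authserv_id):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()
    flags, trusted = [], None
    for line in msg.get_all('Authentication-Results', []):   # top of message first
        authserv_id, verdicts = parse_auth_results(line)
        if authserv_id != our_authserv_id.lower():
            continue                                # some other receiver's results, or noise
        if trusted is None:
            trusted = verdicts                      # topmost line with our id: written by our MX
        else:                                       # RFC 8601 says our MX should have stripped this
            flags.append('sender-injected Authentication-Results line found below ours')
    if trusted is None:
        return {'verdicts': {}, 'aligned': False,
                'flags': flags + ['no Authentication-Results line from ' + our_authserv_id]}
    verdicts = {m: trusted[m][0] for m in ('spf', 'dkim', 'dmarc') if m in trusted}
    for method in ('spf', 'dkim', 'dmarc'):
        if verdicts.get(method) != 'pass':
            flags.append(f"{method}={verdicts.get(method, 'none')}")
    # Alignment: the domain SPF or DKIM vouched for must be the From organizational
    # domain; otherwise the "pass" belongs to someone else entirely.
    spf_dom = trusted.get('spf', ('', {}))[1].get('smtp.mailfrom', '').rpartition('@')[2]
    dkim_dom = trusted.get('dkim', ('', {}))[1].get('header.d', '')
    aligned = any(org_domain(d) == org_domain(from_domain) for d in (spf_dom, dkim_dom) if d)
    if not aligned:
        flags.append(f'SPF ({spf_dom or "-"}) and DKIM ({dkim_dom or "-"}) vouch for a domain '
                     f'other than the From domain {from_domain}')
    return {'verdicts': verdicts, 'aligned': aligned, 'flags': flags}


if __name__ == '__main__':
    for flag in triage_auth(SAMPLE, 'mx.example.com')['flags']:
        print('FLAG:', flag)
```

On the sample this reports the injected line, dmarc=fail, and the misalignment; a message that passes all three for the From domain (or a bounce subdomain of it) comes back with no flags. Swap in your own provider's authserv-id before running it on real headers.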
2. Return-Path
The “envelope sender”: the address the sending server gave in MAIL FROM, which is what SPF was checked against (smtp.mailfrom in Authentication-Results) and where bounces go if delivery fails. The receiving server writes it into the message on delivery. For legitimate mail it should match the visible From address or at least share its organizational domain; bulk senders often bounce to a subdomain (bounce.yourcompany.com, for example), and that still aligns. Scam mail often has a Return-Path at an unrelated throwaway domain while the From says “ceo@yourcompany.com.”
3. From vs. Reply-To
The From address is what you see in your client. The Reply-To is where your response goes. In Business Email Compromise scams, these often diverge: From says ceo@yourcompany.com while Reply-To points to ceo@y0urcompany.com (the lookalike). Your reply goes to the attacker.
4. Received chain
Each mail server that handled the message adds a “Received” line at the top, so the most recent server is at the top and the first one is at the bottom. Read from the bottom up, but keep in mind who wrote each line: everything below the first line added by your own provider was written by servers on the sender's side and can be fabricated. The one thing you can trust about the handoff is the IP address in square brackets that your provider recorded for the host that connected to it.
Look for:
- Unexpected countries. Geolocate the IP your provider recorded for the host that handed it the message. An email claiming to be from your US vendor that reached your mail server from an address in a country where the vendor has no operations is suspicious.
- Suspicious hostnames. Mail from a legitimate company goes through its well-known mail servers (google.com, outlook.com, mimecast.com). Mail from a scam shop often comes through random or residential-ISP hostnames. Read the name in parentheses and the IP in brackets, which the receiving server looked up itself; the name right after “from” is whatever the sending host announced. Note that mail sent from a compromised mailbox goes through the real provider's servers and looks normal here.
- Timestamps that run backwards. Each Received line ends with the time that server accepted the message and its UTC offset. Converted to UTC, the times should increase from bottom to top. A line timestamped earlier than the one below it was written on a badly skewed clock or fabricated, and a multi-hour gap means the message sat somewhere before reaching you.
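A bottom-up walk of the Received chain that applies the three checks above, as an added example (Python, standard library only; not code from the page or its analyzer). It assumes your provider's servers live under example.com, that Received lines use the common Postfix/Sendmail layout “from HELO (rDNS [IP]) by SERVER ...; DATE”, and that the hostname keywords it treats as residential are a rough heuristic. The sample headers are constructed with documentation addresses.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the page); hostnames and IPs are documentation
# values. Read bottom-up: an attacker-run server accepted the message first,
# then handed it to our MX from a residential-looking address, and our MX
# passed it to the internal mail store.
SAMPLE = """\
Received: from mx-in.example.com (mx-in.example.com [192.0.2.10])
 by mailstore.example.com with LMTP id 7; Tue, 5 Mar 2024 09:15:30 +0000
Received: from mail.attacker.test (cpe-198-51-100-23.dyn.isp.test [198.51.100.23])
 by mx-in.example.com with ESMTPS id abc123; Tue, 5 Mar 2024 09:15:28 +0000
Received: from [10.0.0.5] (unknown [203.0.113.7])
 by mail.attacker.test with ESMTPA id 9; Tue, 5 Mar 2024 12:15:20 +0300
From: ceo@example.com
To: cfo@example.com
Subject: Urgent wire

Please process today.
"""

# "from <helo> (<rdns> [<ip>])": the HELO name is whatever the connecting host
# announced; the name in parentheses and the IP in brackets were written by the
# server that accepted the connection. Other MTAs vary the syntax (assumption).
FROM_RE = re.compile(r'\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\[\)]*?)\s*\[(?P<ip>[^\]]+)\]\))?')
BY_RE = re.compile(r'\bby\s+(?P<by>\S+)')
# Heuristic (assumption): tokens that usually mark consumer/residential reverse DNS.
RESIDENTIAL_RE = re.compile(r'\b(dyn|dsl|cpe|dhcp|pool|cable|ppp|broadband)\b|\d+-\d+-\d+-\d+', re.I)


def parse_received(value):
    flat = ' '.join(value.split())                  # unfold the header
    head, sep, date = flat.rpartition(';')          # the timestamp follows the last ';'
    if not sep:
        head, date = flat, ''
    hop = {'helo': None, 'rdns': None, 'ip': None, 'by': None, 'time': None}
    if m := FROM_RE.search(head):
        hop.update({k: (v.strip() if v else None) for k, v in m.groupdict().items()})
    if m := BY_RE.search(head):
        hop['by'] = m.group('by')
    try:
        hop['time'] = parsedate_to_datetime(date.strip())   # tz-aware, so UTC comparison is exact
    except (TypeError, ValueError):
        pass
    return hop


def walk_received(raw, our_domain):
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all('Received', []))]   # bottom-up
    ours = lambda host: host is not None and (host == our_domain or host.endswith('.' + our_domain))
    for hop in hops:
        hop['trusted'] = ours(hop['by'])            # written by a server we control
    flags, verified_origin = [], None
    untrusted = [h for h in hops if not h['trusted']]
    if untrusted:
        flags.append(f"{len(untrusted)} Received line(s) below our first server were written "
                     "on the sender's side and cannot be verified")
    first_ours = next((h for h in hops if h['trusted']), None)
    if first_ours:
        verified_origin = first_ours['ip']          # the IP our own MX saw connecting
        if first_ours['rdns'] and RESIDENTIAL_RE.search(first_ours['rdns']):
            flags.append(f"handoff to our MX came from residential-looking host {first_ours['rdns']}")
    else:
        flags.append('no Received line added by ' + our_domain)
    for prev, cur in zip(hops, hops[1:]):           # times must not decrease going up the chain
        if prev['time'] and cur['time'] and cur['time'] < prev['time']:
            flags.append(f"timestamp runs backwards between {prev['by']} and {cur['by']}")
    return {'hops': hops, 'verified_origin': verified_origin, 'flags': flags}


if __name__ == '__main__':
    result = walk_received(SAMPLE, 'example.com')
    for hop in result['hops']:
        print(hop['trusted'], hop['ip'], hop['rdns'], '->', hop['by'], hop['time'])
    for flag in result['flags']:
        print('FLAG:', flag)
```

The verified origin is the address your own server recorded, not the bottom-most line; that is the IP worth geolocating or looking up in a blocklist. The bottom hop here (203.0.113.7) is only what the attacker's server chose to write.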
5. Message-ID
A unique identifier for this specific email, generated by the sending system. Usually ends in the sender's mail server domain: <abc123@mail-server.yourdomain.com>. If it is missing entirely, or if the domain doesn't match the sender, that's a red flag, though third-party senders (newsletters, ticketing systems) legitimately mint Message-IDs at their own domain, so treat a mismatch as a weak signal on its own. Scammers sometimes forget to include it, or include a generic one; some receiving servers add one on arrival, so check whether the domain belongs to the sender or to your own provider.
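The Return-Path, From/Reply-To and Message-ID checks from sections 2, 3 and 5, together in one added example (Python, standard library only; not code from the page or its analyzer). Organizational-domain comparison is approximated by the last two labels, and the lookalike test is a small digit-for-letter heuristic, both assumptions. Both sample messages are constructed: the first is the BEC pattern the text describes, with the page's own ceo@y0urcompany.com lookalike; the second is a legitimate bulk mailing that bounces to a subdomain and must not be flagged.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the page).
BEC = """\
Return-Path: <bounce-77@mailer.freemail.test>
From: "CEO" <ceo@yourcompany.com>
Reply-To: <ceo@y0urcompany.com>
Message-ID: <20240305093000.1@mailer.freemail.test>
Subject: Urgent wire

Need this done before noon.
"""

CLEAN = """\
Return-Path: <bounces+42@bounce.yourcompany.com>
From: IT Notifications <it@yourcompany.com>
Message-ID: <f1c2@mail.yourcompany.com>
Subject: Password expiry notice

Your password expires in 14 days.
"""

# Digit-for-letter and rn/vv substitutions common in lookalike domains.
# Heuristic (assumption), not a full Unicode confusables table.
HOMOGLYPHS = str.maketrans({'0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't', '8': 'b'})


def normalize(domain):
    return domain.lower().translate(HOMOGLYPHS).replace('rn', 'm').replace('vv', 'w')


def looks_alike(candidate, target):
    return candidate != target and normalize(candidate) == normalize(target)


def org_domain(domain):
    # Relaxed-alignment approximation: last two labels (assumption; a real
    # check uses the Public Suffix List).
    return '.'.join(domain.lower().rsplit('.', 2)[-2:])


def domain_of(header_value):
    return parseaddr(header_value or '')[1].rpartition('@')[2].lower()


def triage_addresses(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get('From'))
    rp_dom = domain_of(msg.get('Return-Path'))
    # No Reply-To means replies go to From, which is the benign case.
    reply_dom = domain_of(msg.get('Reply-To')) if msg.get('Reply-To') else from_dom
    mid = (msg.get('Message-ID') or '').strip().strip('<>')
    mid_dom = mid.rpartition('@')[2].lower()
    flags = []
    if not rp_dom:
        flags.append('Return-Path missing')
    elif org_domain(rp_dom) != org_domain(from_dom):
        flags.append(f'Return-Path domain {rp_dom} is a different organization from From domain {from_dom}')
    if reply_dom != from_dom:
        kind = 'lookalike of' if looks_alike(reply_dom, from_dom) else 'different from'
        flags.append(f'Reply-To domain {reply_dom} is a {kind} From domain {from_dom}')
    if not mid:
        flags.append('Message-ID missing')
    elif org_domain(mid_dom) != org_domain(from_dom):
        flags.append(f'Message-ID domain {mid_dom} does not match From domain {from_dom} (weak signal)')
    return {'from': from_dom, 'return_path': rp_dom, 'reply_to': reply_dom,
            'message_id_domain': mid_dom,
            'lookalike_reply_to': looks_alike(reply_dom, from_dom), 'flags': flags}


if __name__ == '__main__':
    for name, raw in (('BEC', BEC), ('CLEAN', CLEAN)):
        print(name, triage_addresses(raw)['flags'])
```

The Return-Path comparison is deliberately done at the organizational level so that bounce.yourcompany.com still counts as aligned; a Reply-To that merely differs (a shared support mailbox, say) is reported separately from one that is a lookalike, because only the latter is close to conclusive.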
The 30-second triage
Paste the whole header block into our Email Header Analyzer. It parses all five fields, flags the problems, and gives you a verdict: critical, high, medium, or low risk.
Do it for any email that asks for money, credentials, or urgent action. Before you reply. Before you click. Before you do anything.
What headers can’t tell you
Headers prove who signed the message and what path it took. They don’t prove what’s in the body is true. A legitimately authenticated email from a compromised mailbox will pass every header check — because it really did come from that mailbox. The attacker just has the password.
For any high-stakes request (wire transfer, password change, credential share), use out-of-band verification: call the sender on a known phone number. Headers are a necessary check, not a sufficient one.
FAQ
Can the attacker forge the headers?
They can forge any header they write themselves, and From is trivially forgeable. Authentication-Results is different: the receiving server adds it after running the checks, so the sender cannot alter the verdicts on that line. What a sender can do is include an Authentication-Results line of its own, hoping you read that one. A compliant receiver strips incoming lines that carry its own authserv-id (RFC 8601), but check anyway: the trustworthy line is the topmost one naming your own provider's server, and the SPF, DKIM and DMARC verdicts on it are honest.
What if Authentication-Results is missing entirely?
That’s unusual for major email providers (Gmail and Outlook both add it). A missing Authentication-Results usually means the message was routed through an unusual server or relayed in a way that bypasses the standard checks. Treat it with suspicion.
Should I forward suspicious emails to anyone?
For business: forward to your IT security team or security@yourcompany.com alias. For consumer phishing: report to reportphishing@apwg.org (industry anti-phishing group). For attacks impersonating a specific brand, report to that brand’s security team — they’ll issue takedowns.