Ever wondered where an email came from, and by which path? Suspect that an email is not from the source it claims to be? Find out here how to track the origin of an email using its headers (and check SPF records to boot).
First, an Englishman Takes the Same Picture Three Times
Following a suggestion made by physicist James Clerk Maxwell, pioneering photographer Thomas Sutton took great care in 1861 to make the same image three times. Under conditions as identical as possible, he took three black-and-white snapshots of a colorful ribbon with the same lens and camera.
The images differed, however, and they all looked wrong: the first was distorted by a “green” black-and-white hue, the second by a “blue” one and the third by a “red” one. All the distortion was intentional, of course: the three images, superimposed as projections through filters of the same colors, produced an image that had the original’s colors.
This elaborate process is the source, of course, of the first color photograph known.
How to Track the Origin of Email Using Its Headers
Time needed: 4 minutes
To track and identify the likely source server, service and IP address of an email message (such as spam):
- Open the source or full header display for the message in your email program or service.
Here’s how: You can open the full header lines in most email programs and services.
- Start from the top and stop only when you get to the first empty line.
Viewing headers: If you are looking at only the header lines rather than the full message source, start from the very bottom of the headers.
- Work your way back up and look for the first line that begins with Received: from.
Search and find: You can use the browser, email program or text viewer’s search function to find the previous Received: from (or ^Received:\ from as a regular expression).
- Examine the Received: from lines in succession from bottom to top; read this way, they give the hops in chronological order.
Why bottom to top: As one email server accepts an email from another (or from an email program) for further delivery, it adds at least one line that starts with Received: to the top of the headers.
What you will learn: The Received: lines include
– which server received the message (by),
– from which other server (from),
– addressed to which email address (for),
– followed by the date and time.
You can now use the server’s name and IP address to look up information about the server or original sender, for example using a tool like IP Info. A tool like the Gajin Header Analyzer can format the email’s header lines in a manner easy to read.
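As an added worked example (not code from the original article), the following Python script walks the Received: lines of a constructed sample message from bottom to top, pulls out the from, by and for fields and the date, separates the hostname the sender stated from the one the receiver derived together with its IP address (the two names discussed in the FAQ below), and skips local hops to pick the likely origin server. The sample message, host names and IP addresses are all constructed.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample message (not real); newest Received: line is on top, and the
# bottom hop is the sending server handing the mail to itself via localhost.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
  by mx.example.org with ESMTPS id C3D4
  for <alice@example.org>; Tue, 10 Oct 2023 09:15:02 +0000
Received: from smtp.example.com (smtp.example.com [203.0.113.42])
  by relay.example.net with ESMTPS id B2C3
  for <alice@example.org>; Tue, 10 Oct 2023 09:15:01 +0000
Received: from smtp.example.com (localhost [127.0.0.1])
  by smtp.example.com with ESMTPSA id A1B2
  for <alice@example.org>; Tue, 10 Oct 2023 09:14:58 +0000
From: "Bob" <bob@example.com>
"""

# Loopback, private and link-local ranges count as "local" hops to skip over.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

HOP_RE = re.compile(
    r"from\s+(?P<stated>\S+)"                                # name the sender claimed
    r"(?:\s+\((?P<derived>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\][^)]*\))?"  # receiver's view
    r".*?\bby\s+(?P<by>\S+)"                                 # server that added the line
    r"(?:.*?\bfor\s+<?(?P<for>[^\s>;]+)>?)?")                # recipient, if recorded

def parse_received(raw_message):
    """Return the Received: hops in chronological order (bottom line first)."""
    hops = []
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        value = re.sub(r"\s+", " ", value).strip()           # unfold the header
        m = HOP_RE.search(value)
        if m:
            hop = m.groupdict()
            hop["date"] = value.rsplit(";", 1)[1].strip() if ";" in value else None
            hops.append(hop)
    return hops

def is_local(ip):
    addr = ipaddress.ip_address(ip.replace("IPv6:", ""))
    return any(addr in net for net in LOCAL_NETS)

def likely_origin(hops):
    """Oldest hop whose recorded IP is not local: the likely origin server."""
    for hop in hops:
        if hop["ip"] and not is_local(hop["ip"]):
            return hop
    return None
```

Because the hops come back oldest first, the hop returned by likely_origin is the one whose IP you would look up further, while any hop below a genuine one in the source could still have been faked by the sender.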
Fakes and Trustworthiness
Note that it is possible to insert faked Received: lines in an attempt to obfuscate the source of an email. Because every server adds its own line on top of what it received, such faked lines can only appear below the genuine ones: they will always look like the earliest entries (so farthest to the bottom in the email source).
While Received: lines are inserted from bottom to top, you should trust them in the reverse direction. The most recent and topmost entry is from the last server that received the message, your email provider’s, and it should be trusted most.
Use SPF (Sender Policy Framework) to Validate the Origin
With SPF, the owner of a domain can publish which IP addresses are allowed to send mail using addresses at that domain. Usually, your email server (or one before it) will already have verified whether the message came from such an authorized source.
You will typically find this information in a header line that starts with Received-SPF:, but you can also check yourself. (Since domains can, and sometimes practically have to, be set up to allow mail to come from senders other than those specified in the SPF record, you may receive legitimate emails for which the SPF check has failed.)
To check origin servers against the SPF record for an email’s sender using its headers:
- Identify the SMTP From sender of the email.
- Find and interpret the SPF record for the sender’s domain.
Sender domain: SPF checks against the SMTP MAIL FROM sender address, not the email address you find in the From: header line (which is usually shown as the email’s sender in an email program).
- Identify the sending server’s IP address.
Here’s how: Look for the first non-local Received: line from the bottom; often, the first from server will be the localhost, for instance, or the sending server handing the message around internally.
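To show what the check in these three steps amounts to, here is an added Python example (not code from the original article) that evaluates an SPF record for a sending IP the way a receiving server does, covering the ip4, ip6, include and all mechanisms with their qualifiers. It assumes the MAIL FROM domain and the sending IP have already been identified as described above, and it uses a constructed in-memory table of DNS TXT answers instead of live DNS; the domains and records in it are made up.

```python
import ipaddress

# Constructed DNS TXT answers standing in for live lookups (not real records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, lookup=FAKE_DNS_TXT.get, depth=0):
    """Evaluate domain's SPF record for the connecting IP.

    Handles ip4, ip6, include and all; returns pass, fail, softfail, neutral,
    none (no record), permerror (bad record) or temperror (would need live DNS).
    """
    if depth > 10:                      # crude stand-in for RFC 7208's lookup limit
        return "permerror"
    record = lookup(domain)
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a bare mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":")[0]:   # modifiers (exp=, redirect=) are not evaluated here
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(client_ip, arg, lookup, depth + 1)
            if inner == "pass":         # include matches only on a pass of the inner record
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # RFC 7208: a missing included record is an error
                return "permerror"
        else:                           # a, mx, ptr, exists need DNS beyond this table
            return "temperror"
    return "neutral"                    # record ended without a match and without "all"
```

A real check would replace the lookup argument with a DNS TXT query and would also handle the a, mx and redirect= terms; the decision logic for each result stays the same.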
How to Track the Origin of Email Using Its Headers: FAQ
A “Received: from” entry has two different host names; which should I believe?
When it submits an email, the sending host identifies itself by name. This name is usually, but need not be, the sending agent’s true host name. The receiving server notes the sending server’s IP address and the host name associated with it.
- Immediately following from in the Received: line is the stated hostname; and
- after that (typically in parentheses) follows the derived hostname, usually together with the IP address.
Example: from mx4.messagingengine.com (localhost [127.0.0.1]); the sending host identified as “mx4.messagingengine.com”, but the email was transferred internally on the same machine using the localhost IP address 127.0.0.1.
(How to track the origin of email using its headers first published October 2023, last updated April 2024)