Phishing Education

Email Header Analysis for Phishing Detection

By Editorial Team Published

Email headers contain the forensic trail of every message — where it originated, which servers it passed through, and whether it passed authentication checks. Learning to read headers transforms a suspicious email from a guessing game into a technical analysis with a clear verdict.

Why Headers Matter

The visible “From” field in an email can display any name or address the sender chooses. The headers behind it, however, record what actually happened during delivery. Authentication results (SPF, DKIM, DMARC) in the headers tell you whether the sending server was authorized to send on behalf of the claimed domain. A phishing email that spoofs your bank's exact domain will almost always fail at least one of these checks, provided the bank publishes SPF, DKIM, and DMARC records. Mail from a lookalike domain the attacker registered can pass all three, which is why authentication results are always read together with the domain they were evaluated for.

CISA’s phishing guidance specifically recommends header analysis as a frontline detection technique, and NIST SP 800-177 details the technical standards that make this analysis possible.

How to View Email Headers

Gmail

Click the three-dot menu on the message, select “Show original.” The full headers appear in a new tab, with Google’s authentication summary at the top.

Outlook (Desktop)

Open the message, go to File > Properties. The “Internet headers” box shows the raw headers.

Outlook (Web)

Click the three-dot menu, select “View” > “View message source.”

Apple Mail

Select the message, go to View > Message > All Headers.

Key Header Fields to Examine

Return-Path and From

The Return-Path header records the envelope sender (the SMTP MAIL FROM address, where bounces go). It is written by the receiving server, so it reflects what the sending server actually announced rather than what the sender typed. Compare its domain to the domain in the From header. The two need not be identical: bulk-mail providers and ticketing systems routinely use their own bounce domain or a subdomain such as bounce.yourbank.com, so an exact-match rule would flag a great deal of legitimate mail. What matters is alignment, the same test DMARC applies: the Return-Path domain should be the claimed sender's domain or a subdomain of it. A Return-Path on an unrelated domain, with no SPF or DKIM result aligned to the From domain, is a strong phishing indicator.

Return-Path: <[email protected]>
From: "Your Bank" <[email protected]>

In this example, the message claims to be from yourbank.com but the Return-Path is on an unrelated domain. SPF is evaluated against the Return-Path domain, so even an SPF pass here is not aligned with yourbank.com; unless the message also carries a valid DKIM signature from yourbank.com, DMARC fails.

Received Headers

Received headers are added by each mail server that handles the message, each one prepended above the previous, so the newest hop is at the top and the earliest at the bottom. Read downward from the line your own server added to reach the claimed origin. Only the Received lines written by servers you trust are reliable: the sender controls everything that was already in the message when it arrived, so the hops below your server's line can be fabricated to look like an internal relay or a well-known provider. The connecting IP your own server logged is the last fact in the chain you can verify. Look for:

  • A connecting IP that does not belong to the claimed sender's infrastructure (compare it against the sender's published SPF record or known address ranges)
  • Server names from free hosting providers, consumer ISPs, or locations where the claimed sender has no presence
  • Inconsistencies in the chain (timestamps out of order, a hop that names a well-known server but records an IP that does not belong to it) suggesting header forgery

Authentication-Results

This is the most important header for phishing detection. It contains the results of SPF, DKIM, and DMARC checks performed by your mail server. The first token after the colon is the authserv-id, the name of the server that performed the checks (mx.google.com in the example below). Trust only the Authentication-Results line that carries your own provider's authserv-id: a sender can include a header with the same name and a pass result in the message it submits, and a receiving server that does not strip foreign copies will deliver it unchanged.

Authentication-Results: mx.google.com;
       dkim=pass header.d=example.com;
       spf=pass (google.com: domain of [email protected] designates 192.0.2.1 as permitted sender);
       dmarc=pass (p=REJECT) header.from=example.com

What each result means:

Check | Pass                                                 | Fail                                                  | Implication of a failure
SPF   | Sending IP is authorized by the Return-Path domain   | IP not in that domain's SPF record                    | Possible spoofing, or legitimate forwarding that changed the sending IP
DKIM  | Signature valid for the domain in header.d           | Signature invalid or missing                          | Message altered in transit, or never signed by the claimed domain
DMARC | SPF or DKIM passes with a domain aligned to From     | Neither SPF nor DKIM passed with an aligned domain    | The From domain's owner has not authorized this message

A dmarc=fail result on a message claiming to be from a major brand (Microsoft, Google, Amazon) is a near-certain phishing indicator, since these organizations publish DMARC policies of p=reject. Two caveats apply. A receiver that honors p=reject should never have delivered such a message, so one that reaches an inbox usually means the receiver overrode the policy or the domain's policy is weaker than assumed. And automatic forwarding or mailing lists can break SPF (and DKIM, if they rewrite the subject or body) for genuine mail, so check the Received chain for a forwarding hop before treating a dmarc=fail from a domain you regularly correspond with as malicious.

X-Mailer and Message-ID

The X-Mailer header names the client or tool that composed the message, and the Message-ID is generated by the sending system, normally with the sender's domain after the @. Both are set by the sender and trivially forged, and many legitimate senders omit X-Mailer entirely, so treat them as supporting evidence only. A Message-ID whose domain has no relation to the From domain, or an X-Mailer naming a bulk-mailing tool on a message that claims to be a personal note from a colleague, is worth recording, but neither confirms nor clears a message on its own.

Practical Analysis Workflow

  1. Open headers using the method for your email client
  2. Check Authentication-Results first, using only the line stamped with your own provider's authserv-id. If SPF or DKIM passes with a domain aligned to the From domain (dmarc=pass), the message is authenticated, though a compromised account or an attacker-owned lookalike domain can still send authenticated phishing
  3. Compare the Return-Path domain to the From domain; an unaligned domain is a red flag
  4. Trace Received headers from the hop your own server recorded down to the bottom to identify the claimed origin, remembering that every hop below your server's line was supplied by the sender
  5. Check the connecting IP your server logged against the organization's known infrastructure using WHOIS, reverse DNS, or the sender's published SPF record
  6. Examine X-Mailer and Message-ID for anomalies, as weak supporting signals

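The workflow above as an added, runnable Python example (this is not code from the original page). It parses a raw message with the standard library, selects only the Authentication-Results line carrying a given authserv-id, reports SPF/DKIM/DMARC results and DKIM alignment with the From domain, compares the Return-Path domain to From using relaxed alignment, walks the Received chain to separate the sender-supplied bottom hop from the connecting IP your own server logged, and returns findings with a verdict. The two sample messages, the hostnames mx.corp.example and yourbank.example, the IP addresses (documentation ranges) and the known_ips allow-list are all constructed for this example, and aligned() is a simplification of DMARC's organizational-domain rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Constructed sample 1: spoofed From, envelope and hops elsewhere, plus a fake Authentication-Results
SPOOF = """\
Return-Path: <bounce@mailer-7c2.example.net>
Received: from vps-203.example.net (vps-203.example.net [203.0.113.77])
 by mx.corp.example with ESMTP id def456; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.corp.example;
 spf=fail (sender IP is 203.0.113.77) smtp.mailfrom=mailer-7c2.example.net;
 dkim=none (message not signed);
 dmarc=fail (p=REJECT) header.from=yourbank.example
Received: from [10.0.0.5] (unknown [10.0.0.5])
 by vps-203.example.net (Postfix) with ESMTPA id 1A2B3; Mon, 1 Jan 2024 09:59:50 +0000
Authentication-Results: yourbank.example; spf=pass; dkim=pass; dmarc=pass
From: "Your Bank" <alerts@yourbank.example>
"""
# Constructed sample 2: the genuine bank, sending from its mail subdomain
LEGIT = """\
Return-Path: <bounce-12345@mail.yourbank.example>
Received: from out3.mail.yourbank.example (out3.mail.yourbank.example [192.0.2.25])
 by mx.corp.example with ESMTPS id ghi789; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.corp.example;
 spf=pass (sender IP is 192.0.2.25) smtp.mailfrom=mail.yourbank.example;
 dkim=pass header.d=yourbank.example header.s=sel1;
 dmarc=pass (p=REJECT) header.from=yourbank.example
From: "Your Bank" <alerts@yourbank.example>
"""

def strip_comments(value):
    """Drop RFC 5322 (comments), which may nest, and unfold whitespace."""
    out, depth = [], 0
    for ch in value:
        depth += (ch == "(") - (ch == ")" and depth > 0)  # track comment nesting
        if depth == 0 and ch not in "()":
            out.append(ch)
    return " ".join("".join(out).split())

def parse_auth_results(value):
    """RFC 8601 value -> {'authserv_id': ..., 'spf': {'result': ..., 'smtp.mailfrom': ...}, ...}."""
    stanzas = [s.strip() for s in strip_comments(value).split(";") if s.strip()]
    parsed = {"authserv_id": stanzas[0].split()[0].lower() if stanzas else ""}
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        parsed[method.lower()] = {"result": result.lower(),
                                  **dict(t.split("=", 1) for t in tokens[1:] if "=" in t)}
    return parsed

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()  # '' when no address present

def aligned(a, b):
    """Relaxed alignment: equal or one a subdomain of the other (simplified DMARC rule)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def received_chain(msg, trusted_host):
    """Received hops oldest-first; a hop our own server wrote is trusted, the rest came with the message."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        by, ip = RECEIVED_BY.search(value), IP_LITERAL.search(value)
        hops.append({"ip": ip.group(1) if ip else None,
                     "trusted": bool(by) and by.group(1).lower() == trusted_host.lower()})
    return hops

def triage(raw, trusted_host, known_ips):
    """Workflow steps 2-5 over a raw message; returns findings and a verdict."""
    msg = message_from_string(raw)
    from_domain, findings = domain_of(msg.get("From", "")), []
    # Step 2: use only the Authentication-Results our own server stamped (authserv-id)
    auth = next((p for p in map(parse_auth_results, msg.get_all("Authentication-Results", []))
                 if p["authserv_id"] == trusted_host.lower()), None)
    if auth is None:
        findings.append("no Authentication-Results from " + trusted_host)
    else:
        findings += ["%s=%s" % (m, auth.get(m, {}).get("result", "none"))
                     for m in ("spf", "dkim", "dmarc") if auth.get(m, {}).get("result") != "pass"]
        signer = auth.get("dkim", {}).get("header.d", "")
        if auth.get("dkim", {}).get("result") == "pass" and not aligned(signer, from_domain):
            findings.append("DKIM signer %s not aligned with From %s" % (signer, from_domain))
    # Step 3: envelope domain vs From; alignment, not identity (bulk senders use a bounce subdomain)
    rp = domain_of(msg.get("Return-Path", ""))
    if rp and not aligned(rp, from_domain):
        findings.append("Return-Path domain %s not aligned with From %s" % (rp, from_domain))
    # Steps 4-5: bottom hop is the claimed origin; the IP our server logged is the last verifiable one
    hops = received_chain(msg, trusted_host)
    origin_ip = hops[0]["ip"] if hops else None
    trusted_ip = next((h["ip"] for h in hops if h["trusted"]), None)
    if trusted_ip and trusted_ip not in known_ips:
        findings.append("delivering IP %s not in known infrastructure" % trusted_ip)
    dmarc = (auth or {}).get("dmarc", {}).get("result")
    verdict = ("phishing: DMARC fail on the claimed domain" if dmarc == "fail"
               else "suspicious: inspect URLs and content" if findings
               else "authenticated and aligned; content check still required")
    return {"from_domain": from_domain, "origin_ip": origin_ip, "trusted_ip": trusted_ip,
            "findings": findings, "verdict": verdict}
```

Call triage(SPOOF, "mx.corp.example", {"192.0.2.25"}) and triage(LEGIT, ...) to compare the two. In the spoofed case the planted Authentication-Results line is ignored because its authserv-id is not mx.corp.example, origin_ip is the sender-supplied bottom hop (10.0.0.5) while trusted_ip is what mx.corp.example actually connected with (203.0.113.77), and the verdict rests on the trusted dmarc=fail. The legitimate message passes with a Return-Path on a subdomain, which exact-match comparison would have flagged.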
Tools for Header Analysis

Several free tools parse headers automatically:

  • Google Admin Toolbox (Messageheader) — paste headers for a visual trace
  • MXToolbox Header Analyzer — identifies authentication failures and suspicious hops
  • Mail Header Analyzer (whatismyipaddress.com) — simplified breakdown

These tools highlight failures and anomalies that would take minutes to find manually. Bear in mind that pasting headers into a third-party site discloses the sender, recipient, subject, and routing of the message to that service; for anything sensitive, use an in-house parser or a tool that runs locally. For organizational use, email filtering solutions perform this analysis automatically on every inbound message.

Common Phishing Header Patterns

Pattern 1: Total authentication failure. SPF fail, DKIM fail, DMARC fail. The sender has no authorization to use the claimed domain. This is bulk spoofing. If the claimed domain publishes p=reject, mail like this should have been refused at the gateway; reaching an inbox means the domain has no enforcing policy or the receiver does not enforce it.

Pattern 2: SPF pass, DKIM fail, DMARC fail. SPF is evaluated against the Return-Path domain, which the attacker chose, so it passes for that domain; nothing is signed by the domain shown in From, and the SPF pass is not aligned with it, so DMARC fails. This is the typical shape of a message sent through an attacker-controlled or abused third-party sending service with a spoofed From address.

Pattern 3: All checks pass, but the domain is a lookalike. micros0ft-security.com passes all checks because the attacker controls the domain and configured authentication properly. This requires URL inspection and brand impersonation detection techniques rather than header analysis alone.

Pattern 4: Legitimate domain, compromised account. All authentication passes because the message genuinely came from the claimed domain — but the account was taken over. This is the hardest to detect via headers alone and requires content analysis and behavioral signals.

Limitations of Header Analysis

Header analysis is powerful but not infallible. Attackers who register lookalike domains and properly configure SPF, DKIM, and DMARC will pass all authentication checks. Compromised legitimate accounts also pass authentication. Header analysis works best as one layer in a defense-in-depth strategy that includes MFA, security awareness training, and zero trust architecture.

Key Takeaways

  • Email headers reveal authentication results that the visible “From” field hides
  • Authentication-Results is the single most valuable header field for phishing detection
  • A DMARC failure on a message claiming to be from a brand that publishes p=reject is a near-certain phishing indicator, once forwarding has been ruled out
  • Free tools like MXToolbox and Google Messageheader automate header parsing
  • Header analysis should be combined with URL inspection and content analysis for comprehensive detection

For the full phishing defense framework, see our phishing recognition and reporting guide.

Security education disclaimer: This article discusses email analysis techniques for defensive purposes only. Understanding how to read email headers helps defenders identify phishing. Do not use this information for unauthorized access or interception of others’ communications.