Email Header Analysis and Forensics: Investigating Suspicious Emails
Email header analysis is a critical skill for security investigations. Headers reveal the true origin of emails, authentication status, and path through mail servers. This guide teaches you to analyze headers for phishing detection, spoofing identification, and incident response.
Email Header Structure
┌─────────────────────────────────────────────────────────────────────────────┐
│ EMAIL HEADER ANATOMY │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ENVELOPE (Routing Information) │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Return-Path: <[email protected]> ← Where bounces go │ │
│ │ │ │
│ │ Received: from mx2.recipient.com (mx2.recipient.com [198.51.100.20]) │ │
│ │ by mx1.recipient.com with ESMTPS id abc123 │ │
│ │ for <[email protected]>; Mon, 8 Jan 2025 10:00:00 -0500 │ │
│ │ │ │
│ │ Received: from mail.example.com (mail.example.com [203.0.113.10]) │ │
│ │ by mx2.recipient.com with ESMTPS id xyz789 │ │
│ │ for <[email protected]>; Mon, 8 Jan 2025 09:59:58 -0500 │ │
│ │ ↑ │ │
│ │ READ BOTTOM-TO-TOP! │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ AUTHENTICATION RESULTS (Added by Receiving Server) │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Authentication-Results: mx1.recipient.com; │ │
│ │ dkim=pass [email protected] header.s=selector1; │ │
│ │ spf=pass (google.com: domain of [email protected] designates │ │
│ │ 203.0.113.10 as permitted sender) smtp.mailfrom=example.com; │ │
│ │ dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com │ │
│ │ │ │
│ │ Received-SPF: pass (google.com: domain of...) │ │
│ │ DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ MESSAGE METADATA │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Message-ID: <[email protected]> ← Unique identifier │ │
│ │ Date: Mon, 8 Jan 2025 14:59:55 +0000 ← Sender's claimed time │ │
│ │ MIME-Version: 1.0 │ │
│ │ Content-Type: multipart/alternative; boundary="---=_Part_123" │ │
│ │ X-Mailer: Microsoft Outlook 16.0 │ │
│ │ X-Originating-IP: [192.0.2.50] ← Sender's client IP │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ USER-VISIBLE HEADERS │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ From: "John Smith" <[email protected]> ← Display name + address │ │
│ │ To: [email protected] │ │
│ │ Subject: Important Document │ │
│ │ Reply-To: [email protected] ← Where replies go │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ EMAIL BODY (not headers) │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Hello, │ │
│ │ Please find attached... │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
How to View Email Headers
Gmail
Web:
- Open the email
- Click the three dots (⋮) in the top-right corner
- Select "Show original"
- Headers display in a new tab with analysis
Via API:
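# Using Gmail API (the "raw" field is base64url-encoded, so map it to standard base64 before decoding)
curl -H "Authorization: Bearer $TOKEN" \
  "https://gmail.googleapis.com/gmail/v1/users/me/messages/$MESSAGE_ID?format=raw" | \
  jq -r '.raw' | tr '_-' '/+' | base64 -d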
Microsoft Outlook
Outlook Web:
- Open the email
- Click the three dots (...)
- Select "View" → "View message details"
Outlook Desktop:
- Double-click to open email in new window
- File → Properties
- "Internet headers" box at bottom
PowerShell:
# Export email with headers
$outlook = New-Object -ComObject Outlook.Application
$email = $outlook.Session.GetDefaultFolder(6).Items | Where-Object {$_.Subject -eq "Subject"}
$email.SaveAs("C:\temp\email.msg")
Apple Mail
- Open the email
- View → Message → Raw Source (⌥⌘U)
Command Line
# View headers from .eml file
head -100 email.eml
# Parse headers with formail (procmail)
formail -x "Received:" < email.eml
# Pretty print headers
cat email.eml | grep -E "^(From|To|Subject|Date|Received|Authentication-Results):"
Analyzing Received Headers
The Received headers trace the email's journey. Read them from bottom to top (oldest first).
Received Header Anatomy
┌─────────────────────────────────────────────────────────────────────────────┐
│ RECEIVED HEADER BREAKDOWN │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Received: from mail.sender.com (mail.sender.com [203.0.113.10]) │
│ └─┬─────────────────┘ └─────────────────┘ └────────────┘ │
│ │ EHLO/HELO hostname Actual IP │
│ └── Claimed server name │
│ │
│ by mx.recipient.com (Postfix) with ESMTPS id ABC123DEF │
│ └─────────────────┘ └──────┘ └─────┘ └──────┘ └──────────┘ │
│ Receiving server Software Protocol Encryption Unique ID │
│ SMTP/ESMTP SMTPS=TLS │
│ │
│ for <[email protected]>; │
│ └─────────────────────┘ │
│ Recipient (envelope) │
│ │
│ Mon, 8 Jan 2025 10:00:00 -0500 (EST) │
│ └────────────────────────────────────┘ │
│ Timestamp when this server received it │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Tracing Email Path
┌─────────────────────────────────────────────────────────────────────────────┐
│ EMAIL PATH ANALYSIS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ EXAMPLE HEADERS (read bottom to top): │
│ │
│ 4. Received: from mx2.company.com (mx2.company.com [10.0.0.2]) │
│ by mailbox.company.com; Mon, 8 Jan 2025 10:00:03 -0500 │
│ ↑ Internal delivery to mailbox │
│ │
│ 3. Received: from mx1.company.com (mx1.company.com [198.51.100.20]) │
│ by mx2.company.com with ESMTPS; Mon, 8 Jan 2025 10:00:02 -0500 │
│ ↑ Internal hop between MX servers │
│ │
│ 2. Received: from mail.sender.com (mail.sender.com [203.0.113.10]) │
│ by mx1.company.com with ESMTPS; Mon, 8 Jan 2025 10:00:01 -0500 │
│ ↑ INBOUND from sender's mail server (FIRST EXTERNAL HOP) │
│ │
│ 1. Received: from [192.168.1.100] (unknown [192.0.2.50]) │
│ by mail.sender.com with ESMTPSA; Mon, 8 Jan 2025 10:00:00 -0500 │
│ ↑ ORIGIN - client submitted to sender's mail server │
│ [192.168.1.100] = client's local IP │
│ [192.0.2.50] = client's public IP (NAT) │
│ │
│ VISUAL PATH: │
│ │
│ [Sender PC] [Sender MTA] [Recipient MX1] [MX2] [Mailbox] │
│ 192.0.2.50 ──▶ 203.0.113.10 ──▶ 198.51.100.20 ──▶ 10.0.0.2 ──▶ Inbox │
│ │
│ Step 1 Step 2 Step 3 Step 4 │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Identifying Suspicious Received Headers
┌─────────────────────────────────────────────────────────────────────────────┐
│ RED FLAGS IN RECEIVED HEADERS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. HOSTNAME/IP MISMATCH │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Received: from mail.google.com (unknown [185.143.172.0]) │ │
│ │ └────────────┘ └──────┘ └──────────────┘ │ │
│ │ Claims Google Can't resolve Not a Google IP │ │
│ │ │ │
│ │ ⚠️ SUSPICIOUS: Claims to be Google but IP doesn't match │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ 2. TIMESTAMP INCONSISTENCIES │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Received: ... Mon, 8 Jan 2025 10:00:00 -0500 ← Later │ │
│ │ Received: ... Mon, 8 Jan 2025 10:05:00 -0500 ← Earlier (impossible!) │ │
│ │ │ │
│ │ ⚠️ FORGED: Timestamps should increase as you read up │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ 3. SUSPICIOUS ORIGIN COUNTRIES │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Received: from mail.legitimate-company.com (host.ru [185.x.x.x]) │ │
│ │ │ │
│ │ ⚠️ Claims US company but originates from suspicious region │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ 4. EXTRA RECEIVED HEADERS (Forgery Attempt) │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Received: from internal.company.com (internal.company.com [10.0.0.1])│ │
│ │ Received: from mx.company.com (mx.company.com [198.51.100.1]) │ │
│ │ Received: from "mail.google.com" (fake-server.bad [185.143.x.x]) │ │
│ │ └────── This was ADDED by attacker, not real Gmail ───────┘ │ │
│ │ │ │
│ │ ⚠️ Bottom headers can be forged - trust receiving server's headers │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
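The bottom-to-top reading and the red flags above can be checked mechanically. The following Python sketch is an added example, not code from the original page: it orders the hops oldest-first, marks everything recorded before the receiver's own servers as unverified, and flags timestamp regressions and missing reverse DNS. The sample headers are constructed, and the `company.com` hostnames are assumed to be the receiving organisation's servers.

```python
import re
from datetime import timedelta
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample using documentation IP ranges. The bottom header was
# written by the sender; company.com hosts are assumed to be the receiver's.
SAMPLE = """\
Received: from mx1.company.com (mx1.company.com [198.51.100.20])
 by mx2.company.com with ESMTPS; Mon, 8 Jan 2025 10:00:02 -0500
Received: from mail.google.com (unknown [203.0.113.77])
 by mx1.company.com with ESMTPS; Mon, 8 Jan 2025 10:00:01 -0500
Received: from internal.google.com (internal.google.com [10.1.1.1])
 by mail.google.com with ESMTP; Mon, 8 Jan 2025 10:05:00 -0500
From: "Support" <support@example.com>

Hello,
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>[^\s;]+)", re.I)
SKEW = timedelta(seconds=60)  # tolerate small clock differences between servers


def parse_hops(msg):
    """Return hops oldest-first; each server prepends, so reverse the list."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())
        m = HOP.search(text)
        if not m or ";" not in text:
            continue  # layout not covered by this sketch
        hop = m.groupdict()
        hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append(hop)
    return hops


def analyze(msg, our_servers):
    """Return (first external IP seen by our servers, [(hop_no, flag), ...])."""
    hops = parse_hops(msg)
    # The oldest hop recorded *by* one of our servers is the trust boundary.
    boundary = next((i for i, h in enumerate(hops)
                     if h["by"].lower() in our_servers), None)
    flags = []
    for i, hop in enumerate(hops):
        if boundary is None or i < boundary:
            flags.append((i + 1, "unverified"))  # sender-controlled text
        if i > 0 and hop["time"] + SKEW < hops[i - 1]["time"]:
            flags.append((i + 1, "time-regression"))
        if hop["rdns"].lower() == "unknown":
            flags.append((i + 1, "no-rdns"))
        elif hop["rdns"].lower() != hop["helo"].lower():
            # A lead to follow up, not proof: HELO and PTR names often differ.
            flags.append((i + 1, "helo-rdns-mismatch"))
    origin_ip = hops[boundary]["ip"] if boundary is not None else None
    return origin_ip, flags


if __name__ == "__main__":
    msg = message_from_string(SAMPLE, policy=policy.default)
    print(analyze(msg, {"mx1.company.com", "mx2.company.com"}))
```

The IP returned is the one to take to GeoIP and reputation lookups; addresses in hops flagged `unverified` are only claims made by the sender.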
Authentication-Results Analysis
The most important header for determining email legitimacy:
┌─────────────────────────────────────────────────────────────────────────────┐
│ AUTHENTICATION-RESULTS BREAKDOWN │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Authentication-Results: mx.google.com; │
│ └── Server that performed the checks │
│ │
│ dkim=pass [email protected] header.s=selector1 header.b=abc123; │
│ └────┘ └─────────────────────┘ └─────────────────┘ └───────────┘ │
│ Result Signing domain Selector used Sig prefix │
│ │
│ spf=pass (google.com: domain of [email protected] designates │
│ └──┘ 203.0.113.10 as permitted sender) │
│ Result smtp.mailfrom=example.com; │
│ └── Envelope from domain │
│ │
│ dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com │
│ └────┘ └──────┘ └───────┘ └───────┘ └────────────────────────┘ │
│ Result Policy Subdomain Disposition RFC5322.From domain │
│ policy (action taken) │
│ │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ RESULT INTERPRETATION: │
│ │
│ ┌────────────┬───────────────────────────────────────────────────────────┐│
│ │ Result │ Meaning ││
│ ├────────────┼───────────────────────────────────────────────────────────┤│
│ │ pass │ Authentication successful ✓ ││
│ │ fail │ Authentication failed (definite forgery) ✗ ││
│ │ softfail │ Likely forgery (SPF ~all) ⚠ ││
│ │ neutral │ No assertion made (SPF ?all) ││
│ │ none │ No authentication record found ││
│ │ temperror │ Temporary failure (DNS timeout) ││
│ │ permerror │ Permanent error (malformed record) ││
│ └────────────┴───────────────────────────────────────────────────────────┘│
│ │
└─────────────────────────────────────────────────────────────────────────────┘
What Each Authentication Result Tells You
| Check | Pass Means | Fail Means |
|---|---|---|
| SPF | Sending IP is authorized by sender's domain | IP not authorized - possible spoofing |
| DKIM | Message cryptographically signed by domain, unmodified | Signature invalid - forged or modified |
| DMARC | SPF or DKIM passed AND aligned with From domain | Likely spoofed From address |
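An Authentication-Results header is only trustworthy when the receiving server wrote it, and a message can arrive carrying extra copies supplied by the sender. The Python sketch below is an added example, not code from the original page: it parses each header, ignores parenthesised comments, and keeps results only from the header whose authserv-id is the trusted server. The hostname `mx1.recipient.com` as the trusted server and the sample message are assumptions constructed for the illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample. The lower header was supplied by the sender; only the
# one stamped by the receiving server (assumed: mx1.recipient.com) counts.
SAMPLE = """\
Authentication-Results: mx1.recipient.com;
 dkim=none; spf=softfail (not a permitted sender) smtp.mailfrom=example.com;
 dmarc=fail (p=REJECT) header.from=example.com
Authentication-Results: mx.attacker.test; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "John Smith" <john@example.com>
Subject: Important Document

Hello,
"""

COMMENT = re.compile(r"\([^()]*\)")  # parenthesised comments (non-nested)
RESULT = re.compile(r"^(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)


def parse_auth_results(value):
    """Return (authserv_id, {method: result}) for one header value."""
    value = COMMENT.sub(" ", " ".join(value.split()))
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = RESULT.match(part)
        if m:
            # Keep the first result per method (several DKIM results can appear).
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return authserv_id, results


def trusted_results(msg, trusted_authserv_id):
    """Merge results only from headers written by the trusted server."""
    merged = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(value))
        if authserv_id == trusted_authserv_id.lower():
            for method, result in results.items():
                merged.setdefault(method, result)
    return merged


def verdict(results):
    """fail if any check failed, pass only on DMARC pass, else inconclusive."""
    if any(results.get(m) == "fail" for m in ("spf", "dkim", "dmarc")):
        return "fail"
    return "pass" if results.get("dmarc") == "pass" else "inconclusive"


def naive_spf_pass(msg):
    """Substring test over every header: also matches the forged one."""
    return any("spf=pass" in str(v).lower()
               for v in msg.get_all("Authentication-Results", []))


if __name__ == "__main__":
    msg = message_from_string(SAMPLE, policy=policy.default)
    results = trusted_results(msg, "mx1.recipient.com")
    print("naive spf=pass:", naive_spf_pass(msg))
    print("trusted:", results, "->", verdict(results))
```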
Detecting Email Spoofing
Spoofing Detection Checklist
┌─────────────────────────────────────────────────────────────────────────────┐
│ SPOOFING DETECTION CHECKLIST │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. AUTHENTICATION STATUS │
│ [ ] SPF = pass? │
│ [ ] DKIM = pass? │
│ [ ] DMARC = pass? │
│ ⚠️ Any "fail" is a strong indicator of spoofing │
│ │
│ 2. DOMAIN ALIGNMENT │
│ [ ] From domain matches Return-Path domain? │
│ [ ] From domain matches DKIM d= domain? │
│ [ ] From domain matches Message-ID domain? │
│ ⚠️ Mismatches may indicate forwarding OR spoofing │
│ │
│ 3. FROM ADDRESS INSPECTION │
│ [ ] Display name matches email address? │
│ [ ] Domain is not a lookalike? (goog1e.com, rnicrosoft.com) │
│ [ ] Domain is not a free email service for "corporate" sender? │
│ ⚠️ "IT Support <[email protected]>" is suspicious │
│ │
│ 4. RECEIVED HEADERS │
│ [ ] Origin IP matches expected sender region? │
│ [ ] No impossible timestamp sequences? │
│ [ ] First external hop is legitimate? │
│ ⚠️ Check GeoIP of origin IPs │
│ │
│ 5. CONTENT INDICATORS │
│ [ ] URLs domain matches sender's organization? │
│ [ ] No URL shorteners hiding destinations? │
│ [ ] Attachment names are not suspicious? │
│ ⚠️ Hover over links to see actual URLs │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Common Spoofing Patterns
Pattern 1: Display Name Spoofing
From: "CEO John Smith" <[email protected]>
└──────────────┘ └──────────────────────┘
Looks legitimate Actual address is different
Pattern 2: Domain Lookalike
From: [email protected] ← "rn" looks like "m"
From: [email protected] ← "rn" instead of "m"
From: [email protected] ← "1" instead of "l"
Pattern 3: Subdomain Abuse
From: [email protected]
└─── Actual domain
└─────────────────────┘ Just a subdomain
Pattern 4: Unicode Homograph
From: admin@аpple.com ← Cyrillic "а" (U+0430)
└── Looks identical to Latin "a" but different character
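The four patterns above can be screened for in the From header before a human looks at the message. This Python sketch is an added example, not code from the original page; the list of protected domains, the small confusable map, and the sample addresses in it are assumptions constructed for the illustration.

```python
from email.utils import parseaddr

# Domains worth protecting: an assumption for this example.
PROTECTED = ("microsoft.com", "paypal.com", "apple.com")
# Look-alike sequences from the patterns above; deliberately not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def skeleton(domain):
    """Fold look-alike sequences so visually similar domains compare equal."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def is_same_org(domain, protected):
    """True for the protected domain itself or a genuine subdomain of it."""
    return domain == protected or domain.endswith("." + protected)


def inspect_from(from_header):
    """Return sorted flags for one From header value."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ["unparseable"]
    flags = set()
    # Pattern 4: non-ASCII or punycode labels can hide homographs.
    if not domain.isascii() or any(label.startswith("xn--")
                                   for label in domain.split(".")):
        flags.add("idn-domain")
    for protected in PROTECTED:
        if is_same_org(domain, protected):
            continue
        brand = protected.split(".")[0]
        # Pattern 1: brand in the display name, different domain in the address.
        if brand in display.lower():
            flags.add("display-name:" + protected)
        # Pattern 2: folds to the protected domain but is not that domain.
        if skeleton(domain) == skeleton(protected):
            flags.add("lookalike:" + protected)
        # Pattern 3: protected name appears only as leading labels.
        if domain.startswith(protected + ".") or ("." + protected + ".") in domain:
            flags.add("subdomain-abuse:" + protected)
    return sorted(flags)


if __name__ == "__main__":
    for sample in ('"Microsoft Support" <help@rnicrosoft.com>',  # constructed
                   "billing@paypal.com.secure-login.example",
                   "admin@\u0430pple.com",
                   '"John Smith" <john@paypal.com>'):
        print(sample.encode("unicode_escape").decode(), inspect_from(sample))
```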
Forensic Analysis Workflow
┌─────────────────────────────────────────────────────────────────────────────┐
│ EMAIL FORENSICS WORKFLOW │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ STEP 1: PRESERVE EVIDENCE │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ • Export email as .eml file (preserves all headers) │ │
│ │ • Screenshot "Show Original" / "View Source" │ │
│ │ • Document timestamp of discovery │ │
│ │ • Note who reported and when │ │
│ │ • Hash the .eml file: sha256sum suspicious_email.eml │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ STEP 2: INITIAL TRIAGE │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ • Check Authentication-Results (SPF, DKIM, DMARC) │ │
│ │ • Identify From address and Return-Path │ │
│ │ • Note any obvious red flags │ │
│ │ • Classify: spam, phishing, BEC, malware delivery │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ STEP 3: HEADER ANALYSIS │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ • Trace Received headers (bottom to top) │ │
│ │ • Identify originating IP address │ │
│ │ • Perform GeoIP lookup on origin │ │
│ │ • Check IP reputation (AbuseIPDB, VirusTotal) │ │
│ │ • Look for X-Originating-IP header │ │
│ │ • Analyze Message-ID format and domain │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ STEP 4: CONTENT ANALYSIS │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ • Extract and defang URLs: https://evil[.]com │ │
│ │ • Check URLs on VirusTotal, URLhaus │ │
│ │ • Identify attached files │ │
│ │ • Hash attachments (DO NOT EXECUTE) │ │
│ │ • Submit hashes to VirusTotal │ │
│ │ • Analyze any Office macros (safely) │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ STEP 5: INFRASTRUCTURE INVESTIGATION │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ • WHOIS lookup on sender domain │ │
│ │ • DNS records (MX, SPF, DKIM, DMARC) │ │
│ │ • Check domain age (newly registered = suspicious) │ │
│ │ • Investigate hosting infrastructure │ │
│ │ • Look for related domains/IPs │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ STEP 6: DOCUMENT FINDINGS │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ • Create incident report with timeline │ │
│ │ • Document all IOCs (IPs, domains, hashes, email addresses) │ │
│ │ • Determine scope (who else received this?) │ │
│ │ • Recommend actions (block sender, update filters) │ │
│ │ • Preserve evidence chain of custody │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Useful Header Fields Reference
Standard Headers
| Header | Purpose | Forgeable? |
|---|---|---|
| From | Display sender address | YES - easily spoofed |
| To | Display recipient address | YES |
| Subject | Email subject line | YES |
| Date | Claimed send time | YES |
| Reply-To | Where replies go | YES |
| Return-Path | Bounce address (envelope) | Harder - set by server |
| Message-ID | Unique message identifier | YES, but an unusual format is suspicious |
Authentication Headers
| Header | Purpose | Trustworthy? |
|---|---|---|
| Authentication-Results | SPF/DKIM/DMARC results | YES - added by receiving server |
| Received-SPF | SPF check result | YES - added by receiving server |
| DKIM-Signature | DKIM signature | Cryptographically verifiable |
| ARC-* | Authenticated Received Chain | For forwarded mail |
Routing Headers
| Header | Purpose | Trustworthy? |
|---|---|---|
| Received | Mail server hop | PARTIAL - newest are trustworthy |
| X-Originating-IP | Client's IP | Depends on provider |
| X-Sender-IP | Similar to above | Depends on provider |
Informational Headers
| Header | Purpose | Notes |
|---|---|---|
| X-Mailer | Sending software | Can reveal attacker's tools |
| User-Agent | Client software | Can reveal attacker's platform |
| X-Priority | Message priority | High priority is common on phishing |
| X-Spam-Status | Spam filter result | Shows what filters detected |
Command-Line Analysis Tools
Extract Headers with grep
# Extract key headers
cat email.eml | grep -E "^(From|To|Subject|Date|Return-Path|Message-ID|Received|Authentication-Results):" | head -50
# Extract just Received headers
grep "^Received:" email.eml
# Extract authentication results
grep -A5 "^Authentication-Results:" email.eml
IP Analysis
# Extract IPs from headers
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" email.eml | sort -u
# GeoIP lookup (with geoiplookup)
for ip in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" email.eml | sort -u); do
  echo "$ip: $(geoiplookup $ip)"
done
# Check IP reputation
curl -s "https://api.abuseipdb.com/api/v2/check?ipAddress=203.0.113.10" \
-H "Key: YOUR_API_KEY" -H "Accept: application/json" | jq
URL Extraction
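# Extract URLs from email body (the MIME parser decodes base64 and quoted-printable text parts)
python3 -c 'import sys, email, email.policy as p
for part in email.message_from_binary_file(sys.stdin.buffer, policy=p.default).walk():
    if part.get_content_maintype() == "text": print(part.get_content())' < email.eml |
  grep -oE "https?://[^\"' >]+" | sort -u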
# Defang URLs for safe sharing
cat urls.txt | sed 's/\./[.]/g' | sed 's/http/hxxp/'
Python Header Parser
#!/usr/bin/env python3
"""Email header analyzer for forensics"""
import email
import re
from email import policy
from email.parser import BytesParser


def analyze_email(file_path):
    with open(file_path, 'rb') as f:
        msg = BytesParser(policy=policy.default).parse(f)

    print("=" * 60)
    print("EMAIL HEADER ANALYSIS")
    print("=" * 60)

    # Basic headers
    print(f"\nFrom: {msg['from']}")
    print(f"To: {msg['to']}")
    print(f"Subject: {msg['subject']}")
    print(f"Date: {msg['date']}")
    print(f"Return-Path: {msg['return-path']}")
    print(f"Message-ID: {msg['message-id']}")

    # Authentication results
    auth_results = msg['authentication-results']
    if auth_results:
        print(f"\n--- Authentication Results ---")
        print(auth_results)

        # Parse results
        if 'spf=pass' in auth_results.lower():
            print("✓ SPF: PASS")
        elif 'spf=fail' in auth_results.lower():
            print("✗ SPF: FAIL - Possible spoofing!")
        else:
            print("? SPF: Unknown or not checked")

        if 'dkim=pass' in auth_results.lower():
            print("✓ DKIM: PASS")
        elif 'dkim=fail' in auth_results.lower():
            print("✗ DKIM: FAIL - Possible spoofing!")
        else:
            print("? DKIM: Unknown or not checked")

        if 'dmarc=pass' in auth_results.lower():
            print("✓ DMARC: PASS")
        elif 'dmarc=fail' in auth_results.lower():
            print("✗ DMARC: FAIL - Likely spoofed!")
        else:
            print("? DMARC: Unknown or not checked")

    # Received headers (reversed for chronological order)
    received_headers = msg.get_all('received', [])
    print(f"\n--- Received Headers ({len(received_headers)} hops) ---")
    for i, received in enumerate(reversed(received_headers), 1):
        print(f"\n{i}. {received[:100]}...")

    # Extract IPs
    print("\n--- IP Addresses Found ---")
    all_headers = str(msg)
    ips = set(re.findall(r'\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b', all_headers))
    for ip in sorted(ips):
        if not ip.startswith(('10.', '192.168.', '127.')):
            print(f"  {ip}")


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <email.eml>")
        sys.exit(1)
    analyze_email(sys.argv[1])
Indicators of Compromise (IOCs)
When analyzing suspicious emails, document these IOCs:
┌─────────────────────────────────────────────────────────────────────────────┐
│ IOC EXTRACTION TEMPLATE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ EMAIL IOCs │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Sender Email: [email protected] │ │
│ │ Reply-To: [email protected] │ │
│ │ Return-Path: [email protected] │ │
│ │ Message-ID: <[email protected]> │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ NETWORK IOCs │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Sending IP: 203.0.113.10 │ │
│ │ X-Originating-IP: 192.0.2.50 │ │
│ │ URLs in Body: hxxps://malicious[.]com/phish │ │
│ │ Domains: malicious-domain[.]com │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ FILE IOCs │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Attachment: Invoice_2025.pdf.exe │ │
│ │ SHA256: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0... │ │
│ │ File Size: 45,312 bytes │ │
│ │ File Type: PE32 executable (disguised as PDF) │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
│ BEHAVIORAL IOCs │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Urgency Language: "Immediate action required" │ │
│ │ Impersonation: CEO name in display name │ │
│ │ Financial Request: Wire transfer, gift card purchase │ │
│ │ Credential Phish: Login page lookalike │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘