What tools and techniques do I need to extract and analyze email headers?

A comprehensive guide to tools and techniques for extracting, parsing, and analyzing email headers for security investigations and threat analysis.

By Inventive HQ Team
Why Email Header Analysis Matters

Email header analysis is a critical skill for security professionals, IT administrators, and anyone investigating suspicious emails. Headers contain forensic information about how a message was routed, where it originated, whether it passed authentication checks, and whether it was modified in transit. However, email headers are notoriously difficult to read—they're often hidden by email clients, presented in a confusing format, and contain technical jargon that obscures their meaning.

The difference between a security professional who can quickly identify a phishing email from raw headers and someone who's stumped by them comes down to having the right tools and understanding the techniques for extracting, parsing, and interpreting header data. This guide covers both the manual techniques security professionals use and the specialized tools that automate header analysis.

Manually Extracting Email Headers

Email Client Methods

The first step in header analysis is getting access to the full headers. Different email clients store headers in different locations:

Gmail/Google Workspace

  1. Open the email
  2. Click the three-dot menu (More options)
  3. Select "Show original"
  4. Copy the entire content including headers and body
  5. Paste into a text editor or analysis tool

Outlook/Microsoft 365

  1. Open the email
  2. Click "File" > "Properties" (Outlook desktop)
  3. Look for "Internet Headers" field
  4. Copy and paste full headers

Apple Mail

  1. Open the email
  2. Choose View menu > Message > Show All Headers
  3. Copy headers from the displayed text

Thunderbird

  1. Open the email
  2. Click View > Message Body As > Plain Text
  3. Scroll to see full headers

Exporting Raw Email Files

For more complete forensic analysis, export the email in its native format:

EML Format: Stores complete email including headers, body, and attachments

  • Gmail: Use Google Takeout to export emails
  • Outlook: Save as file, then rename .msg to .eml for text parsing
  • Thunderbird: Right-click email, select "Save As"

PST/OST Format: Outlook's proprietary format

  • Contains multiple emails and folder structure
  • Requires Outlook or specialized PST readers to parse
  • Can be analyzed with tools like RecoveryTools PST Viewer

MBOX Format: Standard format used by many email systems

  • Contains one or more emails in text format
  • Each email separated by "From " line
  • Can be opened with text editors

Manual Header Parsing Technique

For critical investigations, manually reading headers teaches you to spot patterns:

  1. Scroll to the bottom of the headers (the oldest entries)
  2. Read the Received headers from the bottom up: each server prepends its own line, so the list is newest-first and reading upward follows the hops in chronological order
  3. Extract IP addresses from each Received header
  4. Note timestamps and compare for consistency
  5. Look for suspicious patterns:
    • Unexpected mail server names
    • Unusual IP addresses
    • Time gaps between hops
    • DNS mismatches
  6. Check authentication results: SPF, DKIM, DMARC, Authentication-Results
  7. Compare properties: Sender domains, return paths, envelope senders
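The bottom-up walk described above, as an added example (not part of the original guide): it reads the Received headers oldest-first, pulls the connecting IP, the "from" and "by" host names and the timestamp from each hop, and flags hops whose delay to the next hop is negative or unusually long. The header block is constructed for the demo; the 3600-second threshold is an assumption.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample headers (not a real message). Each MTA prepends its own
# Received line, so the newest hop is at the top and the oldest at the bottom.
RAW_HEADERS = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.corp.example (Postfix) with ESMTPS id ABC123;
    Mon, 3 Jun 2024 09:15:42 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.example.net with ESMTP; Mon, 3 Jun 2024 09:15:40 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
    by relay.example.org with ESMTPA; Mon, 3 Jun 2024 07:02:11 +0000
From: "Accounts" <accounts@example.com>
Subject: Invoice

body
"""

IP_RE = re.compile(r"\[?((?:[0-9]{1,3}\.){3}[0-9]{1,3})\]?")
HOP_RE = re.compile(r"from (\S+).*? by (\S+)")


def received_chain(raw):
    """Return the hops oldest-first, one dict per Received header."""
    msg = email.message_from_bytes(raw)
    hops = []
    # reversed(): the bottom-most header is the first hop (steps 1 and 2)
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        names = HOP_RE.search(value)
        ips = IP_RE.findall(value)                  # first IP = connecting client
        stamp = value.rsplit(";", 1)[1].strip()     # the date follows the last ';'
        hops.append({
            "from": names.group(1) if names else None,
            "by": names.group(2) if names else None,
            "ip": ips[0] if ips else None,
            "time": parsedate_to_datetime(stamp),
        })
    return hops


def hop_gaps(hops):
    """Seconds between consecutive hops; negative means skewed clocks or a forged line."""
    return [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])]


def suspicious_gaps(hops, max_seconds=3600):
    """Indexes of hops whose delay to the next hop is negative or longer than max_seconds."""
    return [i for i, gap in enumerate(hop_gaps(hops)) if gap < 0 or gap > max_seconds]
```

Calling received_chain(RAW_HEADERS) on the sample yields the hops 203.0.113.5, 198.51.100.7, 192.0.2.10 in order, and suspicious_gaps() points at the first hop, which sat for over two hours before the relay accepted it.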

Specialized Email Header Analysis Tools

Online Header Analyzers

Email Header Analyzer (Inventive HQ)

A free, specialized tool that parses email headers and provides:

  • Automatic SPF/DKIM/DMARC result interpretation
  • IP geolocation with map visualization
  • Mail server routing diagram
  • Authentication result details
  • Red flag highlighting for suspicious patterns
  • Clear visual presentation of complex data

Simply paste raw headers and instantly get a comprehensive analysis with visual representations.

MXToolbox Email Header Analysis

MXToolbox offers several header analysis features:

  • SPF record validation and explanation
  • Received header parsing
  • Authentication result interpretation
  • Blacklist checking
  • Simple, web-based interface
  • No account required

Google Admin Toolbox - Messageheader

Google's free tool specifically for analyzing Gmail and Google Workspace headers:

  • Visualizes mail flow path
  • Shows timestamps and delays
  • Highlights suspicious patterns
  • Specifically designed for Google infrastructure

Phishtool

Browser extension and online service that helps analyze suspected phishing emails:

  • Integrates with Gmail
  • Extracts headers automatically
  • Analyzes URLs and attachments
  • Provides phishing indicators
  • Links to threat intelligence databases

Enterprise Email Security Solutions

Proofpoint: Advanced threat detection with header analysis

  • Scans headers for suspicious patterns
  • Integrates with email systems
  • Provides forensic details on compromised accounts
  • Large-scale analysis of email traffic

Mimecast: Email security platform with header-based threat detection

  • Advanced analytics on email flows
  • Threat intelligence integration
  • User awareness training
  • Integrates with major email providers

Cisco Ironport: Email gateway with deep header analysis

  • Gateway-level header inspection
  • Authentication enforcement
  • Threat reputation lookups
  • Large-scale deployments

Manual Techniques for Different Investigation Types

Investigation: Phishing Email Detection

Steps:

  1. Extract headers from the suspected phishing email
  2. Check Authentication-Results for SPF/DKIM/DMARC status:
    • All failures = strong phishing indicator
    • Passes for unexpected domain = domain spoofing
    • Alignment fails = impersonation
  3. Look at Received headers for suspicious mail servers
  4. Extract URLs from email body and analyze
  5. Check Received-SPF header for domain matching
  6. Review Return-Path vs. From: header mismatch
  7. Check X-Originating-IP for unexpected location

Red Flags:

  • SPF fail, DKIM fail, DMARC fail
  • X-Originating-IP in unexpected country
  • Mail server domains don't match claimed organization
  • Timestamp inconsistencies
  • URLs showing different domain than email claims
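Steps 2 and 6 of the phishing check above (Authentication-Results status plus Return-Path vs. From comparison), as an added example that is not part of the original guide: it maps spf/dkim/dmarc to their results and reports the red flags listed above, including an SPF pass that applies to a different domain than the visible From. The sample message, its lookalike domain and the flag wording are constructed.

```python
import email
import re
from email.utils import parseaddr

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)

# Constructed sample (not a real message): the From header claims example.com,
# but the envelope sender and the SPF-checked domain belong to a lookalike.
SAMPLE = b"""\
Return-Path: <bounce@examp1e-mail.net>
Authentication-Results: mx.corp.example;
    spf=pass smtp.mailfrom=examp1e-mail.net;
    dkim=none;
    dmarc=fail (p=reject) header.from=example.com
From: "Payroll" <payroll@example.com>
To: user@corp.example
Subject: Urgent: update your direct deposit

body
"""


def auth_results(msg):
    """Map spf/dkim/dmarc -> result from the Authentication-Results header(s)."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(value):
            results.setdefault(method.lower(), result.lower())
    return results


def domain_of(header_value):
    """Bare domain of the address in a From/Return-Path header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def phishing_flags(raw):
    """Return (auth results, list of red flags) for one raw message."""
    msg = email.message_from_bytes(raw)
    auth = auth_results(msg)
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    flags = []
    if all(auth.get(m) in ("fail", "softfail", "permerror") for m in ("spf", "dkim", "dmarc")):
        flags.append("SPF, DKIM and DMARC all failed")
    if auth.get("dmarc") == "fail":
        flags.append(f"DMARC failed for From domain {from_dom}")
    if rp_dom and from_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
        if auth.get("spf") == "pass":
            flags.append(f"SPF pass applies to {rp_dom}, not to the From domain (alignment failure)")
    return auth, flags
```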

Investigation: Business Email Compromise

Steps:

  1. Compare current email headers to baseline of legitimate emails from sender
  2. Look for new/unusual X-Originating-IP addresses
  3. Check for unusual DKIM signatures if account compromised
  4. Look at Received timestamps - does timing match normal work hours?
  5. Check timezone consistency in headers vs. employee location
  6. Review forwarding rules added to mailbox
  7. Check for unusual Authentication-Results patterns

Red Flags:

  • New IP addresses not in baseline
  • Emails sent outside normal work hours
  • Different timezone than employee location
  • New Mail-From addresses
  • Changed DKIM selectors

Investigation: Account Compromise

Steps:

  1. Extract headers from all recent emails from the account
  2. Create baseline: Document normal Received headers, IPs, authentication
  3. Compare recent emails to baseline
  4. Look for new X-Originating-IP addresses
  5. Check for new User-Agent entries (different email clients)
  6. Review Received-From patterns for anomalies
  7. Check for login location changes in mailbox logs
  8. Analyze SPF alignment changes

Red Flags:

  • New IP addresses sending emails
  • Email clients from unexpected platforms
  • Unusual Received header chains
  • Modified forwarding rules
  • New application authorizations
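The baseline comparison that both the BEC and account-compromise investigations above rely on (new X-Originating-IP, new email client, changed DKIM selector, new Mail-From), as an added example that is not part of the original guide: it profiles each known-good message, collects the values seen per field, and reports which fields of a new message fall outside that history. The make_msg() builder, the sender, IPs, client strings and selector names are constructed for the demo.

```python
import email
import re
from email.utils import parseaddr


def make_msg(ip, agent, selector, sender="jdoe@example.com"):
    """Constructed minimal message for the demo; real mail carries many more headers."""
    return (f"Return-Path: <{sender}>\n"
            f"X-Originating-IP: [{ip}]\n"
            f"User-Agent: {agent}\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s={selector};"
            f" h=from:to:subject; b=PLACEHOLDER\n"
            f"From: Jane Doe <{sender}>\nSubject: status\n\nbody\n").encode()


# Known-good history for the account (constructed) and one new message to vet.
BASELINE_RAW = [make_msg("192.0.2.44", "Microsoft Outlook 16.0", "sel2023"),
                make_msg("192.0.2.45", "Microsoft Outlook 16.0", "sel2023")]
NEW_RAW = make_msg("203.0.113.77", "Mozilla Thunderbird", "sel2023")

FIELDS = ("orig_ip", "user_agent", "dkim_selector", "mail_from")


def header_profile(raw):
    """Pull the attributes the baseline is built from out of one raw message."""
    msg = email.message_from_bytes(raw)
    selector = re.search(r"\bs=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return {
        "orig_ip": (msg.get("X-Originating-IP") or "").strip("[]"),
        "user_agent": msg.get("User-Agent") or msg.get("X-Mailer") or "",
        "dkim_selector": selector.group(1) if selector else "",
        "mail_from": parseaddr(msg.get("Return-Path") or "")[1].lower(),
    }


def build_baseline(raw_messages):
    """Set of values seen per field across the known-legitimate messages."""
    baseline = {field: set() for field in FIELDS}
    for raw in raw_messages:
        for field, value in header_profile(raw).items():
            if value:
                baseline[field].add(value)
    return baseline


def anomalies(baseline, raw):
    """Fields of the new message whose value never appeared in the baseline."""
    return {field: value for field, value in header_profile(raw).items()
            if value and value not in baseline[field]}
```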

Automated Analysis Techniques

Email Log Analysis

For organizations with email logs, automated analysis can detect patterns:

Create alerts for:

  • Emails failing all authentication checks
  • Emails from unexpected geographic regions
  • Sudden spike in emails from specific accounts
  • Authentication failures followed by successful sends
  • Emails with modified Return-Path domains
  • Unusual Received header patterns

Tools for log analysis:

  • Splunk: Creates custom dashboards and alerts from email logs
  • ELK Stack (Elasticsearch): Free alternative for log analysis
  • Sumo Logic: Cloud-based log management
  • Cloud provider tools: Google Cloud Logging, Azure Monitor

Regex Patterns for Header Parsing

For developers and advanced analysts, regular expressions can extract specific information:

Extract all IP addresses from Received headers:

(?:[0-9]{1,3}\.){3}[0-9]{1,3}

Extract domain names from Received headers:

(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}

Extract Authentication-Results status:

Authentication-Results:.*?(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)

These patterns can be used with tools like grep, sed, or in custom Python/PowerShell scripts.

Python for Header Analysis

Security professionals often write Python scripts for custom analysis:

import email
import re

# Parse an exported .eml file; binary mode avoids decode errors on 8-bit headers
with open('email.eml', 'rb') as f:
    msg = email.message_from_binary_file(f)

# Print the headers most useful for routing and authentication review
# (header names are case-insensitive, so compare in lowercase)
for header, value in msg.items():
    name = header.lower()
    if name == 'received':
        print(f"Received: {value}")
    elif name == 'authentication-results':
        print(f"Auth-Results: {value}")
    elif name == 'x-originating-ip':
        print(f"Originating IP: {value}")

# Extract IP addresses from every Received header (values may span folded lines)
received_headers = msg.get_all('Received', [])
ip_pattern = r'\[?(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]?'
for received in received_headers:
    ips = re.findall(ip_pattern, received)
    for ip in ips:
        print(f"Found IP: {ip}")

Scripts like this can:

  • Parse multiple emails at once
  • Extract specific headers automatically
  • Format results for further analysis
  • Generate statistics across many emails
  • Integrate with WHOIS and geolocation APIs

Building a Header Analysis Workflow

For Security Professionals

Quick Analysis (2-5 minutes):

  1. Use Email Header Analyzer tool - paste headers
  2. Look at authentication results
  3. Check IP geolocation
  4. Scan for red flags in the tool's output
  5. Make pass/fail decision

Deep Dive Analysis (15-30 minutes):

  1. Extract raw headers to text file
  2. Manually parse Received headers
  3. Create IP list and geolocate each
  4. Do WHOIS lookups on suspicious IPs
  5. Check SPF records for sending domain
  6. Review DKIM records and selectors
  7. Analyze complete routing path
  8. Compare to baseline if account-related
  9. Document findings

For IT Administrators

Email System Monitoring:

  1. Configure email server logging (enable verbose headers)
  2. Use email security appliance dashboard (Proofpoint, Mimecast, etc.)
  3. Set up alerts for authentication failures
  4. Create reports on DMARC alignment
  5. Monitor for new/suspicious mail routes
  6. Alert on emails from geographic anomalies
  7. Review unusual SPF/DKIM changes

For Incident Response Teams

Systematic Investigation:

  1. Collect all emails from incident
  2. Export in EML format
  3. Parse headers automatically with script
  4. Create timeline visualization
  5. Map IP addresses to locations
  6. Identify email chains and forwarding
  7. Preserve evidence in proper format
  8. Document findings with screenshots
  9. Present timeline to stakeholders

Conclusion

Effective email header analysis requires a combination of tools and techniques. For quick analysis, free online tools like Email Header Analyzer provide instant insights. For deeper investigations, manual header parsing combined with WHOIS lookups, geolocation tools, and DNS analysis reveals detailed forensic information. For large-scale monitoring, automated log analysis and alert systems detect suspicious patterns across thousands of emails.

The most effective security organizations combine all these approaches: they empower individual analysts with easy-to-use tools for quick decisions, invest in specialized tools for deep investigations, and deploy automated systems for continuous monitoring. By mastering both manual header analysis and modern analytical tools, security professionals can quickly identify phishing attempts, detect account compromises, and investigate email-based security incidents before they cause significant damage.
