
What are email headers and why are they important for security?

Email headers contain crucial information about message origin and routing. Learn why headers matter for security and how to analyze them to detect spoofing and phishing.

By Inventive HQ Team

Understanding Email Headers

Email headers are metadata about how a message traveled from sender to recipient. While the email body contains the message, headers contain critical information about origin, routing, authentication, and potential spoofing. Understanding headers is essential for identifying phishing, spoofing, and fraud.

What Email Headers Contain

Essential Header Fields

From (Visible to User):

From: John Smith <[email protected]>

What it shows: Who the email appears to be from
Security note: Can be spoofed without authentication

To (Visible to User):

To: [email protected]

What it shows: Intended recipient

Subject (Visible to User):

Subject: Urgent Action Required

What it shows: Email topic

Date:

Date: Wed, 15 Jan 2025 14:32:00 -0500

What it shows: When email was sent
Useful for: Spotting delays when compared with the Received timestamps; Date is also one of the headers a DKIM signature normally covers

Routing Information

Received (hidden from the user, but critical for security):

Received: from mail.example.com ([192.0.2.1])
  by mx.recipient.com with SMTP id abc123
  for <[email protected]>;
  Wed, 15 Jan 2025 14:32:10 -0500

What it shows:
- Which server relayed the message
- Server's IP address
- Timestamp
- Recipient at that hop

Each server that handles the message prepends its own Received header, so reading them from bottom to top traces the entire journey from the first hop to the last.

Return-Path:

Return-Path: <[email protected]>

What it shows: Where bounces go
Security note: Should match the From domain, or a bounce domain the sender is known to use (bulk-mail providers often set their own)

Reply-To:

Reply-To: <[email protected]>

What it shows: Where replies go
Security note: A Reply-To on a different domain from the From address is suspicious, because replies go to that address rather than to the apparent sender

Authentication Headers

Authentication-Results:

Authentication-Results: mx.company.com;
  spf=pass (domain of sender designates 192.0.2.1 as permitted sender);
  dkim=pass (signature verification succeeded);
  dmarc=pass (message passed DMARC policy)

What it shows:
- SPF result (pass/fail/softfail)
- DKIM result (pass/fail)
- DMARC result (pass/fail)

Security importance: Highest, since it records the SPF, DKIM and DMARC verdicts. Trust only the copy added by your own receiving server (the authserv-id at the start of the value, mx.company.com above): the header is plain text, so any copy already present on arrival should be stripped by the receiving server and ignored by the analyst.

Received-SPF:

Received-SPF: pass (example.com: domain designates 192.0.2.1 as permitted sender)

What it shows: SPF authentication result

DKIM-Signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=selector1;
  h=from:to:subject:date;
  bh=jw6g7qKjJq...;
  b=signature_data...

What it shows:
- Digital signature proving message authenticity
- Domain signed with (d=example.com)
- Selector used (selector1)
- Algorithm used (rsa-sha256)
- Headers signed
- Message body hash
- Actual signature
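As an added example (not code from the Inventive HQ article), the following Python splits a DKIM-Signature header into its tags and reports what an analyst wants from it: the signing domain, the selector, the DNS TXT record where a verifier looks up the public key (selector._domainkey.domain, per RFC 6376), and whether the From header is among the signed ones. The sample signature is the article's own, with bh= and b= as placeholders; the function names and the simplified alignment rule are mine.

```python
# Constructed sample, folded as it would appear in a raw message. The bh= and b=
# values are placeholders, not real signature material.
SAMPLE_DKIM = """v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=selector1;
  h=from:to:subject:date;
  bh=jw6g7qKjJq...;
  b=signature_data..."""


def parse_dkim_tags(value):
    """Split a DKIM tag list ('tag=value; tag=value; ...') into a dict. All
    whitespace inside a value is dropped because long base64 values get folded."""
    tags = {}
    for part in value.split(";"):
        tag, sep, val = part.partition("=")  # only the first '=' separates tag from value
        if sep:
            tags[tag.strip()] = "".join(val.split())
    return tags


def dkim_summary(value):
    """Facts an analyst wants from a DKIM-Signature header, plus two checks."""
    tags = parse_dkim_tags(value)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    domain, selector = tags.get("d", ""), tags.get("s", "")
    return {
        "signing_domain": domain,
        "selector": selector,
        "algorithm": tags.get("a"),
        "signed_headers": signed,
        # The verifier fetches the public key from this TXT record (RFC 6376 3.6.2.1).
        "key_record": f"{selector}._domainkey.{domain}" if selector and domain else None,
        # RFC 6376 requires From to be signed; a signature that skips it says
        # nothing about the sender the user sees.
        "covers_from": "from" in signed,
    }


def dkim_aligned(value, from_domain):
    """Relaxed DKIM alignment for DMARC: d= and the From domain must share an
    ancestor. Simplified (hypothetical helper): real DMARC compares the
    organisational domains taken from the public suffix list."""
    d = parse_dkim_tags(value).get("d", "").lower()
    f = from_domain.lower()
    return bool(d) and (d == f or f.endswith("." + d) or d.endswith("." + f))


if __name__ == "__main__":
    print(dkim_summary(SAMPLE_DKIM))
    print("aligned with mail.example.com:", dkim_aligned(SAMPLE_DKIM, "mail.example.com"))
```

Running the block prints the parsed summary for the article's sample; a real investigation would then query the key_record name in DNS to confirm the selector exists and has not been retired.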

DMARC-Filter:

DMARC-Filter: OpenDMARC Filter v1.3.2

What it shows: DMARC processing information

Delivery Information

Content-Type:

Content-Type: text/plain; charset=UTF-8

What it shows: Email format (plain text, HTML, etc.)

MIME-Version:

MIME-Version: 1.0

What it shows: Message format version

X-Headers (Custom):

X-Originating-IP: [192.0.2.1]
X-Priority: 1 (Highest)
X-Spam-Score: 2.5
X-Spam-Status: No

What it shows: Custom headers added by mail servers
Useful for: Identifying origin, spam scoring

Why Headers Matter for Security

Detecting Email Spoofing

Spoofed email analysis:

Visible (User sees):
From: [email protected]
Subject: Urgent payment needed
Body: Transfer $50,000 to account...

Hidden (but tells the real story):
Received: from attacker.net ([192.0.2.99])
Return-Path: <[email protected]>
Authentication-Results: dmarc=fail

Analysis:
- User sees: From company.com
- Headers show: Actually from attacker.net
- DMARC fails: Not authenticated
- Verdict: SPOOFED PHISHING EMAIL

Identifying Phishing Attacks

Phishing detection via headers:

Email appears from bank, but headers show:
1. Received from suspicious IP not in bank's range
2. SPF fails for bank's domain
3. DKIM signature missing or from wrong domain
4. DMARC fails
5. Reply-To address is free email service

Conclusion: Phishing attempt

Tracking Email Journey

Headers show the path email took:

Example path (bottom to top):
Received: from attacker.net (attacker sends)
Received: from mail.relay.com (relay server)
Received: from mx.company.com (company receives)

This reveals:
- Where email originated
- Which servers handled it
- If any unusual routing
- Potential security issues

Detecting Forwarding and Manipulation

Headers show if email was forwarded:

New Received: from forwarding-service.com
Original Received: from original-sender.com

Shows:
- Email was forwarded
- Through what service
- Can indicate spoofing if suspicious

Reading Email Headers

How to Access Headers

Gmail:

1. Open email
2. Click ▼ (dropdown) next to Reply
3. Select "Show original"
4. Headers displayed in new window

Outlook:

1. Open email
2. File → Properties
3. Look for "Internet Headers" section
4. Click View message source

Apple Mail:

1. Select email
2. View → Message → All Headers
3. Headers displayed above message

Yahoo:

1. Open email
2. Click ▼ (menu)
3. Select "View Full Headers"

Interpreting Critical Headers

Check these in order:

  1. Received (bottom first):

    Bottom = Original source
    Top = Final recipient
    
    Verify: Servers listed are legitimate
    Suspicious: Mismatched IPs or unknown servers
    
  2. Return-Path:

    Should match: From domain or authorized bounce domain
    Suspicious: Completely different domain
    
    Example:
    From: [email protected]
    Return-Path: [email protected] ← RED FLAG
    
  3. Authentication-Results:

    Look for: spf=pass, dkim=pass, dmarc=pass
    If any fail: Email not authenticated
    
    Example:
    Authentication-Results: dmarc=fail ← RED FLAG
    
  4. X-Originating-IP:

    Check: Is IP in legitimate server range?
    Suspicious: Random IPs or known bad actors
    

Common Red Flags in Headers

Red Flag 1: Missing Authentication

Headers have NO:
- Authentication-Results header
- DKIM-Signature header
- SPF result

Indicates: Email not authenticated
Risk: Likely spoofed

Red Flag 2: Authentication Failures

Authentication-Results showing:
spf=fail
dkim=fail
dmarc=fail

Indicates: Failed authentication
Risk: Spoofed or compromised sender

Red Flag 3: Mismatched Domains

From: [email protected]
Return-Path: [email protected]
Reply-To: [email protected]

Indicates: Likely phishing
Risk: HIGH - Multiple domain mismatches
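To make the checks in "Interpreting Critical Headers" and Red Flags 1 to 3 repeatable, here is an added Python example (not the article's own code) built on the standard email library. It parses two constructed messages, the spoofed scenario from above and a legitimate counterpart, checks that Return-Path and Reply-To align with the From domain, and reads the SPF/DKIM/DMARC verdicts from Authentication-Results, trusting only the copy whose authserv-id matches your own receiving server. The subdomain rule is a simplification of DMARC's organisational-domain alignment; the flag codes, sample addresses and the mx.company.com authserv-id are my own choices.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample reproducing the article's spoofed-message scenario
# (documentation-reserved names, not real mail). The receiving server stamped
# Authentication-Results with its own authserv-id, mx.company.com.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@attacker.net>
Received: from attacker.net ([192.0.2.99])
  by mx.company.com with ESMTP id abc123
  for <cfo@company.com>; Wed, 15 Jan 2025 14:32:10 -0500
Authentication-Results: mx.company.com;
  spf=fail (domain of attacker.net does not designate 192.0.2.99 as permitted sender);
  dkim=none;
  dmarc=fail
From: CEO <ceo@company.com>
Reply-To: <ceo.reply@freemail.example>
To: cfo@company.com
Subject: Urgent payment needed
Date: Wed, 15 Jan 2025 14:32:00 -0500

Transfer $50,000 to account...
"""

# Constructed legitimate counterpart: aligned domains, every check passes.
SAMPLE_LEGIT = """\
Return-Path: <bounce@example.com>
Received: from mail.example.com ([192.0.2.1])
  by mx.company.com with ESMTP id def456
  for <jane@company.com>; Wed, 15 Jan 2025 14:32:10 -0500
Authentication-Results: mx.company.com;
  spf=pass (domain of sender designates 192.0.2.1 as permitted sender);
  dkim=pass (signature verification succeeded);
  dmarc=pass (message passed DMARC policy)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=selector1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: John Smith <john@example.com>
To: jane@company.com
Subject: Quarterly report
Date: Wed, 15 Jan 2025 14:32:00 -0500

Report attached.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(" ".join(str(header_value or "").split()))
    return addr.rpartition("@")[2].lower()


def _aligned(domain, from_domain):
    """Loose alignment: identical to, or a subdomain of, the From domain.
    (Simplification: real DMARC compares organisational domains.)"""
    return domain == from_domain or domain.endswith("." + from_domain)


def parse_auth_results(value):
    """Return (authserv_id, {method: result}) from an Authentication-Results value."""
    text = " ".join(str(value).split())           # undo header folding
    head = text.split(";", 1)[0].strip()          # authserv-id comes before the first ';'
    authserv_id = head.split()[0].lower() if head else ""
    results = {m.lower(): r.lower()
               for m, r in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*([A-Za-z]+)", text, re.I)}
    return authserv_id, results


def header_red_flags(raw_message, trusted_authserv):
    """Return a list of red-flag codes for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = _domain(msg.get("From"))
    if not from_domain:
        flags.append("missing-from")
    for header, code in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        domain = _domain(msg.get(header))
        if domain and from_domain and not _aligned(domain, from_domain):
            flags.append(code)
    # Authentication-Results is plain text that any upstream party can add, so
    # only the copy stamped with our own receiving server's authserv-id counts.
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(value)
        if authserv_id == trusted_authserv.lower():
            verdicts.update(results)
    if not verdicts:
        flags.append("no-trusted-auth-results")
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "none")
        if verdict != "pass":
            flags.append(f"{method}-{verdict}")
    if "DKIM-Signature" not in msg:
        flags.append("no-dkim-signature")
    return flags


if __name__ == "__main__":
    print("spoofed:", header_red_flags(SAMPLE_SPOOFED, "mx.company.com"))
    print("legit:  ", header_red_flags(SAMPLE_LEGIT, "mx.company.com"))
```

A message with a passing Authentication-Results header stamped by some other server (for example one inserted before the mail reached you) is treated as unauthenticated, which is the safe default; feed the function the raw .eml text your mail client exports.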

Red Flag 4: Unknown/Suspicious IPs

X-Originating-IP: [192.0.2.100]

Check: Is this a known company server?
If not: Could be spoofed
Lookup: Use IP geolocation tools

Red Flag 5: Routing Anomalies

Received: from attacker.net
Received: from forwarding-service.com
Received: from legitimate.com

Indicates: Email rerouted through suspicious service
Risk: Potential credential interception

Red Flag 6: Delayed Timestamps

Date sent: 2025-01-01 10:00:00
Last Received: 2025-01-15 14:00:00

A 14-day gap between the Date header and the final Received timestamp is suspicious.
Indicates: The message was held and released later, possibly replayed from a queue or cache; compare the Date header with each Received timestamp to see where the gap falls

Using Headers for Forensics

Phishing Investigation

  1. Get headers: Use mail client to view full headers
  2. Extract IP: From bottom Received header
  3. Check IP reputation: Use whois, IP geolocation
  4. Verify authentication: Check SPF/DKIM/DMARC results
  5. Identify links: Find any URLs in headers
  6. Report findings: Document for security team

Investigating Business Email Compromise

Steps:
1. Request headers from recipient
2. Check Return-Path for anomalies
3. Verify all authentication passed
4. Check X-Originating-IP against known ranges
5. Review Received path for unusual routing
6. Document findings
7. Recommend action (block sender, flag emails, etc.)

Email Trace and Reconstruction

Multiple headers show:
- Which servers handled message
- When (timestamps)
- For whom (recipients)
- From what origin (first Received)

Reconstruction:
- Trace journey from sender through mail system
- Identify where issues occurred
- Determine routing
- Find bottlenecks or anomalies
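The route reconstruction described in "Tracking Email Journey" and "Email Trace and Reconstruction", the timestamp check from Red Flag 6 and the origin-IP check from Red Flag 4 can be done in one pass with Python's standard email library. This is an added example rather than the article's code: it parses a constructed two-hop message, orders the hops oldest first, computes the delay at each hop, and flags gaps over a day, negative gaps, and an origin IP outside networks you supply (192.0.2.0/24 here, chosen to match the sample). The parsing relies on the "from host ([ip]) by host ... ; date" shape shown in the article; IPv6 literals are not matched.

```python
import ipaddress
import re
from datetime import timedelta
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message) reproducing the 14-day gap from the
# "Delayed Timestamps" red flag. Each server prepends its own Received header,
# so the top one is the last hop and the bottom one is the origin.
SAMPLE_DELAYED = """\
Received: from mail.relay.example ([198.51.100.7])
  by mx.company.com with ESMTP id def456
  for <cfo@company.com>; Wed, 15 Jan 2025 14:00:00 -0500
Received: from mail.example.com ([192.0.2.1])
  by mail.relay.example with ESMTP id abc123
  for <cfo@company.com>; Wed, 01 Jan 2025 10:00:20 -0500
From: John Smith <john@example.com>
To: cfo@company.com
Subject: Invoice
Date: Wed, 01 Jan 2025 10:00:00 -0500

See attached invoice.
"""


def _parse_date(text):
    """parsedate_to_datetime, returning None instead of raising on junk input."""
    try:
        return parsedate_to_datetime(text.strip()) if text and text.strip() else None
    except (TypeError, ValueError):
        return None


def parse_received(value):
    """Extract the 'from' host, its bracketed IPv4 literal, the 'by' host and the
    timestamp (everything after the last ';') from one Received header."""
    text = " ".join(str(value).split())          # undo header folding
    clause, sep, stamp = text.rpartition(";")
    if not sep:                                  # no timestamp separator at all
        clause, stamp = text, ""
    m_from = re.search(r"\bfrom\s+(\S+)", clause)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    return {"from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "time": _parse_date(stamp),
            "delay": None}


def trace_route(raw_message, expected_origin_networks=(), max_gap=timedelta(days=1)):
    """Rebuild the delivery path oldest hop first. Each hop gets the delay since
    the previous timestamp (the Date header for the first hop). Gaps over max_gap,
    negative gaps (a later hop stamped before an earlier one) and an origin IP
    outside expected_origin_networks are reported under 'anomalies'."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    anomalies = []
    previous = _parse_date(str(msg["Date"])) if msg["Date"] else None
    longest = timedelta(0)
    for hop in hops:
        if hop["time"] is not None and previous is not None:
            try:
                gap = hop["time"] - previous
            except TypeError:                    # tz-aware minus naive timestamp
                gap = None
            if gap is not None:
                hop["delay"] = gap
                longest = max(longest, gap)
                if gap > max_gap or gap < timedelta(0):
                    anomalies.append(f"gap before {hop['by']}: {gap}")
        if hop["time"] is not None:
            previous = hop["time"]
    origin = hops[0] if hops else None
    if origin and origin["ip"] and expected_origin_networks:
        addr = ipaddress.ip_address(origin["ip"])
        if not any(addr in ipaddress.ip_network(n) for n in expected_origin_networks):
            anomalies.append(f"origin {origin['ip']} outside expected networks")
    return {"origin": origin, "hops": hops, "longest_gap": longest, "anomalies": anomalies}


if __name__ == "__main__":
    route = trace_route(SAMPLE_DELAYED, expected_origin_networks=["192.0.2.0/24"])
    for hop in route["hops"]:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']} (delay {hop['delay']})")
    print("anomalies:", route["anomalies"])
```

The expected networks would normally come from the sender's published SPF record or your own inventory of partner mail servers; the 14-day gap at the final hop is reported on its own, separate from the origin check, so each anomaly can be triaged independently.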

Tools for Header Analysis

Online Tools

  • Inventive HQ Email Header Analyzer
  • Google Admin Toolbox Message Header Analyzer
  • MXToolbox Email Header Analyzer
  • Mailtester

Command-Line

# Extract a specific header (anchor to the line start so headers such as
# X-Original-From, or quoted text in the body, do not match)
grep -i "^From:" email.eml

# View authentication results, including the folded continuation lines
grep -i -A 5 "^Authentication-Results:" email.eml

# Check SPF (matches Received-SPF and the spf= verdict in Authentication-Results)
grep -i "spf" email.eml

# Find IPv4 addresses (IPv6 literals such as [IPv6:2001:db8::1] need a separate pattern)
grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' email.eml | sort -u

Email Clients

Built-in header viewers in Gmail, Outlook, Apple Mail, etc.

Best Practices

1. Train Users to Check Headers

Teach users:

  • Where to find headers in their email client
  • What to look for (authentication, From domain)
  • When to report suspicious emails

2. Implement Authentication

Ensure:

  • SPF records configured
  • DKIM signing enabled
  • DMARC policy enforced
  • Legitimate emails pass all checks

3. Monitor Headers

For your domain:

  • Ensure all legitimate emails have Authentication-Results: pass
  • Alert on DMARC failures
  • Track trends in authentication

4. Educate About Spoofing

Users must understand:

  • From address can be spoofed (it's the display, not the reality)
  • Headers show actual origin
  • Authentication proves legitimacy
  • Should verify suspicious emails

Conclusion

Email headers are the forensic evidence trail of every email. While users see only the subject and sender, headers reveal:

  • True origin (who actually sent it)
  • Authentication status (is it genuine?)
  • Routing path (where did it come from?)
  • Potential tampering (was it modified?)
  • Whether it's spoofed (is it what it claims?)

By understanding headers and teaching users to check them, organizations can:

  • Identify phishing and spoofing attacks
  • Investigate email security incidents
  • Verify sender authenticity
  • Prevent credential theft
  • Detect email compromise

Headers are the single most important tool for email security analysis. Mastering header interpretation is essential for anyone involved in email security, fraud investigation, or user education.
