Email header analysis is the process of examining the metadata headers of an email message to trace its origin, verify its authenticity, and identify potential indicators of phishing, spoofing, or other malicious activity. Email headers contain a detailed record of every server that processed the message, along with authentication results and routing information.
Received headers are read from bottom to top, because each server that handles the message prepends its own Received line; the lowest entry is therefore the earliest hop. Key headers for security analysis include: Received (the server hop chain, with timestamps and IP addresses), From/Reply-To (displayed addresses, which may differ from the authenticated sender), Return-Path (the envelope sender, which SPF evaluates), Authentication-Results (the receiving server's SPF, DKIM, and DMARC verdicts), DKIM-Signature (details of the cryptographic signature), X-Originating-IP (the original sender IP, when present), and Message-ID (a unique identifier whose format can reveal the sending platform). Analysts trace the Received chain to identify the originating server, verify that the connecting IP addresses are permitted by the sender domain's SPF record, check DKIM signature validity, and compare the authenticated domain against the displayed From address.
Header analysis is the definitive method for investigating suspicious emails. Spoofed display names and look-alike domains are exposed immediately by comparing the From header with the authentication results. Routing anomalies reveal emails that transited unexpected servers. Timestamp analysis detects impossible delivery sequences that indicate header forgery. Authentication-Results headers show exactly which checks passed or failed. However, the originating server can forge any header below its own hop, so only headers added by trusted servers (your own mail infrastructure) should be fully trusted. Security teams must train staff to submit suspicious emails with full headers for analysis (a forwarded copy carries only the forwarder's headers, not the original chain).
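As an added illustration of the procedure described in the two paragraphs above (reading the Received chain bottom-up, parsing Authentication-Results, comparing the authenticated domain with the displayed From address, checking timestamps, and trusting only hops stamped by your own servers), the following Python script was written for this page; it is not code from any tool or organization the page mentions. The sample message, every host name, IP address and mailbox in it, and the TRUSTED_HOSTS set are constructed assumptions for the example.

```python
"""Header triage for a suspicious email (added example, not from the page)."""
import email
import re
from datetime import timedelta
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message: hosts, IPs and addresses are documentation/test
# values. The bottom Received line was stamped by the sender's own relay and
# carries a timestamp later than the hop that received the message from it.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
    by mail.example.com with ESMTPS id abc123; Tue, 5 Mar 2024 10:02:11 +0000
Received: from relay.bulk-sender.test (relay.bulk-sender.test [198.51.100.7])
    by mx1.example.net with ESMTP id xyz789;
    Tue, 5 Mar 2024 10:02:10 +0000
Received: from [10.0.0.5] (unknown [192.0.2.44])
    by relay.bulk-sender.test with ESMTPA id q1w2e3;
    Tue, 5 Mar 2024 10:05:00 +0000
Authentication-Results: mx1.example.net;
    spf=pass smtp.mailfrom=bulk-sender.test;
    dkim=pass header.d=bulk-sender.test;
    dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: alerts@bulk-sender.test
Return-Path: <bounce@bulk-sender.test>

Please click the link.
"""

# Assumed: the hosts that make up our own mail infrastructure. Only Received
# lines stamped "by" one of these are fully trusted; lower hops are claims.
TRUSTED_HOSTS = {"mail.example.com", "mx1.example.net"}
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _flat(value):
    """Unfold a header value by collapsing folding whitespace."""
    return re.sub(r"\s+", " ", value or "").strip()

def parse_received(value):
    """Extract the connecting IP, by-host and timestamp of one Received hop."""
    flat = _flat(value)
    from_part = flat.split(" by ", 1)[0]
    by_host = re.search(r"\bby\s+(\S+)", flat)
    ips = IPV4.findall(from_part)  # last bracketed IP is the connecting peer
    try:  # the date follows the final ';' in RFC 5322 Received syntax
        when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
    except (TypeError, ValueError):
        when = None
    return {"ip": ips[-1] if ips else None,
            "by": by_host.group(1) if by_host else None, "time": when}

def parse_auth_results(value):
    """Parse Authentication-Results into {method: (result, domain)}."""
    results = {}
    for method, result, props in re.findall(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)", _flat(value)):
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", props)
        results[method] = (result, dom.group(1).lower() if dom else None)
    return results

def hop_chain(msg):
    """Received hops in chronological order (bottom header first)."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def _domain(header_value):
    """Domain part of the address in a From/Reply-To style header."""
    return parseaddr(_flat(header_value))[1].rpartition("@")[2].lower()

def analyze(raw, trusted_hosts=TRUSTED_HOSTS, skew=timedelta(minutes=2)):
    """Run the checks an analyst performs by hand and return the findings."""
    msg = email.message_from_string(raw)
    hops = hop_chain(msg)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    # 1. Alignment: visible From domain versus the domains that authenticated.
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    for method in ("dkim", "spf"):
        auth_dom = auth.get(method, (None, None))[1]
        if auth_dom and auth_dom != from_dom:
            findings.append(f"{method} domain {auth_dom} does not match From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if auth.get("dmarc", ("none", None))[0] != "pass":
        findings.append("DMARC did not pass")
    # 2. Trust boundary: the earliest hop stamped by our own server gives the
    #    last verifiable peer IP; hops below it are the sender's own claims.
    trusted = [h for h in hops if h["by"] in trusted_hosts]
    entry_ip = trusted[0]["ip"] if trusted else None
    claimed = [h["ip"] for h in hops if h["by"] not in trusted_hosts]
    # 3. Timestamps: a later hop dated before the previous one, beyond normal
    #    clock skew, is an impossible sequence and a sign of a forged line.
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"] and cur["time"] + skew < prev["time"]:
            findings.append(f"hop by {cur['by']} ({cur['time']:%H:%M:%S}) predates "
                            f"hop by {prev['by']} ({prev['time']:%H:%M:%S})")
    return {"from_domain": from_dom, "entry_ip": entry_ip, "hops": hops,
            "claimed_origin_ips": claimed, "auth": auth, "findings": findings}
```

Running `analyze(RAW_MESSAGE)` on the constructed message yields five findings: the DKIM and SPF domains (bulk-sender.test) do not align with the displayed From domain (bank.example), Reply-To points at the sending domain, DMARC failed, and the sender-stamped bottom hop is dated after the hop that received the message from it. Note that the script reads the receiving server's recorded SPF/DKIM verdicts rather than re-evaluating them; an independent check of the entry IP (198.51.100.7 here) against the sender domain's SPF record requires a DNS lookup, which is deliberately left out so the example runs offline.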
Email header analysis is a core skill in the TID domain. CDA operators perform header analysis during C-HARDEN incident response missions and phishing investigation exercises. Understanding email routing and authentication headers is essential for threat intelligence operators working on email-based attack analysis.