Tracing a Phishing Email Using Headers: A Forensic Walkthrough
Learn how to trace a phishing email using headers — decode Received chains, SPF, DKIM, DMARC, and originating IPs to identify the real sender.
Phishing emails are designed to look legitimate on the surface — a familiar logo, a plausible sender name, and a sense of urgency. But the moment you peel back the headers, the story changes. The headers hold the real routing data: which server actually sent the message, whether SPF and DKIM passed, and where the trail ultimately leads.
This walkthrough shows you exactly what to look at, in what order, and how to interpret each piece when investigating a suspicious email.
Step 1: Get the Full Raw Headers
The From: field shown in your inbox is cosmetic and trivially forged. You need the full source headers.
How to extract them
- Gmail: Open the email → three-dot menu → Show original. Copy everything from Delivered-To: down to the blank line before the body.
- Outlook (web): Open the email → three-dot menu → View → View message source.
- Apple Mail: View → Message → All Headers (Shift+Cmd+H).
- Thunderbird: View → Headers → All, or Ctrl+U for full source.
Save the raw text to a file — you'll be cross-referencing fields, and a hosted analyzer like the AXOX Hub Email Header Analyzer can parse the entire hop chain for you in seconds.
Step 2: Read the Received Chain Bottom-Up
Email headers stack in reverse. The bottom-most Received: line is the origin; each line above it is a subsequent hop. Reading bottom-up lets you watch the email travel from sender to your inbox.
A typical line looks like:
Received: from mail.shady-host.tld (mail.shady-host.tld [192.0.2.55])
        by mx.google.com with ESMTPS id abc123
        for <you@example.com>; Tue, 14 Nov 2024 09:12:44 -0800 (PST)
What to extract from each hop
- HELO/EHLO hostname — what the sending server claimed to be.
- Reverse DNS — the hostname the receiving server resolved from the IP.
- IP address in brackets — the actual connecting IP. This is gold.
- Timestamp — useful for spotting timezone mismatches or impossible delivery times.
Red flag: the claimed HELO says mail.paypal.com but the bracketed IP belongs to a residential ISP or an offshore VPS provider.
Step 3: Identify the Originating IP
Once you've found the bottom-most external hop (ignore internal 127.0.0.1 or private RFC1918 addresses), run lookups on the IP:
- WHOIS — who owns the IP block? A known ESP like SendGrid or Mailgun is different from a random VPS in a high-abuse ASN.
- Reverse DNS (PTR) — does it match the claimed sender domain?
- Blocklist check — query Spamhaus, SORBS, or Barracuda. Listed IPs strongly suggest abuse.
- Geolocation — a "your bank" email originating from an IP in an unrelated country is suspicious.
Step 4: Verify Authentication Results
Look for the Authentication-Results: header added by the receiving mail server. This summarises the three checks that matter most:
SPF (Sender Policy Framework)
Did the sending IP appear in the claimed domain's SPF record?
- spf=pass — IP is authorised. Good, but not proof of legitimacy alone.
- spf=fail or softfail — the IP is not on the sender's approved list. Major red flag for domains that publish strict SPF.
- spf=none — the domain has no SPF record. Common with smaller domains; less informative.
DKIM (DomainKeys Identified Mail)
Was the message cryptographically signed, and does the signature verify against the domain's published public key?
- dkim=pass with d= matching the sender domain — legitimate signing.
- dkim=pass but d= is a completely different domain — possible relay through an unrelated service. Investigate further.
- dkim=fail — body or headers were modified, or the signature is forged.
DMARC
Does the message align with the domain's DMARC policy?
- dmarc=pass requires either SPF or DKIM to pass and the authenticated domain to align with the visible From: domain.
- dmarc=fail with a p=reject policy means the receiving server should have rejected or quarantined the mail — and confirms spoofing.
Step 5: Cross-Check the Message-ID and Return-Path
These two fields are quick spoofing indicators:
- Message-ID: Format is usually <unique-string@sending-domain>. If the domain portion doesn't match the From: domain or the originating server, treat it as suspect.
- Return-Path: Where bounces are sent. Phishers often set this to a throwaway address on a completely different domain than the visible From:.
- Reply-To: A common tell. The From: shows support@bigbank.com but Reply-To points to billing-team@gmail.com — that's a deliberate redirect of your response to an attacker-controlled inbox.
Step 6: Inspect X-Headers and Mailer Signatures
Custom X- headers can reveal the platform used to send the mail:
- X-Mailer: — sometimes names the client (e.g. PHPMailer 6.x, which is heavily abused).
- X-Originating-IP: — webmail providers often add this; it can expose the actual user's IP behind a relay.
- X-Sender-Score or ESP-specific headers — confirm whether the mail came from a reputable bulk sender or a self-hosted script.
Bulk phishing campaigns often use compromised hosting accounts running PHPMailer or similar. If you see PHPMailer combined with a residential IP and failed DMARC, you have a near-certain phishing send.
Step 7: Correlate, Don't Rely on One Signal
No single header proves intent. Build a picture by combining indicators:
- Spoofed From: domain + DMARC fail + originating IP in an unrelated ASN = high-confidence phishing.
- Legit-looking SPF pass + suspicious Reply-To + urgent financial wording = likely compromised account being used to phish.
- All authentication passes + clean IP, but the content asks for credentials via a lookalike URL = legitimate sending infrastructure that has been hijacked (e.g. via a SendGrid account takeover).
Always pivot from headers to the URLs in the body. A link's display text and its actual href often differ — scan suspicious URLs separately before clicking anything.
Run It Through a Header Analyzer
Parsing dozens of Received: lines by hand is tedious and error-prone. Paste the full raw headers into the free AXOX Hub Email Header Analyzer to get a visual hop chain, SPF/DKIM/DMARC results, IP attribution, and timing per hop — everything you need to confirm whether an email is genuine or worth reporting to your abuse team.