Email Header Analyzer

Received headers trace email's path through mail servers: Format: Received: from sendingserver.com (IP [192.0.2.1]) by receivingserver.com with ESMTP; timestamp. Reading order: Headers added in reverse order (newest first), read from BOTTOM to TOP to trace email path, bottom = originating server, top = final delivery to your inbox. Example path: (1) Bottom: Received: from client.home.net [203.0.113.45] (user's computer sent to their mail server). (2) Middle: Received: from mail.sender.com [198.51.100.10] (sender's mail server to internet). (3) Middle: Received: from mx.recipient.com [192.0.2.50] (recipient's mail server received from internet). (4) Top: Received: from mx.recipient.com by mailbox.recipient.com (internal delivery to user mailbox). Red flags: (1) Unexpected countries - Email from "US company" but originated from Eastern Europe, check geolocation of IPs. (2) Free email services - Business email routed through gmail/yahoo/hotmail, suspicious for corporate communications. (3) Too many hops - Normal: 3-6 hops, suspicious: 10+ hops (routing through multiple relays to obscure origin). (4) Time inconsistencies - Timestamps out of order, impossible time zones, future dates. (5) Spoofed Received headers - Attacker can add fake Received headers above theirs, but can't modify headers added by YOUR infrastructure. Trust boundary: Only trust "Received" headers added by YOUR mail servers (your domain), everything before that could be forged. Useful tools: MXToolbox Email Header Analyzer, Google Admin Toolbox, this email header analyzer. Analysis tips: Extract all IP addresses, do reverse DNS lookups, check IPs against reputation databases (Spamhaus, Barracuda), verify SPF records for claimed sender domain, cross-reference with Authentication-Results. Real-world example: BEC attack showed "From: [email protected]" but bottom Received showed origin from gmail.com with Nigerian IP.

Three complementary email authentication standards: SPF (Sender Policy Framework) - Published as DNS TXT record, lists IP addresses/servers authorized to send email for domain, receiving server checks if sending IP is in SPF record. SPF record example: v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all. Mechanisms: +all (allow all - insecure!), -all (hard fail - reject unauthorized), ~all (soft fail - mark as spam), ?all (neutral - no policy). DKIM (DomainKeys Identified Mail) - Cryptographic signature in email header, sending server signs email with private key, receiving server verifies with public key in DNS, ensures email not modified in transit. DKIM header: DKIM-Signature: v=1; a=rsa-sha256; d=sender.com; s=selector; h=from:to:subject:date; bh=; b=. Verification: Extract public key from DNS (selector._domainkey.sender.com), verify signature with public key, check "d=" domain matches "From" domain. DMARC (Domain-based Message Authentication) - Policy framework for SPF and DKIM, published in DNS: _dmarc.sender.com, tells receivers what to do with failed authentication, provides reporting mechanism. DMARC record: v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; aspf=s; adkim=s. Policies: none (monitoring only), quarantine (send to spam), reject (refuse delivery). How they work together: (1) Sending server: SPF authorizes IP, DKIM signs email, DMARC policy published. (2) Receiving server: checks SPF (pass if IP authorized), verifies DKIM signature (pass if valid), checks DMARC policy (pass if SPF or DKIM aligned with From domain), applies policy (reject/quarantine/allow), sends aggregate reports to sender. Alignment: SPF alignment: Return-Path domain matches From domain, DKIM alignment: DKIM d= domain matches From domain. Prevents: (1) Direct spoofing (attacker sends as victim domain - caught by SPF/DKIM), (2) Display name spoofing (still detectable via DMARC reports). Doesn't prevent: Lookalike domains (attacker registers similar domain and properly configures authentication), compromised accounts (legitimate credentials used). This tool shows authentication results in headers.

BEC attacks show specific patterns in email headers: BEC attack types: (1) Display name spoofing - From: "CEO Name" [email protected], looks like CEO but different email address, catches victims who only read display name. (2) Lookalike domains - From: [email protected] (legitimate is company.com), From: [email protected] (rn looks like m). (3) Compromised accounts - Legitimate account stolen via phishing, all authentication passes (it's a real account!), behavioral analysis needed. Header indicators of BEC: (1) Mismatched domains - Display name: "CFO Name [email protected]", From header shows different domain (gmail.com, yahoo.com), Return-Path doesn't match From. (2) Authentication failures - SPF: fail (sent from unauthorized server), DKIM: fail or missing (no signature), DMARC: fail (domain alignment broken). (3) Suspicious origin - X-Originating-IP from unexpected country, free email service for business communication, unusual sending time (3 AM from "executive"). (4) Reply-To manipulation - From: [email protected], Reply-To: [email protected] (responses go to attacker). (5) User-Agent anomalies - Executive uses Outlook, but User-Agent shows Gmail web interface, unusual email client for that user. (6) Message-ID patterns - Format inconsistent with company's mail server, generated by free email service. Analysis workflow: (1) Check Authentication-Results first (any failures = red flag), (2) Compare From/Return-Path/Reply-To (all should match for legitimate email), (3) Trace Received headers to origin (verify comes from company infrastructure), (4) Check X-Originating-IP geolocation (matches sender's expected location?), (5) Verify urgency/requests (BEC often uses urgent wire transfer requests). Real-world BEC example: From: "John Smith CEO" [email protected], Return-Path: [email protected], Authentication-Results: spf=fail, dkim=fail, dmarc=fail, Received: from mail-sor-f41.google.com (free Gmail), Message-ID: [email protected] (Gmail format). Prevention: (1) Deploy DMARC with p=reject policy, (2) Train users to check full email address, (3) Implement "external email" warnings, (4) Flag emails with Reply-To different from From, (5) Require out-of-band verification for financial requests (call known number, not reply to email). FBI estimates $43B+ lost to BEC since 2016.

Authentication-Results header shows SPF, DKIM, DMARC verification status: SPF results: (1) pass - Sending IP authorized in SPF record, legitimate sender or properly configured relay. (2) fail - Sending IP NOT in SPF record, likely spoofed or misconfigured, DMARC policy determines handling. (3) softfail - SPF record uses ~all (ambiguous), treated as suspicious but not rejected. (4) neutral - SPF record uses ?all (no policy), provides no protection. (5) none - No SPF record published, legacy systems or misconfiguration. (6) temperror - DNS lookup failed temporarily, retry later. (7) permerror - SPF record syntax error, needs fixing by domain owner. DKIM results: (1) pass - Signature verified successfully, email integrity confirmed, signing domain authentic. (2) fail - Signature verification failed, email modified after signing, wrong public key used, replay attack. (3) policy - Signature doesn't meet policy requirements. (4) neutral - Signature couldn't be verified (missing key). (5) temperror - Temporary DNS failure. (6) permerror - Signature syntax error. (7) none - No DKIM signature present. DMARC results: (1) pass - SPF or DKIM aligned with From domain, domain authentication successful, safe to trust sender domain. (2) fail - Neither SPF nor DKIM aligned, spoofing attempt or misconfiguration, apply DMARC policy (reject/quarantine/none). Example interpretations: (1) Legitimate email: spf=pass, dkim=pass, dmarc=pass → All checks passed, strong confidence in sender. (2) Suspicious email: spf=fail, dkim=fail, dmarc=fail → Multiple failures, likely spoofing attempt. (3) Forwarded email: spf=fail (forwarding server not in SPF), dkim=pass (signature preserved), dmarc=fail (SPF broken, DKIM might not align) → Legitimate but forwarding breaks SPF. (4) Mailing list: spf=fail (list server sends), dkim=fail (list modified content), dmarc=fail → Mailing lists often break authentication. (5) Misconfigured but legitimate: spf=none, dkim=none, dmarc=none → Domain owner hasn't deployed authentication (risky!). What to trust: DMARC pass = highest confidence (requires alignment), DKIM pass alone = medium confidence (email integrity good, but domain might not align), SPF pass alone = low confidence (IP authorized but doesn't prove "From" address), All fail = high suspicion (investigate before trusting). Edge cases: Forwarding, mailing lists, and some cloud services break authentication - analyze full context.

Multiple methods to determine email's geographic source: Method 1: X-Originating-IP - Header added by webmail services (Gmail, Yahoo, Outlook.com), shows IP address of device that sent email, most reliable indicator of true origin. Example: X-Originating-IP: [203.0.113.45]. Lookup: Use IP geolocation services (MaxMind, IPinfo.io, ip2location), shows country, city, ISP, VPN/proxy detection. Method 2: Received Headers - Extract IPs from all Received headers, start with bottom-most (first) Received header, geolocate each IP in the chain. Example: Received: from client.isp.com [203.0.113.45] → geolocate 203.0.113.45. Method 3: Sending Mail Server - Identify sending domain's mail server, look up MX records for domain, geolocate mail server IPs. Example: nslookup -type=MX sender.com → mail.sender.com → 192.0.2.10 → geolocate. Method 4: SMTP Banner - Some Received headers include hostname, reverse DNS lookup on IP, identify ISP or hosting provider. Example: Received: from mail-lf1-f42.google.com → Google datacenter (multiple countries). Red flags: (1) Geographic mismatch - Email claims to be from "US company" but X-Originating-IP is in Nigeria, unlikely for legitimate business email. (2) VPN/Proxy indicators - IP belongs to known VPN provider (NordVPN, ExpressVPN), cloud hosting (AWS, Azure, DigitalOcean) for individual email (not corporate), Tor exit nodes. (3) High-risk countries - Not all emails from certain countries are malicious, but statistically more phishing originates from certain regions. (4) Impossible timeline - Email timestamp says 9 AM in New York, but IP geolocates to China with local time 9 PM. Tools: (1) MaxMind GeoIP2 - Commercial geolocation database, accuracy: ~90% country-level, ~80% city-level. (2) IPinfo.io - Free API for IP geolocation, includes privacy detection (VPN/proxy). (3) AbuseIPDB - Check IP reputation, see reports of malicious activity. (4) WHOIS - Find IP allocation info, identify ISP or organization. Limitations: (1) VPNs/proxies hide true location, (2) Compromised servers relay email (shows server location, not attacker), (3) Residential proxies use legitimate IPs, (4) Corporate VPNs may show unexpected locations. Investigation tip: Cross-reference multiple indicators (IP location, time zones in headers, language/spelling in email, domain registration location, claimed sender's known location). Don't rely solely on geolocation - context matters.

Step-by-step header extraction and analysis: Extract headers (by email client): (1) Gmail - Open email → three-dot menu → "Show original" → shows full headers + original message. (2) Outlook Desktop - Open email → File → Properties → look in "Internet headers" box, copy all text. (3) Outlook Web - Open email → three-dot menu → "View message details" → header displayed. (4) Apple Mail - Open email → View → Message → Raw Source, or View → Message → Long Headers. (5) Thunderbird - Open email → More → View Source → Ctrl+U. (6) Yahoo Mail - Open email → More → View Raw Message. Automated analysis tools: (1) MXToolbox Email Header Analyzer - Paste headers → get formatted output, shows SPF/DKIM/DMARC results, IP geolocation, spam score, hop-by-hop timeline. (2) Google Admin Toolbox - messageheader.google.com, similar to MXToolbox, good for Gmail analysis. (3) This Email Header Analyzer - Parse and visualize headers, extract authentication results, identify suspicious patterns. (4) Email Header Analyzer (Chrome Extension) - Right-click email → analyze headers, no copy-paste needed. Manual analysis workflow: (1) Identify sender - Check From, Return-Path, Reply-To (all match?). (2) Authentication - Find Authentication-Results header, check SPF/DKIM/DMARC (all pass?). (3) Trace path - Read Received headers bottom-to-top, extract and geolocate IPs. (4) Check timing - Verify timestamps make sense, consistent time zones. (5) Sender reputation - Lookup X-Originating-IP in AbuseIPDB, check domain in VirusTotal, query Spamhaus blocklists. Advanced analysis: (1) DKIM verification - Extract DKIM-Signature, extract public key: dig selector._domainkey.domain.com TXT, manually verify signature (use DKIM validator tool). (2) SPF lookup - Extract Return-Path domain, query SPF: dig domain.com TXT, check if sending IP in SPF record. (3) DMARC policy - Query: dig _dmarc.domain.com TXT, check policy (p=reject/quarantine/none). Automation for SOC teams: (1) Use SIEM to ingest email logs, (2) Create parsing rules for headers, (3) Enrich with threat intel (IP reputation, domain age), (4) Alert on patterns (authentication failures, unexpected geolocation, known bad IPs). Preservation for evidence: Save original email (.eml file format), screenshot full headers, document hash of email file (SHA-256), maintain chain of custody, use forensic email tools (FTK, EnCase). This tool helps automate header parsing and highlight security indicators.

Header-based phishing detection checklist: Indicator 1: Authentication Failures - ❌ spf=fail, dkim=fail, dmarc=fail → High confidence phishing, legitimate companies have working authentication, exception: legitimate but misconfigured senders (check other indicators). Indicator 2: Domain Mismatches - From: "CEO Name" [email protected], Return-Path: [email protected], domains don't match → spoofed sender. Indicator 3: Free Email Services for Business - From: [email protected], [email protected], [email protected], legitimate businesses use their own domains. Indicator 4: Reply-To Different from From - From: [email protected], Reply-To: [email protected], responses intercepted by attacker, legitimate mail rarely does this. Indicator 5: Suspicious Origin IPs - X-Originating-IP from unexpected country, IP belongs to VPN/hosting provider, IP has poor reputation (AbuseIPDB). Indicator 6: Unusual Received Path - Too many hops (10+), routing through unexpected countries, multiple free email services in chain. Indicator 7: Time Zone Inconsistencies - Email sent "from US office" at 3 AM local time, timestamps out of order or impossible. Indicator 8: Message-ID Patterns - Message-ID doesn't match From domain, generated by free email service, format inconsistent with claimed sender. Indicator 9: User-Agent Anomalies - Executive typically uses Outlook, but User-Agent: Gmail web interface, mobile app from user who always uses desktop. Indicator 10: Missing or Invalid DKIM - No DKIM signature (most businesses sign emails), DKIM d= domain doesn't match From domain, signature verification fails. Scoring system example: Authentication fail (all 3): +40 points, Domain mismatch: +30 points, Free email service: +25 points, Suspicious IP: +20 points, Reply-To mismatch: +15 points, Other anomalies: +10 points each. Total score: 0-30: Likely legitimate, 31-60: Suspicious (investigate), 61-90: High probability phishing, 91+: Almost certainly phishing. Real phishing example analysis: From: "Apple Support" <support@applé.com> (é is special char), Return-Path: [email protected] (Punycode for applé), Authentication-Results: spf=none, dkim=none, dmarc=none (no authentication at all), X-Originating-IP: 185.220.101.45 (Romania, VPN exit node), Received: from mail.cheaphosting.com (budget hosting), Message-ID: [email protected] (doesn't match "Apple"), User-Agent: PHPMailer 6.5.0 (bulk mail script). Result: Multiple red flags = phishing. Best practice: Combine header analysis with content analysis (urgent language, requests for credentials, grammatical errors, suspicious links).