Real-Life Email Header Investigation Cases


Email header analysis is an essential part of investigating and understanding email communications. By examining the header of an email, you can gather crucial information about the sender, recipient, date and time of the message, and its subject line. This information is vital for identifying and analysing potential threats such as spam, phishing, and email scams.

In this comprehensive guide, we will provide you with real-life email header investigation cases to demonstrate the practical application of email header analysis. Whether you are a cybersecurity professional or an individual looking to protect yourself from malicious emails, these cases will give you valuable insights into how to analyse email headers effectively.

What is an Email?

An email, short for electronic mail, is a digital message sent from one computer to another over the internet or a network. It allows individuals or organisations to exchange information quickly and efficiently without the need for physical mail or face-to-face interaction. An email typically consists of a body of text, sometimes with attachments such as files or images, and is addressed to one or more recipients.

Email has become an essential communication tool in both personal and professional settings, revolutionising the way we interact and communicate with one another.

Basic Flow of an Email

Understanding the basic flow of an email is essential for analysing email headers effectively. The following steps outline the typical flow of an email:

  1. Composing the Message: The sender creates the message using an email client, such as Apple Mail or Gmail.
  2. Sending the Message: The message is sent through the Mail Transfer Agent (MTA) using Simple Mail Transfer Protocol (SMTP).
  3. Transfer of Message: The message travels over the internet or a network from one mail server to another through various SMTP protocols until it reaches the recipient’s mail server.
  4. Delivery Agent Check: The mail delivery agent checks whether the email is spam or non-spam using Sender Policy Framework (SPF). If it is non-spam, the email continues to the recipient’s mailbox.
  5. Accessing the Message: The recipient accesses their mailbox to view the message and its content.

This flow illustrates how email messages are composed, sent, transferred, and received, with various protocols and security measures in place to ensure successful delivery and minimize the risk of spam or other threats.

Parts of an Email

To effectively analyze an email header, it is necessary to understand the various parts of an email. These parts include:

  1. Email Header: The email header contains metadata about the message, such as the sender and recipient email addresses, the message subject, date and time sent, and any unique identifiers or tracking information.
  2. Email Body: The email body contains the actual content of the message, including text, images, hyperlinks, and attachments.
  3. Attachments: Attachments are files or documents that are included with the email message, such as images, PDFs, or Word documents.
  4. Signatures: Signatures are commonly used to include contact information or other relevant details at the bottom of the email message, often including the sender’s name, title, and contact information.
  5. Salutations: Salutations are the opening greeting of the email message, which can be formal or informal depending on the context and relationship between the sender and recipient.
  6. Closings: Closings are the final words or phrases of the email message, often including expressions of gratitude or well wishes.
  7. Quotations: Quotations are used to include text from a previous message or email chain within the current message, providing context or referencing earlier discussion.

Understanding the different parts of an email can help improve communication and ensure that messages are clear, concise, and professional.

Steps to Analysing an Email

When analysing the header of an email, there are several main parts to consider. These parts include:

  1. Return-Path: This field indicates the email address to which bounce messages (undeliverable emails) are sent. It may differ from the “From” or “Reply-To” fields and can help identify the actual source of the email.
  2. Received: The “Received” field provides a chronological list of servers or relays through which the email passed during its journey to your inbox. Each relay is represented by an entry containing information such as the IP address, server name, date, and time. By examining these entries, you can trace the path of the email and potentially identify any suspicious or unauthorised relays.
  3. Message-ID: The “Message-ID” field is a unique identifier assigned to each email. It helps track the email’s origin and can be useful in distinguishing legitimate emails from fraudulent ones.
  4. From: This field specifies the sender’s name and email address. While it can be easily spoofed, analysing this field alongside other header information can help determine if the sender is legitimate.
  5. Reply-To: The “Reply-To” field indicates the email address where replies should be directed. It is worth checking this field to ensure it aligns with the sender’s identity and is not pointing to a suspicious or unrelated address.
  6. X-Sender, X-Originating-IP, X-Mailer: These fields are often found in the header and provide additional information about the email’s origin, sender’s IP address, or the software used to send the email. While not always present, they can offer valuable insights during the analysis.
  7. SPF and DKIM: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are email authentication methods. Analysing SPF and DKIM headers can help verify the email’s authenticity and determine if it has been tampered with or spoofed.
  8. X-Spam-Status, X-Spam-Score: These fields are usually added by spam filters and indicate the likelihood of the email being spam. They provide a spam score or status, giving you an idea of how the email was evaluated by the filtering system.
  9. X-Antivirus or X-AntiAbuse: Some email servers append these fields to indicate if the email has been scanned for viruses or potential abuse.

Analysing these header fields can provide valuable information about the email’s origin, path, and potential indicators of suspicious activity. It’s important to note that header information can be manipulated or forged, so it should be examined alongside other contextual clues and content analysis.

Basic Fields of an Email Header Analysis

When analysing an email header, several basic fields provide valuable information. These fields include:

  1. From: The “From” section displays the sender’s name and email address.
  2. Date: The “Date” field provides the date and time of delivery.
  3. To: The “To” field represents the receiver’s email details, containing CC and BCC.
  4. Subject: The “Subject” field gives the topic of the email’s content.
  5. Return-Path: This header field displays the email address of the return path, which shows the return address.
  6. DKIM-Signature: Domain Key Identified Mail (DKIM) signatures are used to identify and authenticate emails.
  7. Message-ID: The “Message-ID” is a unique combination of numbers and letters used to identify each email. No emails have the same Message-ID.
  8. MIME-Version: The MIME-Version is an internet standard that converts non-text content, such as images or video attachments, into text so they can be sent through email.

These basic fields provide essential information about the email, its origin, and its content.

Real-Life Email Header Investigation Cases

Case 1: Suspicious Phishing Email

In this case, a user received an email claiming to be from their bank, requesting them to verify their account information. The user suspected it was a phishing attempt and decided to analyze the email header to gather more information.

Step 1: Examine the “From” Field

The user noticed that the “From” field displayed an email address that did not match their bank’s official email domain. This raised suspicions that the email was not legitimate.

Step 2: Analyse the “Received” Field

By examining the “Received” field, the user traced the email’s path from the sender to their inbox. They identified several relays that were unfamiliar and potentially suspicious. This indicated that the email may have been routed through unauthorised servers.

Step 3: Check for SPF and DKIM Authentication

The user looked for SPF and DKIM authentication headers to verify the email’s authenticity. However, these headers were missing, further confirming their suspicion that the email was a phishing attempt.

Based on their analysis of the email header, the user concluded that the email was indeed a phishing attempt and promptly deleted it.

Case 2: Malicious Email with Suspicious Attachments

In this case, an employee receives an email with an attachment claiming to be an invoice from a known vendor. However, the employee suspected the email might contain malware and decided to analyse the email header for any indicators of malicious intent.

Step 1: Analyse the “From” Field

The employee examined the “From” field and noticed that the email address did not match the vendor’s official email domain. This raised suspicions that the email was fraudulent.

Step 2: Check for Authentication Headers

The employee looked for SPF and DKIM authentication headers to verify the email’s authenticity. However, these headers were missing, indicating that the email may have been spoofed or tampered with.

Step 3: Examine the Attachment

The employee downloaded the attachment and scanned it using an antivirus software. The scan detected a known malware signature, confirming their suspicion that the email contained malicious content.

Based on their analysis of the email header and the presence of malware in the attachment, the employee reported the email to their organisation’s IT department and deleted it from their inbox.

Importance of Email Header Analysis

Email header analysis plays a crucial role in protecting individuals and organisations from email-based threats. The importance of email header analysis can be summarised as follows:

  1. Source Verification: Email headers provide crucial information about the source of an email. By analysing the header, you can identify the sender’s IP address, server details, and the path the email took to reach your inbox. This helps verify the authenticity of the email and detect any attempts at spoofing or forging.
  2. Detecting Phishing and Spoofing Attempts: Email header analysis can reveal signs of phishing attacks or email spoofing. By examining the header fields, you can look for inconsistencies or discrepancies that indicate a fraudulent email. This information helps in distinguishing legitimate emails from those attempting to deceive or trick recipients.
  3. Tracing Email Routes: Analysing the “Received” fields in the email header allows you to trace the path of the email from the sender to your inbox. This can be useful in identifying any unauthorised or suspicious relays or servers the email passed through. It helps determine if the email has been rerouted or if it originated from a known malicious source.
  4. Malware and Spam Detection: Email headers often contain indicators that can help in identifying malicious attachments or links. The presence of suspicious or unexpected file types, unusual message IDs, or inconsistencies in the email metadata can suggest the presence of malware or spam. This analysis aids in preventing potential security threats and protecting users from harmful content.
  5. Authentication and Security Checks: Email header analysis involves examining authentication mechanisms such as SPF and DKIM. Verifying the presence and validity of these fields helps ensure the email is from a legitimate sender and has not been tampered with during transit. It enhances email security and reduces the risk of falling victim to phishing or impersonation attacks.
  6. Incident Response and Forensic Investigations: In cases where malicious or fraudulent activity is suspected, email headers play a crucial role in incident response and forensic investigations. Analysing the headers can provide valuable information for tracking down the source of the email, identifying potential attackers, and understanding the attack vectors used.

Overall, email header analysis is a vital process for assessing the authenticity, integrity, and security of email communications. It helps users and organisations make informed decisions about handling emails, mitigating risks, and protecting against various forms of email-based threats.


In conclusion, email header analysis is a critical process for understanding the origin, authenticity, and potential threats associated with an email. By examining the various header fields, such as the sender information, routing details, authentication mechanisms, and spam indicators, individuals and organisations can make informed decisions regarding the legitimacy and security of the email.

Through header analysis, one can verify the true source of the email, detect phishing attempts or email spoofing, and trace the email’s path from sender to recipient. It helps in identifying suspicious relays, unauthorised servers, or signs of tampering during transit. Moreover, email header analysis plays a crucial role in malware and spam detection, as it can uncover indicators of malicious attachments, unusual file types, or inconsistencies in email metadata.

By scrutinising authentication mechanisms like SPF and DKIM, email header analysis enhances security by ensuring emails come from legitimate sources and have not been tampered with. This process is invaluable in incident response and forensic investigations, as it aids in tracking down attackers, understanding attack vectors, and strengthening defences against future threats.

Overall, email header analysis empowers users and organisations to make informed decisions about handling emails, mitigating risks, and safeguarding against email-based threats. By leveraging the insights gained from analysing email headers, individuals and organisations can effectively protect themselves from malicious emails, maintain data integrity, and promote a secure email communication environment.

This website uses cookies. By continuing to use this site, you accept our use of cookies.  Learn more