Start with authentication, then trace delivery, then compare identities.
Look for Authentication-Results or Received-SPF. You want SPF, DKIM, and DMARC to pass. Fails or softfails increase risk. A pass does not guarantee safety if alignment is off.
Read Received: headers from bottom to top. Confirm the first public-facing server for the sending domain and watch for sudden jumps, private addresses exposed to the public internet, and unusual time gaps.
Compare domains across From, Return-Path, Reply-To, and the domain in Message-ID. Mismatches can be benign forwarding or signs of spoofing.
Even with clean headers, unexpected invoices, password resets, or urgent requests can still be malicious. Verify through a known channel before acting.
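The three steps above, carried out over a constructed message, as an added example that is not part of the original text. It uses only the Python standard library; the sample headers, the one-hour gap threshold and the "last two labels" approximation of an organisational domain are assumptions made here for illustration, not anything the text specifies.

```python
"""Header triage in the order described: authentication, Received chain, identities."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real capture. DKIM and DMARC fail and Reply-To
# points at a look-alike domain, so the checks below have something to flag.
SAMPLE_RAW = """\
Return-Path: <bounce@example-sender.test>
Received: from mail.example-sender.test (mail.example-sender.test [198.51.100.5])
\tby mx2.example-receiver.test with ESMTPS; Tue, 4 Jun 2024 09:15:01 +0000
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mail.example-sender.test with ESMTPA; Tue, 4 Jun 2024 09:14:59 +0000
Authentication-Results: mx2.example-receiver.test;
\tspf=pass smtp.mailfrom=example-sender.test;
\tdkim=fail header.d=example-sender.test;
\tdmarc=fail header.from=example-sender.test
From: Accounts <billing@example-sender.test>
Reply-To: <payments@example-lookalike.test>
Message-ID: <20240604091459.1234@mail.example-sender.test>
Subject: Invoice overdue
To: victim@example-receiver.test

Please pay the attached invoice today.
"""

# RFC 1918, loopback and link-local only. ipaddress.is_private would also
# count the documentation ranges used in the sample (198.51.100.0/24) as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]
HOP_RE = re.compile(r"^from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", re.I)


def is_private_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def auth_results(msg):
    """Step 1: {method: result} from Authentication-Results, Received-SPF as fallback."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results.setdefault(method.lower(), result.lower())
    if "spf" not in results and msg.get("Received-SPF"):
        results["spf"] = str(msg["Received-SPF"]).split()[0].lower()
    return results


def trace_hops(msg):
    """Step 2: Received headers in delivery order (bottom of the header block first)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())
        m = HOP_RE.search(text)
        if not m:
            continue
        when = None
        if ";" in text:  # the timestamp follows the last ';'
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({"host": m.group(1).strip("[]"), "ip": m.group(2),
                     "private": is_private_ip(m.group(2)), "when": when})
    return hops


def org_domain(domain):
    """Assumed simplification: last two labels stand in for a public-suffix lookup."""
    return ".".join(domain.lower().split(".")[-2:])


def identity_domains(msg):
    """Step 3: the domain behind From, Return-Path, Reply-To and Message-ID."""
    doms = {}
    for field in ("From", "Return-Path", "Reply-To"):
        if msg.get(field):
            doms[field] = parseaddr(str(msg[field]))[1].rpartition("@")[2].lower()
    if msg.get("Message-ID"):
        doms["Message-ID"] = str(msg["Message-ID"]).strip("<> ").rpartition("@")[2].lower()
    return doms


def assess(raw, max_gap_seconds=3600):
    """Run all three steps and collect the points that deserve a closer look."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "missing") != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    hops = trace_hops(msg)
    first_public = next((h for h in hops if not h["private"]), None)
    seen_public = False
    for prev, hop in zip([None] + hops, hops):
        if hop["private"] and seen_public:  # private address beyond a public relay
            findings.append(f"private address {hop['ip']} after a public hop")
        seen_public = seen_public or not hop["private"]
        if prev and prev["when"] and hop["when"]:
            gap = (hop["when"] - prev["when"]).total_seconds()
            if gap < 0 or gap > max_gap_seconds:
                findings.append(f"unusual gap of {int(gap)}s before {hop['host']}")
    doms = identity_domains(msg)
    from_org = org_domain(doms.get("From", ""))
    if first_public and org_domain(first_public["host"]) != from_org:
        findings.append(f"first public hop {first_public['host']} is not in {from_org}")
    for field, dom in doms.items():
        if field != "From" and org_domain(dom) != from_org:
            findings.append(f"{field} domain {dom} does not match From domain {doms.get('From')}")
    return {"auth": auth, "hops": hops, "domains": doms, "findings": findings}


if __name__ == "__main__":
    report = assess(SAMPLE_RAW)
    for hop in report["hops"]:
        print(f"hop {hop['host']} [{hop['ip']}] private={hop['private']}")
    for flag in report["findings"]:
        print("FLAG:", flag)
```

On the sample this reports the DKIM and DMARC failures and the Reply-To domain that does not match From, while the private 10.0.0.7 address is not flagged because it sits at the origin, behind the sender's own relay; a private address appearing after a public hop is what the checklist calls out. The Message-ID host differs from From only by a subdomain, which the organisational-domain comparison treats as consistent.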