How to Read Email Headers Manually
A practical, print-friendly guide to verifying sender identity, tracing delivery paths, and spotting red flags using the raw header.
What an Email Header Is
The header is a block of metadata attached to every message. It lists the route the message took, which servers relayed it, when each hop occurred, and what authentication results were recorded. You can read it with no special tools, although a viewer helps format the output.
How to Copy the Full Header
Gmail on the web
- Open the message.
- Select the three dots menu near the reply button.
- Choose Show original.
- Click Copy to clipboard to capture the raw header.
Outlook on the web
- Open the message.
- Select the three dots menu at the top right.
- Choose View, then View message details or View source.
- Copy the header text.
Apple Mail (macOS)
- Open the message.
- From the menu bar, choose View, then Message, then All Headers or Raw Source.
- Copy the full header block.
Outlook desktop
- Open the message in its own window.
- Select File, then Properties.
- Copy everything in the Internet headers box.
What to Look For
1. Authentication results
These fields indicate whether the sending infrastructure is authorized to use the visible domain.
- SPF checks the sending IP against the domain’s authorized list.
- DKIM verifies a cryptographic signature tied to the domain.
- DMARC states policy alignment and final pass or fail.
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass (p=reject) header.from=paypal.com
A consistent pass on all three is a good sign. A softfail or fail can be legitimate in rare forwarding cases, but in combination with other anomalies it raises risk.
2. Identity consistency
Compare the visible sender to the technical senders.
- From should match the organization you expect.
- Return-Path shows the bounce address; large mismatches are suspicious.
- Sender and Reply-To should make sense for the brand.
From: "PayPal" <service@paypal.com> Reply-To: billing@random-domain.example Return-Path: bounce@mailer.paypal.com
A Reply-To on a different, unrelated domain often indicates a lure that diverts responses away from the brand.
3. The Received chain
Each mail server inserts a new Received: line at the top. Read from bottom to top to trace the route.
Received: from mta-1.origin.example (203.0.113.10) by relay-2.example;
Wed, 08 Oct 2025 10:14:00 -0700
Received: from relay-2.example by mx.yourdomain.net;
Wed, 08 Oct 2025 10:14:05 -0700
- Look for unrecognized hosts that do not match the sender’s infrastructure.
- Watch timing gaps. Large unexplained delays can indicate relaying or manipulation.
- Check private or reserved IPs that should not appear as public senders.
4. Message-ID and Date
Message-ID format usually reflects the sending system. Completely generic or malformed IDs can be a sign of poor infrastructure. A Date that disagrees with the Received timestamps is also suspicious.
5. Red flags that deserve extra caution
- Authentication failures together with a Reply-To on a different domain.
- Links that differ from the brand’s real domains.
- Requests for urgent action, gift cards, wire changes, or password resets you did not initiate.
Quick Manual Workflow
- Copy the full header.
- Check SPF, DKIM, and DMARC results.
- Compare From, Reply-To, Return-Path, and Sender for consistency.
- Read the Received chain from bottom to top and confirm the route is plausible.
- Evaluate Message-ID and Date for normal formatting and alignment.
- Decide: if multiple anomalies appear, treat the message as suspicious and verify through another channel.
Using the CyberLifeCoach Analyzer
You can validate your manual reading with the free analyzer. It runs entirely in your browser, processes data locally, and never uploads headers to a server. It summarizes SPF, DKIM, DMARC, highlights identity mismatches, and formats the Received chain with timing deltas.
Privacy Tips When Sharing Headers
- Headers may contain your email address and sometimes IP addresses. Redact personal details before posting screenshots.
- If you need help from a colleague, share only the header text, avoid attachments you cannot verify.
Practice Example
This is a small, synthetic snippet you can read without risk.
From: "Service" <notice@example-payments.com> Reply-To: helpdesk@payments-support.example Return-Path: bounces@mail.example-payments.com Authentication-Results: mx.yourdomain.net; spf=softfail; dkim=fail; dmarc=fail Received: from userpc.lan (192.0.2.20) by relay-unknown.example; Wed, 08 Oct 2025 10:11:02 -0700 Received: from relay-unknown.example by mx.yourdomain.net; Wed, 08 Oct 2025 10:12:10 -0700 Message-ID: <abc123@unknown> Date: Wed, 08 Oct 2025 10:12:05 -0700
Here, multiple signals align: failures on SPF, DKIM, and DMARC, an off-brand Reply-To, a private LAN address appearing as a sender, and a route through an unknown relay. Treat as suspicious and verify directly with the brand through a trusted channel.
Legal-Disclaimer and Responsible Use
The Email Header Analyzer has been developed and tested by CyberLifeCoach with careful attention to accuracy and validation. While the tool has demonstrated reliable results during testing, no automated or human-assisted analysis can guarantee 100% precision. Email infrastructure varies widely across services, and certain headers may appear differently depending on forwarding, relays, or security gateways.
This tool is provided to assist with learning and investigation — it should never be your sole source of verification. Always confirm sender legitimacy using multiple sources, including direct domain lookup, official contact verification, and common-sense review of message context.
CyberLifeCoach and its affiliates make no warranties, expressed or implied, regarding completeness or accuracy, and shall not be held liable for any misinterpretation or decision based solely on tool output.