Email Forensics

How to Trace an Email?

Table of Content

    There are many reasons why you want to trace an email. It could be because you want to investigate a crime or you do not trust the source of the mail. It has been noted that most cyberattacks start from the email through phishing, spoofing, and spamming. Therefore, it is important to understand how to trace emails to expose the malicious senders and ultimately avoid them.


    Whether you use Gmail, Office 365, Outlook, or another emailing platform, the messages have a similar format. The sender’s name is usually attached to the message header to aid identification. If the sender is an enterprise, a unique profile icon is displayed alongside the name. However, this is not enough if you want accurate information on who the sender is, especially when you are not expecting the message. You can thoroughly analyze the email header as it not only contains the name of the sender but also the routing information and email metadata that could help you know more about the sender. 

    What is an Email Header?

    An email header is a part of the email message that carries significant information about inbound mail. The email header is located above the main body of the message and contains information that can help you unravel the genuine source of the sender. It comprises the sender and receiver details, IP address, the return path, content type, delivery period, etc. It also provides reports that show if the sender passed the security protocols, such as SPF, DKIM, and DMARC.

    Importance of Email Header in Tracing an Email

    Email header contains various information fields that can help in differentiating a spam or phishing email from a genuine email. It also helps you to trace the original source or sender of the email. Email header investigation can help you in the following ways: 

    1.  Validates the Source of the Sender

    Phishing attacks mostly come from a spoofed email address. The attackers pretend as your business client or a service provider to lure you into releasing valuable information. By checking the full email header of a message, you can verify if the sender is genuine.

    2. Provides Authentication Reports on the Sender

    The full email header reveals if the sender passed or failed the scrutiny by security mechanisms, such as SPF, DKIM, and DMARC. An email that failed either of these protocols should be considered a threat.

    3. Reveals the Route Information of the Sender

    With the route information in the email header, you can track the IP address of the sender with the help of a tool. You can also permanently block the source from sending you unwanted messages.

    How to Investigate Email Header to Trace Email?

    To trace an email, locate the email header first. Finding the full email header can be tricky because many email service providers tend to hide some of its components to improve user experience. Nonetheless, locating and studying an email header is simple if you dedicate some minutes. Let’s understand how to analyze email header to trace an email.

    To trace an email, it is crucial to understand what each piece of information in the email header represents. 

    From: This is the information that appears in your inbox as the sender’s name. Sometimes, this information can be unreliable.

    To: This contains information about the recipient.

    Delivered To: This is the final destination of the message.

    Date: This contains information about the time, day, month, and year, when the message is arrived.

    Subject: This field contains the content of the email.

    Return path: This is where replies to emails go. A careless attacker might spoof the address only for the return path to display their source.

    Content type: This tells your email client how to decode the email, which can be in a UTF-8 character set or ISO-8859-1.

    MIME version: Multipurpose Internet Mail Extension shows the email format standard in which the message comes. Currently, the 1.0 version is in use.

    DKIM Signature: This validates the sender.

    Received SPF: This authentication process prevents spoofing of the originator’s address.

    Received: This shows the servers from where the message passed before it reaches you. The bottom server is the message creator.

    Authentication results: This contains the results of the authentication process used to validate the sender.

    ARC Authentication-Results: Authenticated Receive Chain validates the identity of the servers from where the message passed to reach its final destination.

    ARC Message Signature: This verifies the email header.

    ARC Seal: This validates the authenticated results and message signature.

    X Spam Status: This shows if the email identifies is spam. It displays the spam score and limit of the email. If the mail exceeds the spam limit, it will appear in the spam folder.

    By meticulously analyzing the email header, you can easily trace the origin of the email or sender. The authentication results, spam status, and comparison between From and Return Path address is enough to know if they are legitimate or malicious. 


    You can manually inspect the email headers for tracing and verification of the email source. Nevertheless, the sophistication of threat actors is also increasing at a high rate. A malicious sender can manipulate this process and find a way to you or cover tracks. It is recommended to be wary of unexpected emails with spontaneous offers.

    Was this article helpful?

    No NO

    About The Author

    Leave a comment

    Your email address will not be published. Required fields are marked *

    Image Captcha
    Refresh Image Captcha

    Enter Captcha Here :

    Related Posts


    Why Choose Stellar?

    • 0M+


    • 0+

      Years of Excellence

    • 0+

      R&D Engineers

    • 0+


    • 0+


    • 0+

      Awards Received