Friday, May 24, 2024

Email Header Analysis – Verify Received Email is Genuine or Spoofed

Email header analysis is an essential process for preventing malicious threats, since email is a business-critical asset.

A fraudulent (spoofed) email is one whose header has been altered to make the message appear to come from somewhere other than its actual source.

If such a mail bypasses the spam filter and reaches the inbox, the impact on the organization can be critical.

This opens the organization to attacks such as social engineering and the delivery of malicious payloads to compromise internal assets.

The headers of an email message are examined to find out where the message came from, how it got there, and whether it is genuine.

This is called email header analysis. Email headers hold information about an email, such as who sent it, who received it, what it was about, and the systems it passed through.

Looking at email headers can help you find problems like spam, phishing attempts, or issues with email delivery.

Table of Contents

Email Header Analysis – Analyzing message headers
Email Header Analysis – Breakdown
DomainKeys Identified Mail
Email Header Analysis – Open Relay Test
Email Header Analysis – Threat Intelligence Report


1. How do I analyze email headers in Outlook?

  • Open the email that you want to examine.
  • In Outlook, click on “File” in the upper left corner.
  • Click on “Properties” on the screen that appears.
  • The email headers are in the “Internet Headers” part of the Properties window.
  • Look at the header information to figure out where the email came from and how it got there.

2. What is the importance of email header analysis?

It helps find phishing attempts, spam, and malicious emails by showing header information that doesn’t make sense or looks suspicious.

Check for authentication methods like SPF, DKIM, and DMARC to make sure that an email is real. This makes sure that emails come from real sources.

It tracks an email from sender to receiver, which helps figure out why emails aren’t getting delivered and find possible bottlenecks.

3. What is the best email header analyzer?

This is a flexible tool that can be used by IT workers and security experts because it can analyze email headers, look up DNS servers, and check blacklists.

This web-based tool from Google is easy to use and gives a simple analysis of email headers, so a lot of people can use it.

It helps Office 365 users figure out why their emails aren’t getting delivered and gives them useful information about headers.

  • Message headers (email headers) are used by people and include From, To, Cc, and Subject.
  • The email message headers are contained in the envelope headers, which are used by the Simple Mail Transfer Protocol (SMTP).
  • Investigating headers will provide routing details.
  • You can view the raw content in the mailbox under More > Show original or View Raw Message.

Note: Before we start investigating the envelope header, let’s break down the process for better understanding.

Email Header Analysis – Breakdown

The envelope header (email header) contains many fields, but the following are the most important to investigate when you think something is suspicious.


  • Delivery status notices are sent to this address
  • Validation by Sender Policy Framework (SPF)
  • Looks up the domain in the return path (SMTP envelope sender) and verifies that the corresponding IP is authorized to send an email for the domain.
  • But this does not prevent attackers from spoofing the “From” address.


  • Email address used in message replies
  • overrides the “From” address in replies


  • A single email will have multiple “Received” entries
  • The bottom “Received” entry will show the initial server to handle the message.

A line beginning with X

  • Added by email servers and security tools. Received & X-Fields are created by your own email services and are completely trustworthy entries.

Email Header Analysis – Header Drill Down

  • In this, you can view mail Received from (EHLO (

Malformed SPF

  • Received-SPF shows a permanent error during validation.
  • This is good evidence that the mail is spoofed and the Sender Policy Framework check failed.
  • As discussed earlier, SPF does not prevent attackers from spoofing the “From” address.

DomainKeys Identified Mail

  • DKIM digitally signs emails; the receiver runs a DNS query to get the public key from the sender domain.
  • Does not prevent attackers from spoofing the “From” address.
  • Can validate message integrity.
  • Here, dkim=neutral (no sig) shows that the message carries no signature.
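The header checks described above, applied to a constructed message as an added example (not code from the original article): it compares the Return-Path and Reply-To domains with From, reads the SPF and DKIM verdicts, and takes the sending IP only from “Received” entries stamped by your own servers. The `TRUSTED` host names, the sample message and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"inbox.corp.example", "mx.corp.example"}  # assumption: servers you operate

# Constructed sample message; hosts and addresses are documentation values.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbox.corp.example with ESMTP id A1; Fri, 24 May 2024 10:00:03 +0000
Received: from unknown (EHLO billing.example.com) (203.0.113.77)
\tby mx.corp.example with SMTP id B2; Fri, 24 May 2024 10:00:01 +0000
Received: from hq.example.com (198.51.100.5)
\tby relay.example.com with SMTP id C3; Fri, 24 May 2024 09:59:58 +0000
Authentication-Results: mx.corp.example; spf=permerror; dkim=neutral (no sig)
From: "Billing" <billing@example.com>
Reply-To: payments@example.org
Subject: Invoice overdue
"""

def domain(value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def boundary_ip(hops):
    """IP that handed the mail to the outermost trusted server (hops newest first)."""
    ip = None
    for hop in hops:
        flat = " ".join(hop.split())  # unfold continuation lines
        by = re.search(r"\bby (\S+)", flat)
        if not by or by.group(1).lower() not in TRUSTED:
            break  # entries below were not written by servers we control
        m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", flat.split(" by ")[0])
        ip = m.group(0) if m else ip
    return ip

def analyze(raw):
    msg = message_from_string(raw)
    frm = domain(msg["From"])
    auth = [a for a in msg.get_all("Authentication-Results", [])
            if a.split(";")[0].strip().lower() in TRUSTED]  # ignore results we did not stamp
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(auth)))
    findings = [f"{h} domain {domain(msg[h])} differs from From domain {frm}"
                for h in ("Return-Path", "Reply-To") if domain(msg[h]) not in ("", frm)]
    findings += [f"{k}={verdicts.get(k, 'missing')}" for k in ("spf", "dkim")
                 if verdicts.get(k) != "pass"]
    return {"sender_ip": boundary_ip(msg.get_all("Received", [])),
            "verdicts": verdicts, "findings": findings}
```

The bottom “Received” entry in the sample is stamped by a host outside `TRUSTED`, so `analyze(RAW)` reports the IP recorded by `mx.corp.example` instead of the address that entry claims.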

Email Header Analysis – Open Relay Test

  • An open relay is an SMTP server configured in such a way that it allows a third party to relay (send/receive) email messages that are neither from nor for local users.
  • Therefore, such servers are usually targets for spam senders.
  • The test passed with an error message: relay access is denied.
  • So the attacker is targeting the victim to click the link and pay money.
  • The above figure shows that the attacker’s goal is to get the victim to click and pay the amount, using a legitimate-looking source email address.

Email Header Analysis – Threat Intelligence Report

  • Checking the reputation of the malicious IP.
  • You can use online tools to look up the reputation.
    Example: VirusTotal or IBM X-Force
  • So here we can conclude that the attacker tried communicating with the victim using spoofing techniques to appear as a legitimate user.
  • Be aware of social engineering attacks delivered through technology.
  • Never click and pay when the communicating IP is not trustworthy.
