What an email header can—and cannot—prove
The visible From line tells you the name and address shown in your inbox, but that field can be forged. A header becomes more useful when you compare it with the return address, the mail-server route, and the SPF, DKIM, and DMARC results.
A header can show which servers handled a message and which IP addresses those servers recorded. It usually cannot prove the real-world identity or exact physical location of the person who pressed Send. Webmail providers may hide the sender's home IP, private addresses are not internet locations, and a compromised account can still pass authentication.
The important sender and recipient fields
From
This is the sender identity displayed by an email app. Treat it as a claim until other checks support it.
Return-Path
This is the envelope address used for delivery failures. A different domain is not automatically malicious—mailing services often use separate bounce domains—but it deserves explanation.
Reply-To
This controls where your reply goes. A surprising Reply-To address is a useful warning sign.
To and Delivered-To
To is the intended visible recipient. Delivered-To or X-Original-To may show the mailbox that finally received the message.
How the Received route works
Each mail server normally adds a Received line at the top of the header. That means the newest line appears first in the raw text. To reconstruct the journey, read the lines from the bottom upward.
For each hop, look for from, by, with, the timestamp after the semicolon, and any address inside square brackets. The from server is handing off the email; the by server is receiving it.
Public, private, and reserved IP addresses
A public IP can be routed over the internet and may identify a hosting or email provider. Private ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 only describe an internal network. Reserved documentation addresses are examples, not real sender locations.
The first visible IP is not always the human sender's address. It may belong to a corporate gateway, VPN, webmail system, security filter, or cloud mail provider.
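The two sections above, turned into a small working check: the script below is an added example (not code from the original page) that parses a constructed raw header, reverses the Received lines so they read oldest-first, pulls out from, by, with, the bracketed IP and the timestamp for each hop, labels each IP as public, private or reserved, and confirms that the timestamps move forward. The sample header, its host names and the hop timestamps are constructed for the example; it uses only RFC 1918 space and the 203.0.113.0/24 documentation range, and only the standard library.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header (not a real message). The addresses are from
# RFC 1918 private space and the 203.0.113.0/24 documentation range on purpose.
RAW_HEADER = """Received: from mx-edge.example.net (mx-edge.example.net [203.0.113.10])
\tby inbox.example.org with ESMTPS; Tue, 05 Mar 2024 10:02:15 +0000
Received: from webmail.example.com (unknown [192.168.4.20])
\tby mx-edge.example.net with ESMTP; Tue, 05 Mar 2024 10:02:10 +0000
From: Alice <alice@example.com>
To: bob@example.org
Subject: constructed sample

(body)
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
DOCUMENTATION_NETS = [ipaddress.ip_network(n) for n in
                      ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def classify_ip(text):
    """Label an address as 'public', 'private' or 'reserved'.
    Documentation ranges are checked explicitly because ipaddress counts them
    as private, while the three-way split used here wants them called reserved."""
    addr = ipaddress.ip_address(text)
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    if any(addr in net for net in DOCUMENTATION_NETS):
        return "reserved"
    # Loopback, link-local, multicast, unspecified and similar special ranges
    # are not internet locations either; is_global is False for all of them.
    return "public" if addr.is_global else "reserved"


def parse_received(value):
    """Pull from/by/with, the bracketed IP and the timestamp out of one
    Received header. Folded continuation lines are joined first."""
    text = " ".join(value.split())
    # The timestamp follows the last semicolon; everything before it is the route clause.
    if ";" in text:
        clause, date_text = text.rsplit(";", 1)
    else:
        clause, date_text = text, ""

    def token_after(keyword):
        match = re.search(r"\b%s\s+([^\s;()]+)" % keyword, clause)
        return match.group(1) if match else None

    ip_match = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", clause)
    try:
        when = parsedate_to_datetime(date_text.strip()) if date_text.strip() else None
    except (TypeError, ValueError):
        when = None  # unparseable date: keep the hop, drop the time
    return {
        "from": token_after("from"),   # host handing the message off
        "by": token_after("by"),       # host receiving it
        "with": token_after("with"),   # protocol, e.g. ESMTPS
        "ip": ip_match.group(1) if ip_match else None,
        "time": when,
    }


def reconstruct_route(raw_message):
    """Return hops oldest-first (the reverse of header order), with each
    recorded IP labelled public/private/reserved."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # newest line is first in the raw text, so flip it
    for hop in hops:
        hop["ip_class"] = classify_ip(hop["ip"]) if hop["ip"] else None
    return hops


def timestamps_in_order(hops):
    """True when every dated hop is no earlier than the hop before it."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(earlier <= later for earlier, later in zip(times, times[1:]))


if __name__ == "__main__":
    route = reconstruct_route(RAW_HEADER)
    for number, hop in enumerate(route, 1):
        print(number, hop["from"], "->", hop["by"], hop["ip"], hop["ip_class"], hop["time"])
    print("timestamps in order:", timestamps_in_order(route))
```

On the sample, the first hop is the webmail host with a 192.168.x.x address, which is labelled private and therefore says nothing about where the sender sat; the edge server's documentation-range address is labelled reserved. Clock skew between servers is common, so a timestamp that steps back by a few seconds is worth a look rather than an automatic alarm.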
SPF, DKIM, and DMARC in plain English
SPF
SPF asks whether the sending server was authorized to send mail for the envelope domain. A pass is useful, but it does not guarantee the visible From address matches.
DKIM
DKIM checks a domain's cryptographic signature and helps detect changes made after signing. A valid signature identifies a signing domain, not necessarily a trustworthy person.
DMARC
DMARC checks whether the visible From domain aligns with the SPF or DKIM identity and applies the domain owner's policy. A failure is a meaningful warning; a pass is only one part of the decision.
A safe review checklist
- Compare From, Return-Path, and Reply-To domains.
- Read Received lines from oldest to newest, that is, from the bottom of the header upward.
- Label every IP as public, private, or reserved.
- Check whether timestamps move forward sensibly.
- Review SPF, DKIM, and DMARC together.
- Be cautious with urgent requests, unexpected attachments, and login links even when authentication passes.
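The SPF, DKIM and DMARC section and the first and last checklist items above, as an added example that is not part of the original page: the script compares the From, Return-Path and Reply-To domains, reads the receiving server's Authentication-Results header, and reports whether SPF or DKIM passed with an identity that lines up with the visible From domain. The sample message and its domains are constructed. Two assumptions are labelled in the code: only an Authentication-Results header stamped by your own receiving host (the trusted_authserv argument) is believed, since any sender can add that header too, and the aligned() helper approximates DMARC relaxed alignment by a parent/child domain test instead of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): DKIM passes for the From domain,
# SPF passes only for a separate bounce domain, and Reply-To points elsewhere.
RAW_MESSAGE = """Authentication-Results: inbox.example.org;
\tspf=pass smtp.mailfrom=bounce.example-mailer.net;
\tdkim=pass header.d=example.com;
\tdmarc=pass header.from=example.com
Return-Path: <bounces+123@bounce.example-mailer.net>
From: "Alice" <alice@example.com>
Reply-To: alice.payments@example-lookalike.test
To: bob@example.org
Subject: constructed sample

(body)
"""


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or None."""
    address = parseaddr(header_value or "")[1]
    domain = address.rpartition("@")[2].lower()
    return domain or None


def parse_auth_results(value):
    """Return (authserv_id, {method: (result, domain)}) from one
    Authentication-Results header. Only spf, dkim and dmarc are collected."""
    text = " ".join(value.split())
    authserv_id = text.split(";", 1)[0].strip().lower()
    methods = {}
    pattern = r"\b(spf|dkim|dmarc)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+))?"
    for match in re.finditer(pattern, text):
        method, result, identity = match.group(1), match.group(2).lower(), match.group(3) or ""
        # smtp.mailfrom may carry a full address; keep only its domain
        domain = identity.rpartition("@")[2].lower() or None
        methods[method] = (result, domain)
    return authserv_id, methods


def aligned(domain_a, domain_b):
    """Approximation of DMARC relaxed alignment: equal, or parent/child domains.
    Real DMARC compares organizational domains using the Public Suffix List;
    this shortcut is an assumption made for the example, not the full rule."""
    if not domain_a or not domain_b:
        return False
    return (domain_a == domain_b
            or domain_a.endswith("." + domain_b)
            or domain_b.endswith("." + domain_a))


def review(raw_message, trusted_authserv):
    """Compare From, Return-Path and Reply-To domains and check whether SPF or
    DKIM passed with an identity aligned to From. Only Authentication-Results
    stamped by trusted_authserv (assumed to be your own receiving host) are
    used, because a sender can insert that header as well."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))

    methods = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, found = parse_auth_results(value)
        if authserv_id == trusted_authserv.lower():
            methods.update(found)

    spf_result, spf_domain = methods.get("spf", (None, None))
    dkim_result, dkim_domain = methods.get("dkim", (None, None))
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain)

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain %s differs from From domain %s"
                        % (return_path_domain, from_domain))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (reply_to_domain, from_domain))
    if not (spf_aligned or dkim_aligned):
        findings.append("no SPF or DKIM pass is aligned with the From domain")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": methods.get("dmarc", (None, None))[0],
        "findings": findings,
    }


if __name__ == "__main__":
    for line in review(RAW_MESSAGE, "inbox.example.org")["findings"]:
        print("-", line)
```

On the sample the DKIM pass is aligned with example.com, so DMARC is satisfied, yet the review still lists two findings: the bounce domain differs (plausibly a mailing service, which deserves an explanation) and the Reply-To points at an unrelated domain, which is the stronger warning. That is the point of the checklist: a DMARC pass settles who signed, not whether the request is safe to act on.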