BEGINNER SECURITY GUIDE

How to read an email header and trace every visible hop

An email header is the message's travel log. It records addresses, mail servers, timestamps, authentication checks, and the route that the email says it followed.

What an email header can—and cannot—prove

The visible From line tells you the name and address shown in your inbox, but that field can be forged. A header becomes more useful when you compare it with the return address, the mail-server route, and the SPF, DKIM, and DMARC results.

A header can show which servers handled a message and which IP addresses those servers recorded. It usually cannot prove the real-world identity or exact physical location of the person who pressed Send. Webmail providers may hide the sender's home IP, private addresses are not internet locations, and a compromised account can still pass authentication.

The important sender and recipient fields

From

This is the sender identity displayed by an email app. Treat it as a claim until other checks support it.

Return-Path

This is the envelope address used for delivery failures. A different domain is not automatically malicious—mailing services often use separate bounce domains—but it deserves explanation.

Reply-To

This controls where your reply goes. A surprising Reply-To address is a useful warning sign.

To and Delivered-To

To is the intended visible recipient. Delivered-To or X-Original-To may show the mailbox that finally received the message.

How the Received route works

Each mail server normally adds a Received line at the top of the header. That means the newest line appears first in the raw text. To reconstruct the journey, read the lines from the bottom upward.

Hop 1: the earliest visible sending device or server hands the message to an outgoing mail server.
Hop 2: a relay or filtering service accepts and forwards it.
Final hop: the recipient's mail system accepts the message for delivery.

For each hop, look for the from, by, and with clauses, the timestamp after the semicolon, and any IP address inside square brackets. The from server is handing off the email; the by server is receiving it, and the by server of one hop should normally match the from server of the next.

Public, private, and reserved IP addresses

A public IP can be routed over the internet and may identify a hosting or email provider. Private ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 only describe an internal network. Reserved documentation addresses are examples, not real sender locations.

The first visible IP is not always the human sender's address. It may belong to a corporate gateway, VPN, webmail system, security filter, or cloud mail provider.

SPF, DKIM, and DMARC in plain English

SPF

SPF asks whether the sending server was authorized to send mail for the envelope (Return-Path) domain. A pass is useful, but it does not guarantee that the visible From address matches that domain.

DKIM

DKIM checks a domain's cryptographic signature and helps detect changes made after signing. A valid signature identifies a signing domain, not necessarily a trustworthy person.

DMARC

DMARC checks whether the visible From domain aligns with the SPF or DKIM identity and applies the domain owner's policy. A failure is a meaningful warning; a pass is only one part of the decision.

A safe review checklist

  1. Compare From, Return-Path, and Reply-To domains.
  2. Read Received lines from oldest to newest.
  3. Label every IP as public, private, or reserved.
  4. Check whether timestamps move forward sensibly.
  5. Review SPF, DKIM, and DMARC together.
  6. Be cautious with urgent requests, unexpected attachments, and login links even when authentication passes.
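The hop trace, IP labelling, and domain comparison from the sections above and from checklist steps 1 to 4, worked as an added example in Python (not code from the original guide). The header is constructed: every IP is an RFC 1918 private address or an RFC 5737 documentation address, and all host names, addresses, and timestamps are placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header. Newest Received line is at the top, as a real header would show.
RAW_HEADER = """Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.7])
 by mx.example.org with ESMTPS; Tue, 04 Jun 2024 10:03:12 +0000
Received: from gateway.example.net (unknown [198.51.100.20])
 by relay.example.net with ESMTP; Tue, 04 Jun 2024 10:03:09 +0000
Received: from laptop.lan ([192.168.1.55])
 by gateway.example.net with ESMTP; Tue, 04 Jun 2024 10:03:05 +0000
From: "Accounts" <billing@example.com>
Reply-To: <replies@example.org>
To: <user@example.org>

"""

# Captures the from host, the bracketed IP, and the by host of one Received clause.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\].*?by\s+(\S+)", re.S)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_ip(text):
    """Label an IPv4 address 'private' (RFC 1918), 'public', or 'reserved'
    (loopback, link-local, documentation ranges and similar non-routable space)."""
    ip = ipaddress.ip_address(text)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public" if ip.is_global else "reserved"

def trace_hops(raw):
    """Return hops oldest-first as (from_host, ip, ip_label, by_host, timestamp)."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):  # bottom of header = earliest hop
        match = HOP_RE.search(line)
        stamp = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        if match:
            hops.append((match.group(1), match.group(2), classify_ip(match.group(2)), match.group(3), stamp))
    return hops

def timestamps_in_order(hops):
    """Checklist step 4: each hop's timestamp should not precede the previous one."""
    return all(a[4] <= b[4] for a, b in zip(hops, hops[1:]))

def sender_domains(raw):
    """Checklist step 1: the domains of From, Return-Path, and Reply-To, for comparison."""
    msg = message_from_string(raw)
    return {h: parseaddr(msg.get(h, ""))[1].split("@")[-1].lower()
            for h in ("From", "Return-Path", "Reply-To")}
```

In the sample, the earliest hop is a private address and the relays use documentation addresses, so none of the three can be treated as a real sender location; the three sender domains also all differ, which is the mismatch the checklist says deserves an explanation.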