Phishing is one of the most common forms of cyber crime with billions of phishing emails sent out everyday. Email headers provide detailed information about an email’s journey from the sender to the receiver. Analyzing email message headers can assist in giving valuable information, but should not be used as the only method to determine if an email is legit. It is important to analyze the contents of the email as well including what is written, links, or attachments that may contain malware.
Retrieving the Email Header
Gmail:
- Open the email message.
- Click on the three vertical dots (more options) next to the reply arrow.
- Select “Show original” to view the full email header.
Outlook:
- Open the email message.
- Click on “File” > “Properties”.
- View the Internet headers section for the full email header.
Common Email Header Analyzer Tools
- Message Header Analyzer (https://mha.azurewebsites.net/)
- MX Toolbox (https://mxtoolbox.com/EmailHeaders.aspx)
Key Components of an Email Header:
- Authentication Results – indicates whether SPF, DKIM, and DMARC checks passed or failed which is used to help determine email spoofing.
- Received Headers – shows the sequence of servers that handled the email. It is used for tracing the email’s path by giving timestamps, server names, and IP addresses.
- Return Path – email address where delivery errors are sent.
- X-Received – timestamp and details of when the email provider received the email.
- ARC-Seal – cryptographic seal for each server it passes through on its way. The seal includes information including the server’s domain and time it was processed.
- ARC-Message-Signature – cryptographic signature to ensure that headers were not altered passing through each server on its way to its destination.
- ARC-Authentication-Results – combines authentication results from SPF, DKIM, and DMARC to confirm if each server in the delivery chain verified the sender’s identity and that it passed authentication checks.
- Content-Type – specifies the format of the content in the email.
- Content-Transfer-Encoding – the encoding method to represent the email content that can be decoded accurately.
- List-Unsubscribe-Post – information on how to unsubscribe from mailing lists.
- X-Feedback-ID – the email server providers use feedback loops to receive notifications when email receivers mark emails as spam or unsubscribe from mailing lists.
- X-SG-EID/X-SG-ID – specific to SendGrid, an email delivery platform that tracks opens, clicks, and email delivery metrics.
Analyzing the Email Header
- Identify the Source: Start from the top with the oldest Received Header line. Trace through each server or gateway listed. Look for inconsistencies or unexpected servers.
- Check Authentication Results: Look for indications of SPF, DKIM, and DMARC verification results. These can help determine if the email passed legitimate authentication checks.
- IP Addresses: Note the IP addresses of the servers listed in the Received lines. Look up these IPs using IP locater tools to determine their location. This can help identify if the email has been routed through suspicious servers or countries.
- Message ID and Date: Verify the uniqueness of the Message ID. Cross-check the date and time with the sender’s claimed time of sending.
- Content-Type: Ensure that the content type matches what is expected.
Conclusion
Examining email headers can help provide details to determine if an email is legitimate. Knowing how to analyze email message headers is a needed skill for any person looking to get into cyber security.