Introduction
First, it helps to know why you would want to find an email header, and how to analyze it once you have it. You have probably received suspicious emails and were not sure whether they were spam. Such an email can appear to come from a legitimate address while the content does not seem right: it may contain grammar and spelling mistakes, ask you to click suspicious links, or ask you to hand over private or sensitive information. Emails like this are usually phishing attacks that use email address spoofing to make them seem more legitimate.
Email address spoofing
Email address spoofing means the sender forges the sender address so the email appears to come from someone else, usually a person or an organization you know. It is commonly used in phishing attacks to make them more believable, and it can also help the message get past some spam filters. To check whether an email really came from where it appears to, you need to find and analyze its header.
Email header
The email header is the block of header fields at the top of the message. Some of them are written by the sender (From, To, Subject, Date, Message-ID), some are added by every mail server the message passes through (Received), and some are added by the receiving server (Authentication-Results, with the SPF, DKIM and DMARC verdicts). Together they let you check where the email actually came from.
Main part of an email header
From - the address the email claims to have been sent from; this is set by the sender, and it is exactly what spoofing forges
To - which email address the email was sent to
Date - date and time when the email was sent
Subject - subject of the email
Additional parts of an email header
Return-Path - the envelope sender address, where the bounce message is sent if the email is not delivered or is rejected
Authentication-Results - the results of the SPF, DKIM and DMARC checks, recorded by the receiving server
Received - relay information; each server that handles the message prepends its own Received line, so together they form a log of the hosts and IP addresses the email traveled through, with the most recent hop at the top
Message-ID - a unique ID assigned when the email was created
MIME-Version - which MIME (Multipurpose Internet Mail Extensions) version was used to format the email
Content-Type - information about the structure of the email, e.g. whether it is HTML or plain text
Finding an email header
The process varies from mail client to mail client, so here are instructions for a few of the most used ones:
Gmail
Click the three-dot icon in the top-right corner of the email and select Show original
Apple
Select View in the menu bar at the top, then Message, then All Headers
Outlook
Open the email and select Properties from the File menu, then scroll down and locate Email Headers in the Internet Headers box
Webmail
Select Show Source from the More menu
Hotmail
Select email and right-click for a drop-down, then select View Message Source
Thunderbird
Open email, click on View, then select Message Source
A copied header usually starts with a line such as Delivered-To: name@example.com, and headers can be quite long. The next step is to read the header yourself or analyze it with an online tool.
Analysis of an email header
For this example, we will analyze the header of a phishing email that appeared to be sent from SBB (EUnet), using the header analysis tool from MXToolBox. After opening the tool, paste the email header into the text box and click the Analyze Header button.
Once the header has been analyzed, the top section shows whether the email passed the SPF, DKIM and DMARC checks. Below that is the relay information, including whether any of those servers is on a blacklist.
Below that, we can see exactly which parts of the SPF, DKIM and DMARC checks failed:
Finally, there is a table that shows all of the information from the email header in a form that is easier to read:
To check whether an email really came from the sender shown, compare the From, Received and Return-Path parts of the header. If any one of them does not align with the other two, the email was not sent from the sender you thought it was.
In the example above, although the From line says the email was sent from admin@eunet.co.rs, the Received-SPF part shows that it was not sent from an authorized IP address, and also how this happened: the SPF record was not configured properly.