Email message headers read like a travel log for every message that hits your inbox. By unpacking the metadata, you can validate who really sent the mail, where it traveled, and whether someone tampered with it along the way. Here is a practical guide for turning raw headers into trustworthy intel.
- Open the suspicious email.
- Choose View message source or View message headers (wording varies by client).
- Copy the entire header block for analysis.
- Paste the header into a message header analyzer tool https://mha.azurewebsites.net/.
- Let the tool parse the fields so you can focus on interpretation, not formatting.
- Confirm that the From, Return-Path, and Reply-To domains match what you expect.
- Validate recipient lists to ensure the message was actually meant for you or your team.
- Review the Received chain to see each server hop, complete with timestamps and IP addresses.
- Flag anomalies such as unexpected geographies or servers outside the sender's organization.
- Look for delivery result lines that indicate success, delay, or bounce conditions.
- Repeated retries or unexplained delays can point to spoofing or misconfigured infrastructure.
- Confirm SPF, DKIM, and DMARC verdicts; failures are a strong warning sign.
- Note any TLS or other encryption indicators to assess transport security.
- Examine the subject, message ID, and sent/received timestamps for inconsistencies.
- Capture anything unusual (custom X-headers, mailing list tags, etc.) for further investigation.
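The sender-alignment, Received-chain, and SPF/DKIM/DMARC checks above, as an added Python example; it is not code from this guide or from the analyzer tool it links. The header block is constructed with placeholder hosts, IPs and addresses, and the regexes assume the common Received and Authentication-Results layouts rather than every variant a real MTA can emit.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample header block (placeholder hosts, IPs and ids), not a real message.
RAW_HEADERS = """Return-Path: <bounce@mailer.example.net>
Received: from mx2.example.com (mx2.example.com [198.51.100.20])
 by inbox.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.net (unknown [203.0.113.7])
 by mx2.example.com with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example.com
From: "Bank Support" <support@bank.example.com>
Reply-To: help@mailer.example.net
"""

def parse_headers(raw):
    """Parse a pasted header block into a Message object (the body may be empty)."""
    return email.message_from_string(raw)

def sender_domains(msg):
    """Domain of From, Return-Path and Reply-To; None when a header is absent."""
    out = {}
    for name in ("From", "Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(name, ""))[1]
        out[name] = addr.rsplit("@", 1)[1].lower() if "@" in addr else None
    return out

def received_chain(msg):
    """Hops oldest-first as (sending host, bracketed IP); each MTA prepends, so reverse."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F:.]+)\]", value, re.S)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops

def auth_verdicts(msg):
    """spf/dkim/dmarc results pulled from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def findings(msg):
    """Warnings a reviewer should look at: sender-domain mismatches and non-pass verdicts."""
    warns, doms = [], sender_domains(msg)
    for name in ("Return-Path", "Reply-To"):
        if doms[name] and doms[name] != doms["From"]:
            warns.append(f"{name} domain {doms[name]} differs from From domain {doms['From']}")
    for mech, verdict in auth_verdicts(msg).items():
        if verdict != "pass":
            warns.append(f"{mech} verdict is {verdict}")
    return warns
```

Running findings(parse_headers(RAW_HEADERS)) on the sample flags both envelope and Reply-To domains as misaligned with the From domain and reports the three failing verdicts; received_chain shows the message entering from an unnamed host before reaching the inbound MX.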
Armed with these steps, you can quickly determine whether an email deserves trust or further scrutiny. Keep a message analyzer bookmarked, and make header reviews part of your standard incident response playbook.