
How to Analyze a Phishing Header (Step-by-Step)


A practical forensic guide to analysing phishing email headers, tracing origin servers, and verifying spoofing using SPF, DKIM, and DMARC.

Introduction

Phishing investigations rarely begin with malware. They begin with metadata.

Every email carries a technical audit trail embedded in its headers: routing hops, authentication results, sending infrastructure, timestamps, and client fingerprints. While the message body can be forged with trivial effort, headers are constrained by mail transfer protocols and are therefore much harder to falsify end-to-end. The exception to keep in mind is that a sender controls everything below the first trustworthy Received: line, so the lines added by your own receiving servers are the anchor for the rest of the analysis.

For investigators, journalists, and incident responders, header analysis provides three critical capabilities:

  • Attribution (infrastructure, hosting, relay chains)
  • Verification (spoofing vs. legitimate origin)
  • Evidence preservation (timeline and technical provenance)

This guide provides a practical, field-usable method to extract and analyse phishing headers with investigative rigour.

What Is an Email Header?

An email header is a structured block of metadata added by mail servers as a message traverses the internet.

It records:

  • Sending IP addresses
  • Mail servers involved
  • Authentication checks (SPF, DKIM, DMARC)
  • Time and routing sequence
  • Client software fingerprints

Headers are not visible by default in email clients, but can be exported in raw form.

Step 1 – Obtain the Full Header Safely

Never forward the phishing email.

Export headers directly:

Gmail:
Message → “Show original” → Download .eml

Outlook (Desktop):
File → Properties → Internet headers → Copy

Apple Mail:
View → Message → All Headers → Raw Source

Save the header as a text file for evidence handling.

Step 2 – Understand Header Structure

Headers are read bottom to top.

The lowest Received: entry is the origin point. Each server that handles the message afterwards adds a new Received: line above it, so the top entry is the last hop before delivery.

Example (as it appears in the raw header, newest hop first):

Received: from mx.google.com
Received: from relay.provider.net
Received: from mail.attacker.com (185.XX.XX.10)

Read from the bottom up: mail.attacker.com is the origin, relay.provider.net the intermediate relay, and mx.google.com the receiving server.

Step 3 – Trace the Origin IP

Locate the lowest (earliest) Received: entry:

Received: from unknown (HELO mail.example) (185.216.xxx.xxx)

Extract the IP address.

Investigative checks:

  • WHOIS lookup
  • ASN ownership
  • Hosting provider
  • Country
  • Abuse history

Cloud providers (OVH, Hetzner, DigitalOcean) are frequently abused as phishing infrastructure, so an IP in their ranges identifies the hosting provider to report to, not the attacker.

Step 4 – Analyse SPF Results

Search for:

Received-SPF:

Interpretation:

  • pass – the sending server is authorised by the domain's SPF record
  • fail – the sending server is not authorised; the domain is likely spoofed
  • softfail – not authorised, but the domain owner asked receivers to treat it as suspicious rather than reject it
  • neutral – the domain's record makes no assertion; inconclusive

SPF failure strongly indicates impersonation.

Step 5 – Validate DKIM

Locate:

DKIM-Signature:

And:

Authentication-Results:

Check:

  • Domain alignment
  • Signature validity

An invalid DKIM signature indicates that the signed content was altered in transit or that the signature was never produced by the claimed sender domain.

Step 6 – Check DMARC Policy

Look for:

dmarc=pass | fail

DMARC combines the SPF and DKIM results and additionally requires that whichever check passed is aligned with the domain in the From: header.

A failure means neither aligned SPF nor aligned DKIM passed, so the message falls under the policy the domain owner published (p=none, quarantine, or reject) for unauthenticated mail claiming their domain.
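Steps 2 to 6 in working form, as an added example that is not part of the original article: it parses a constructed raw header (documentation IP ranges and .example domains, not real infrastructure), orders the Received: hops origin-first, extracts the origin IP from the lowest hop, and reads the SPF, DKIM and DMARC verdicts only from the Authentication-Results header stamped by the assumed receiving server mx.example.org.

```python
import re
from email import message_from_string

# Constructed sample headers (not from the article); IPs are documentation
# ranges and domains are .example placeholders.
RAW = """\
Received: from relay.provider.net (relay.provider.net [203.0.113.20])
 by mx.example.org with ESMTPS id abc123; Tue, 11 Mar 2025 10:05:12 +0000
Received: from unknown (HELO mail.example) (198.51.100.10)
 by relay.provider.net with SMTP; Tue, 11 Mar 2025 10:05:01 +0000
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=bank.example;
 dkim=fail header.d=mail.example;
 dmarc=fail header.from=bank.example
From: "Bank Support" <alerts@bank.example>
Date: Tue, 11 Mar 2025 10:04:55 +0000
Message-ID: <random@mail.example>

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(raw):
    """Received: hops in transit order: the lowest header line is the origin."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]  # unfold
    return list(reversed(hops))

def auth_results(raw, authserv_id):
    """Parse spf/dkim/dmarc verdicts, but only from the header stamped by
    our own receiving server (authserv_id); upstream copies can be forged."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())
        if not value.startswith(authserv_id + ";"):
            continue
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)(?:\s+([\w.]+=[^;\s]+))?", value)
            if m:
                results[method] = (m.group(1), m.group(2))  # (verdict, property)
    return results

def triage(raw, authserv_id="mx.example.org"):
    """Origin IP from the first hop plus every authentication method that did not pass."""
    hops = received_chain(raw)
    origin = IPV4.search(hops[0]) if hops else None
    auth = auth_results(raw, authserv_id)
    return {
        "origin_ip": origin.group(1) if origin else None,
        "hop_count": len(hops),
        "auth": auth,
        "failed": [m for m, (verdict, _) in auth.items() if verdict != "pass"],
    }

if __name__ == "__main__":
    print(triage(RAW))
```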

Step 7 – Examine Message-ID and Client Fingerprint

Message-ID: <random@mail.example>
X-Mailer:
User-Agent:

Indicators:

  • Cheap phishing kits reuse formats
  • Fake mail clients
  • Suspicious domain patterns

These fields help cluster campaigns.

Step 8 – Review Timestamp Anomalies

Check Date: vs Received: timestamps.

Red flags:

  • Time travel (negative delays)
  • Timezone inconsistencies
  • Large delivery gaps

These anomalies help detect hidden relays, queue manipulation, or botnet staging, where a message is generated well before it is actually sent.

Step 9 – Use Header Analysis Tools (Optional)

Manual analysis is preferred for evidentiary integrity, but tools accelerate parsing:

  • Google Admin Toolbox – Messageheader
  • MXToolbox
  • Mailheader.org
  • AbuseIPDB

Always retain raw headers separately.

Step 10 – Preserve Evidence

For journalistic or legal use:

  • Save original .eml file
  • Hash the file (SHA-256)
  • Record extraction date/time
  • Do not alter formatting

Headers constitute admissible technical evidence when preserved correctly.

Common Pitfalls

  • Trusting the From: field (easily forged)
  • Reading headers top-down
  • Ignoring internal relays
  • Relying solely on automated tools
  • Publishing attacker IPs without provider context

Investigative Value

Header analysis enables:

  • Campaign attribution
  • Infrastructure mapping
  • Host provider reporting
  • Legal complaints
  • Pattern correlation across victims
  • Early warning detection

For journalists, headers provide corroboration independent of victim testimony.

Conclusion

Phishing is not anonymous. It is merely obscured.

Every fraudulent email leaves a structured forensic footprint across multiple mail servers, jurisdictions, and networks. Reading headers transforms a deceptive message into a traceable technical artefact.

In cyber investigations, headers are not auxiliary data. They are the primary evidence layer.

Sources & Bibliography

  1. Google – Email Header Format & Analysis
    https://support.google.com/mail/answer/29436
  2. Microsoft – Message Header Fields Explained
    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/message-headers
  3. NIST SP 800-177 – Trustworthy Email
    https://csrc.nist.gov/publications/detail/sp/800-177/final
  4. CISA – Phishing Defense Techniques
    https://www.cisa.gov/phishing
  5. DMARC.org – Technical Overview
    https://dmarc.org/overview
  6. MXToolbox – Header Analysis Documentation
    https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx
  7. Google Admin Toolbox – Messageheader
    https://toolbox.googleapps.com/apps/messageheader

