What You'll Learn
- Identify the three structural layers of an email: envelope, headers, and body
- Trace an email's delivery path by reading Received headers from bottom to top
- Distinguish between the envelope sender (Return-Path) and the display sender (From) and explain why they differ in phishing attacks
- Extract forensic indicators from X-headers including X-Mailer, X-Originating-IP, and X-Sender-IP
- Analyze Message-ID fields to detect forged or anomalous origin servers
- Read raw email headers in any mail client and identify the fields that matter for triage
- Recognize spoofing indicators by comparing Return-Path, From, Reply-To, and Received chains
Why Email Headers Matter
When a phishing email lands in a user's inbox, the body is what the attacker wants you to see. The headers are what the attacker hopes you will never look at.
Every email carries metadata that records the full journey from the sender's mail server to the recipient's inbox. This metadata — the headers — is the forensic evidence of the email's true origin. A convincing phishing email can fake the display name, the From address, and the entire body. But the headers contain infrastructure fingerprints that are significantly harder to forge convincingly.
As a SOC analyst, email header analysis is one of your most frequently used skills. Phishing is the initial access vector in over 80% of breaches, and your ability to quickly dissect headers separates a 30-second triage from a 30-minute rabbit hole.
Every phishing investigation starts with the same action: view the raw headers. Not the pretty rendered email — the full, ugly, plaintext headers. If you take nothing else from this lesson, internalize that habit.
The Three Layers of an Email
An email is not a single blob of text. It has three distinct layers, and understanding them is essential for analysis.
Layer 1: The Envelope
The envelope is the SMTP-level routing information. It is never displayed to the end user, but it controls where the email actually goes and where bounces return. The two critical envelope fields are:
- MAIL FROM (envelope sender): The address that receives bounce notifications. This becomes the
Return-Pathheader in the delivered message. - RCPT TO (envelope recipient): The actual delivery destination.
Think of it like a physical letter: the envelope has a return address and a destination address. The letter inside can say anything — the postal service only reads the envelope.
Layer 2: The Headers
Headers are key-value pairs that record metadata about the email. They include both sender-provided fields (which can be forged) and server-added fields (which are harder to forge). Critical headers for analysis:
| Header | Set By | Forgeable? | Purpose |
|---|---|---|---|
From | Sender's mail client | Yes — trivially | Display address shown to recipient |
Return-Path | Receiving server (from MAIL FROM) | Partially | Bounce address; reflects envelope sender |
Reply-To | Sender's mail client | Yes — trivially | Where replies go (often different from From in phishing) |
Received | Each mail server in the chain | Partially (sender can inject fake entries) | Delivery chain — the forensic backbone |
Message-ID | Originating mail server | Yes, but forgery leaves patterns | Unique identifier; contains origin domain |
X-Mailer | Sending application | Yes | Identifies the software used to send |
X-Originating-IP | Webmail services | Difficult | Sender's actual IP (when present) |
Date | Sender's mail client | Yes | Claimed send time |
MIME-Version | Sender's mail client | Yes | Always "1.0" — absence is suspicious |
Layer 3: The Body
The body is the visible content — text, HTML, attachments. Phishing analysis of the body focuses on URL inspection, attachment type, and social engineering language. We will cover body analysis in later lessons. For now, the headers are your primary target.
The SMTP Delivery Chain
To understand Received headers, you need to understand how email actually travels. SMTP delivery works as a relay chain:
Sender's MUA (Mail User Agent)
→ Sender's MSA (Mail Submission Agent)
→ Sender's MTA (Mail Transfer Agent)
→ [Intermediate relays if any]
→ Recipient's MTA (inbound MX server)
→ Recipient's MDA (Mail Delivery Agent)
→ Recipient's mailbox
Each server in this chain adds a Received header to the top of the email. This means the bottom Received header was added first (by the first server in the chain) and the top Received header was added last (by the server that delivered to the mailbox).
Always read Received headers from bottom to top. This matches the chronological order of delivery. The bottom entry is closest to the sender's origin. New analysts instinctively read top-to-bottom and get the chain backwards.
Reading Received Headers
Here is a real-world Received header chain from a legitimate email:
Received: from mail-gateway.company.com (10.0.1.5) by mailbox.company.com
(10.0.1.10) with LMTP; Mon, 23 Feb 2026 14:32:18 +0000
Received: from mx1.company.com (mx1.company.com [203.0.113.50]) by
mail-gateway.company.com (Postfix) with ESMTPS id A1B2C3;
Mon, 23 Feb 2026 14:32:17 +0000
Received: from sender-smtp.example.com (sender-smtp.example.com [198.51.100.25])
by mx1.company.com (Postfix) with ESMTPS id D4E5F6;
Mon, 23 Feb 2026 14:32:16 +0000
Reading bottom to top:
- Origin:
sender-smtp.example.com(198.51.100.25) sent the email tomx1.company.comat 14:32:16 - Inbound gateway:
mx1.company.compassed it tomail-gateway.company.comat 14:32:17 - Final delivery:
mail-gateway.company.comdelivered it tomailbox.company.comat 14:32:18
The timestamps increment by about one second per hop — this is consistent with normal delivery. If you see a 6-hour gap between hops, or timestamps that go backwards, something is wrong.
Anatomy of a Single Received Header
Each Received header follows this pattern:
Received: from <sending-server> (<reverse-DNS> [<IP>])
by <receiving-server> (<software>) with <protocol> id <queue-id>;
<timestamp>
| Field | What to Check |
|---|---|
from | The name the sending server claims — can be spoofed |
Parenthetical (<reverse-DNS> [<IP>]) | The receiving server's own lookup of the sender — much harder to fake |
by | The receiving server — trustworthy because it wrote this header |
with | Protocol used: ESMTPS (encrypted) vs ESMTP (plaintext) |
| Timestamp | Should be sequential; large gaps or backwards jumps are red flags |
The parenthetical is gold. When the from name does not match the reverse-DNS in parentheses, the sending server is lying about its identity. For example: from mail.google.com (unknown [45.33.18.201]) means the server claimed to be Gmail but the receiving server could not verify that claim.
Return-Path vs From: The Phishing Red Flag
The single most common phishing indicator visible in headers is a mismatch between Return-Path and From.
Return-Path: <random38271@cheap-bulk-mailer.ru>
From: "IT Support" <support@yourcompany.com>
Reply-To: helpdesk-urgent@gmail.com
Three different addresses, three different domains. The user sees "IT Support support@yourcompany.com" in their inbox and trusts it. But the actual envelope sender is a Russian bulk mailer, and replies go to a Gmail account.
| Scenario | Return-Path | From | Suspicious? |
|---|---|---|---|
| Normal email | user@example.com | user@example.com | No — domains match |
| Mailing list | bounce-123@list.example.com | user@example.com | No — legitimate list handling |
| Spoofed phishing | x8k2@attacker.xyz | ceo@yourcompany.com | Yes — domain mismatch |
| BEC attack | ceo@yourcompany.com | ceo@yourcompany.com | Maybe — SPF/DKIM needed to verify |
A matching Return-Path and From does not mean the email is legitimate. Attackers who compromise a real mailbox or use a look-alike domain (yourcomapny.com) will have matching fields. You still need SPF, DKIM, and DMARC validation — which we cover in the next lesson.
X-Headers: Hidden Intelligence
X-headers are non-standard headers added by mail servers, security gateways, or sending applications. They are prefixed with X- and often contain forensic gold:
X-Originating-IP
Added by webmail services (Outlook.com, Yahoo) to record the sender's actual IP address:
X-Originating-IP: [185.220.101.42]
This lets you geolocate the sender. If the email claims to be from your CEO in Chicago but X-Originating-IP resolves to a Tor exit node in Romania, you have a strong indicator.
X-Mailer
Identifies the software used to compose the email:
X-Mailer: Microsoft Outlook 16.0
X-Mailer: PHPMailer 6.5.0
X-Mailer: sendmail/8.15.2
Legitimate corporate email typically shows Outlook, Apple Mail, or Thunderbird. Phishing campaigns often reveal bulk-sending tools: PHPMailer, King Phisher, GoPhish, or custom Python scripts. Seeing X-Mailer: PHPMailer on an email claiming to be from your CFO is a red flag.
X-Spam-Status and X-Spam-Score
Added by spam filters (SpamAssassin, Barracuda, Proofpoint):
X-Spam-Status: Yes, score=8.7 required=5.0
X-Spam-Flag: YES
If the email reached the inbox despite a high spam score, check whether the user whitelisted the sender or if a mail rule bypassed filtering.
Message-ID Analysis
Every email should have a unique Message-ID generated by the originating server:
Message-ID: <5f2b3c4d.1c69fb81.a3f52.8721@mx.google.com>
The domain after @ in the Message-ID should match the sending infrastructure. Key checks:
| Check | What It Reveals |
|---|---|
| Domain matches From domain | Consistent — email likely originated from claimed infrastructure |
| Domain is a known mail provider | Normal — Gmail, Outlook, Yahoo generate standard Message-IDs |
| Domain is random/unknown | Suspicious — could be a compromised server or attacker infrastructure |
| Message-ID is missing entirely | Highly suspicious — legitimate mail servers always generate one |
| Message-ID format is unusual | Some phishing tools generate predictable or malformed Message-IDs |
Message-ID: <20260223.abc123@legitimate-corp.com> ← consistent
Message-ID: <x8dj2k@vps-cheap-hosting.xyz> ← suspicious origin
Message-ID: <> ← broken/missing — red flag
Practical Header Analysis: Spotting the Phish
Let us walk through a complete set of suspicious headers:
Return-Path: <info-29481@mass-mailer.info>
Received: from gateway.company.com (gateway.company.com [10.0.1.1])
by mailbox.company.com with LMTP; Mon, 23 Feb 2026 09:14:22 +0000
Received: from mx.company.com (mx.company.com [203.0.113.10])
by gateway.company.com (Postfix) with ESMTPS id 7A8B9C;
Mon, 23 Feb 2026 09:14:21 +0000
Received: from mail-out.mass-mailer.info (unknown [45.33.18.201])
by mx.company.com (Postfix) with ESMTP id 3D4E5F;
Mon, 23 Feb 2026 09:14:20 +0000
Received: from localhost (unknown [192.168.1.100])
by mail-out.mass-mailer.info (Postfix) with ESMTP id 1A2B3C;
Mon, 23 Feb 2026 09:14:18 +0000
From: "Microsoft 365 Team" <no-reply@microsoft.com>
Reply-To: account-verify@outlook-security-check.com
Message-ID: <928371.a8c9d2@mass-mailer.info>
X-Mailer: PHPMailer 6.5.0
Subject: Urgent: Your Account Will Be Suspended
Red flags identified (bottom to top):
- Return-Path domain (
mass-mailer.info) does not match From domain (microsoft.com) - Bottom Received header: Originated from
localhoston a private IP viamass-mailer.info— not Microsoft infrastructure - Received
fromvs parenthetical:from mail-out.mass-mailer.info (unknown [45.33.18.201])— the IP has no reverse DNS, flagged as "unknown" - Protocol:
ESMTP(no S) — the connection from the attacker to the company MX was unencrypted - Reply-To:
outlook-security-check.com— a look-alike domain, notmicrosoft.comoroutlook.com - Message-ID domain:
mass-mailer.info— matches the actual sending infrastructure, not Microsoft - X-Mailer:
PHPMailer 6.5.0— a bulk-sending library, not Outlook/Exchange
That is seven independent indicators in a single header set. Any one of them warrants suspicion. Together, they confirm this is a phishing email with near certainty.
How to View Raw Headers
Every mail client lets you access raw headers. Here are the common methods:
| Client | Steps |
|---|---|
| Outlook (Desktop) | Open message → File → Properties → Internet Headers |
| Outlook (Web) | Open message → ··· (More actions) → View message details |
| Gmail | Open message → ⋮ (More) → Show original |
| Thunderbird | Open message → View → Message Source (Ctrl+U) |
| Apple Mail | Open message → View → Message → All Headers |
| Command line | cat email.eml or pipe through less |
Save the .eml file. When a user reports a phishing email, ask them to forward it as an attachment (not inline forward). This preserves the original headers. An inline forward rewrites the headers and destroys forensic evidence.
Building Your Header Analysis Checklist
When you receive a suspicious email for analysis, work through these checks in order:
- Return-Path vs From: Do the domains match? If not, why?
- Received chain (bottom to top): Does the origin server match the claimed sender? Are there suspicious hops?
- Reply-To: Does it differ from From? Is it a look-alike domain?
- Message-ID domain: Does it match the sending infrastructure?
- X-Originating-IP: If present, does the geolocation make sense?
- X-Mailer: Is it a legitimate mail client or a bulk-sending tool?
- Timestamps: Are they sequential? Any large gaps or anachronisms?
- Authentication-Results: SPF, DKIM, DMARC pass/fail (covered in depth next lesson)
Speed matters in production. In a real SOC, you will not spend 20 minutes on every reported phishing email. With practice, this checklist takes 60-90 seconds. The first three checks (Return-Path, Received chain, Reply-To) catch 90% of phishing. The remaining checks confirm edge cases and sophisticated attacks.
Key Takeaways
- An email has three layers: envelope (SMTP routing), headers (metadata), and body (content) — headers are the primary forensic target
- Read Received headers from bottom to top to trace the delivery path chronologically
- The
Return-Path(envelope sender) andFrom(display sender) are independent — a mismatch is the single most common phishing indicator - The parenthetical in Received headers (reverse-DNS and IP) is added by the receiving server and is much harder to forge than the
fromclaim - X-headers like
X-Originating-IPandX-Mailerprovide attacker infrastructure fingerprints Message-IDdomain should match the actual sending infrastructure — mismatches reveal spoofing- Always request the original
.emlfile from reporters — inline forwarding destroys header evidence
What's Next
You now know how to read the forensic evidence in email headers. But how do you know if the sending server was authorized to send that email? In the next lesson, we will cover the three email authentication protocols — SPF, DKIM, and DMARC — that give you a definitive answer. These protocols are the automated gatekeepers that validate (or reject) every email before it reaches the inbox, and understanding their headers is essential for phishing triage in Lab 4.1.
Knowledge Check: Email Anatomy & Header Analysis
10 questions · 70% to pass
When reading Received headers in an email, what is the correct order to analyze them for tracing the delivery path?
An email shows From: "CEO John Smith" <john.smith@company.com> but the Return-Path is <promo-8827@bulk-sender.net>. What does this mismatch indicate?
In a Received header, what is the significance of the parenthetical section: from mail.example.com (unknown [45.33.18.201])?
Which X-header, when present, allows you to geolocate the actual IP address of the person who composed a webmail message?
An email's Message-ID is <3847291.x8d@vps-cheap-hosting.xyz> but the From header claims the email is from support@microsoft.com. What does this reveal?
In Lab 4.1, you analyze a reported phishing email and find X-Mailer: PHPMailer 6.5.0 in the headers. The email claims to be an automated notification from your company's HR portal. Why is this X-Mailer value significant?
A user reports a suspicious email. You ask them to forward it for analysis. Why should you request they forward it 'as an attachment' rather than using inline forward?
In Lab 4.1, you examine a Received header chain and notice a 6-hour gap between two consecutive timestamps. What does this anomaly suggest?
Which of the following header combinations would be LEAST suspicious in a phishing investigation?
In Lab 4.1, you are triaging a suspicious email and need to prioritize your header checks for speed. Which three checks should you perform first to catch 90% of phishing emails?
0/10 answered