Keepnet Labs Logo
Keepnet Labs > blog > how-to-do-phishing-email-header-analysis

How to Do Phishing Email Header Analysis?

Discover how to analyze phishing email headers with our step-by-step guide. Learn the secrets behind harmful emails and enhance your cybersecurity skills. Start protecting yourself against email fraud today with our expert tips and strategies.

How to Do Phishing Email Header Analysis?

Knowing all about email headers is important to getting good at analyzing phishing emails!

Here's how you can become a pro:

  • First, you've got to dive deep into what email headers are all about. Understanding them is key!
  • Next, I'll show you how to check out these headers so you can see clearly what's what.
  • Make sure you have some tools for analyzing email headers. They make finding the fakes a lot easier and faster.
  • And don't forget, practice makes perfect! I'll share some examples of email headers for you to study. This way, you can get better and faster at spotting those tricky phishing emails.

Let's get started on becoming experts at catching those tricky phishing emails!

What is an Email Header?

An email header is like a detailed map showing an email's journey from the sender to the recipient. Think of it as a digital trail, charting the email path across various servers and networks.

Understanding the header is essential for email analysis, especially when identifying and protecting against phishing attacks.

Key Components of an Email Header

When dealing with phishing emails, understanding the components of an email header is essential. It helps in conducting email header analysis effectively.

  • Received: This section lists a series of entries, each representing a server or node the email passed through. It includes the date and time for every hop, which is vital in tracing the email's route.
  • From: Indicates the sender's address. Verifying this address against known legitimate sources is crucial in phishing email header analysis.
  • To: The recipient's email address. It's helpful to see the intended target of the email.
  • Subject: This is the subject line of the email, which can often give clues about the email’s nature and intent.
  • Message-ID: Serves as a unique identifier for the email. It's useful for tracking and referencing specific emails.
  • Reply-To: This indicates which email address should receive replies. In phishing emails, it might be different from the 'From' address.
  • DKIM-Signature: Part of the DomainKeys Identified Mail protocol, which authenticates emails. A valid DKIM signature is a positive sign in email header analysis.
  • Content-Type: Describes the type of data in the email, such as text or HTML. Discrepancies here can be a red flag in phishing detection.
  • MIME-Version: This specifies the version of Multipurpose Internet Mail Extensions used, a standard in email formatting.

Can you detect phishing emails based on headers?

Based on the headers, yes, you can detect phishing emails.

Email header analysis can uncover clues about an email's origin and path. This process, known as email header analysis for phishing, is vital for identifying deceptive emails.

Phishing email header analysis typically involves a series of steps. These email header analysis steps guide us in examining the sender's information and tracking the email's route. Learning from email header analysis examples is also key, as it helps distinguish phishing emails from legitimate ones.

Accessing the email header from “Show Original”.jpeg
Picture 1: Accessing the email header from “Show Original”

How do you analyze a phishing email header?

Analyzing the header of a phishing email is a critical step in identifying potential threats and safeguarding your information. Before getting into technical analysis, knowing how to get the email header from your files is crucial. This applies to files in formats like .eml or .msg.

Accessing Email Headers from Different File Formats

From EML Files:

  • Open an EML file with a text editor, like Notepad, to view the email header. Alternatively, you can use any email client that supports the EML format.
  • You can usually find the header information at the beginning of the file, before the email body.

From MSG Files:

  • To access the header from an MSG file, open the file in Outlook.
  • Once opened, locate the ‘File’ tab and select ‘Properties.’ Here, you will find the header information in a dialogue box.

Steps to Retrieve Email Headers

  • Open the Email File: Open your email file, whether it's an .eml or .msg, using the appropriate program or a text editor that works with these files.
  • Locate the Header: In most cases, the header is at the top of the email content. It contains lines like 'Received,' 'From,' 'To,' and so on, as mentioned in this blog's “What is an Email Header” section.
  • Copy the Header Information: Once located, copy the entire header text. You can use this for detailed analysis later on.

Phishing Header Analysis Example

This section will look at an example of a phishing header analysis. The email header tells us where the email came from and how it got to you. Understanding this lets you learn to identify suspicious emails and protect yourself from phishing attacks.

—-- Received Tags Start —-

Received: from (2603:10a6:10:112::16) by with HTTPS; Fri, 8 Dec 2023 11:07:24 +0000

Received: from (2603:10b6:303:89::10) by (2603:10a6:10:112::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7068.28; Fri, 8 Dec 2023 11:07:23 +0000

Received: from (2603:10b6:303:89:cafe::bf) by (2603:10b6:303:89::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7068.28 via Frontend Transport; Fri, 8 Dec 2023 11:07:22 +0000

Received: from ( by ( with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7091.17 via Frontend Transport; Fri, 8 Dec 2023 11:07:21 +0000

Received: from ( []) by ( with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) for <>; Thu, 21 Dec 2023 10:29:13 +0300

—-- Received Tags End —-

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail;; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding;; bh=H9Wh6Ufw6AmMMbZX6Ra9aCOiJUM=; b=FKKE0GWcdyIC84rYGvJdg3h1LLdNuU8iFMcHWFxmTK8RxSjjwN5SmjYN4unP/HmcHI5jmmSgWPRW oaiXGaUbXbsjEVlInym78Xl0QteTT9FoVwrY5YyHFvIk1Tzj5c3v/kKBTg58h6LWY4lSQM527EZ0 4ZC2dTNjGdnzKicAeTk=

Message-ID: <>

X-FEAS-SPF: spf-result=pass, ip=,,





X-MS-Exchange-Organization-Network-Message-Id: bb370b41-6684-4c3d-fd4c-08dc01f69230

X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1703143770;VERSION=7966;MC=3910601708;ID=65085;TRN=0;CRV=-3;IPC=;SP=0;SIPS=3;PI=3;F=0

X-ESET-Antispam: OK

X-EsetResult: clean, is OK

X-EsetId: 37303A29BDA9A15B6C7464

X-EXCLAIMER-MD-CONFIG: fe9fac2e-69f0-4d7c-aa0b-c063ce408dbe

X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.5738958

X-MS-Exchange-Processed-By-BccFoldering: 15.02.1258.025

X-Received: by 2002:a05:6871:2b0a:b0:1fa:f5b2:afab with SMTP id dr10-20020a0568712b0a00b001faf5b2afabmr3879596oac.36.1702033638256; Fri, 08 Dec 2023 03:07:18 -0800 (PST)

MIME-Version: 1.0

MIME-Version: 1.0

From: "Outlook" <>

To: <>

Subject: Overdue Invoices to be settled before the end of the year

Date: Thu, 21 Dec 2023 07:29:25 +0000

Content-Type: multipart/alternative; boundary="de7b547a-4b44-4e7d-99d3-ca0f3c2513b1

Please refer to the following explanation to understand the information provided above:

  • Received Lines: The email has passed through multiple servers, which is typical for emails routed over the internet. However, the chain of 'Received' lines should be scrutinized to check for unusual patterns or suspicious server addresses.
  • Sender's Email and Domain: The email is purportedly from "Outlook" but uses the email address This mismatch is a major red flag. Phishing email samples often use a trusted name like "Outlook" but come from a different domain.
  • Subject Line: “Overdue Invoices to be settled before the end of the year.” - This subject line creates a sense of urgency, a common tactic in phishing emails to prompt quick action without scrutiny.
  • DKIM Signature: The presence of a DKIM (DomainKeys Identified Mail) signature ( suggests an attempt to authenticate the email, but it does not align with the purported sender (Outlook). This discrepancy is suspicious.
  • SPF Pass (X-FEAS-SPF): The SPF result is a pass, which means the sending server is authorized to send emails on behalf of the sender's domain. However, this doesn’t rule out phishing, as the domain itself ( is not a known entity like Outlook.
  • X-MS-Exchange-Organization-AuthAs: Marked as 'Anonymous,' which is common in external emails, but in the context of other red flags, it warrants caution.
  • Mismatch in Dates: There is a discrepancy in the dates. The 'Received' lines mention December 8, 2023, but the 'Date' in the email header is December 21, 2023. This inconsistency is suspicious.
  • Multiple MIME-Version Headers: Two MIME-Version headers are unusual and can indicate an attempt to confuse email processing systems.
  • Return Path and From Address Mismatch: The 'Return-Path' and 'From' addresses should usually match. Any discrepancy can indicate a spoofed email.
  • X-Received Line: The format of this line looks typical of a Google-managed email (noted by the 2002:a05: prefix), but it doesn’t align with the rest of the email's journey.
  • Content-Type: "multipart/alternative" is standard for emails containing HTML and plain text versions. However, in the context of phishing, HTML content can be used to hide phishing links.

What should I look for in an email header?

Analyzing a phishing email header is like being a detective, piecing together clues to uncover a hidden truth.

Let's dive into this intriguing world:

  1. Sender's IP Address: Imagine the IP address as a digital fingerprint. When you receive a suspicious email, this fingerprint can reveal a lot. Catching a thief red-handed is similar to finding this IP on known blacklists!
  2. Domain Address: Now, focus on the domain address. If it's on a blacklist, it's akin to finding the thief's hideout. This is a solid indication that you're dealing with a phishing email.
  3. Matching IP Addresses: If the IP and domain appear legitimate, it's time for a more thorough investigation. Compare the IP address from the email's header with the official email server's IP. It's like verifying if the letter you received came from the official post office or a fake one.
  4. SPF, DMARC, DKIM Records - The Hidden Codes: These records are like secret codes that should match the official ones. If they're fake or mismatched, it's as if the thief has tried to forge a secret passcode but got it wrong.
  5. Altered Reply-To Addresses - The Trap: Sometimes, the phishing email wants you to respond. The attacker might have tampered with the 'reply-to' address, revealing a clear trap in the email header.
  6. Anomalous Additions - The Deceptive Mask: Attackers often know about vulnerabilities in anti-spam tools. They might add things like “X-Virus-Scan: Clean” to the header. It's a disguise, an attempt to make the email appear safe, like a wolf in sheep's clothing.

Keepnet’s Phishing Analysis Solution

Keepnet's phishing analysis solution helps you spot and stop phishing emails. It analyses suspicious emails closely and keeps you safe from phishing attacks. With Keepnet, you can quickly find out if an email is malicious and learn how to protect your emails better.

Please watch the video below from YouTube on how Keepnet does its analysis.



Schedule your 30-minute demo now!

You'll learn how to:
tickEnable your SOC team to phishing analysis 186x faster
tickUse over 20+ analysis engines, including Sandbox, Antivirus, and Threat Intelligence, and leverage different analysis capabilities for better protection.
tickGet a full report to see phishing email analysis results in one picture.

Frequently Asked Questions

What is phishing email header analysis?

arrow down

Phishing email header analysis involves examining the hidden part of an email, known as the header. This section contains technical details about the email's journey from sender to receiver. By analyzing this, you can spot signs that an email might be a phishing attempt designed to steal your information.

Why should I analyze email headers for phishing?

arrow down

Analyzing email headers helps you identify fake emails that could be harmful. Phishers often disguise their emails to look trustworthy. By checking the header, you can uncover discrepancies revealing an email's true nature, protecting yourself from scams.

What tools can help me with phishing email header analysis?

arrow down

There are several tools available, like Keepnet, that simplify the process of analyzing email headers. These tools can automatically parse the header information and highlight suspicious elements, making it easier to spot phishing attempts.

Can I practice email header analysis?

arrow down

Yes, you can practice by examining sample phishing emails available online. Many cybersecurity websites and training programs offer examples of phishing emails for educational purposes. Practicing with these can improve your ability to recognize phishing attempts.

Is analyzing email headers hard?

arrow down

Initially, it might seem complex due to the technical nature of email headers. However, with practice and analysis tools, it becomes more straightforward. Understanding the basic components of an email header is a valuable skill in identifying phishing emails.

What's the most important part of an email header in phishing analysis?

arrow down

The most critical parts are the sender's email address and the "Received" lines. These sections can tell you if the email genuinely comes from the claimed sender and the email's path across the internet, which can be crucial clues in identifying phishing.

iso 27017 certificate
iso 27018 certificate
iso 27001 certificate
ukas 20382 certificate
Cylon certificate
Crown certificate
Gartner certificate
Tech Nation certificate