Email Headers Are a "Travel Log"

Every email carries metadata called "headers" alongside the body text. Normally hidden, they can be viewed using the "Show headers" feature in your email client. Headers contain a detailed "travel log" of the email - which servers it passed through, when it was sent, the sender's IP address, and whether authentication checks passed.

Knowing how to read headers is a powerful tool for determining the authenticity of phishing emails or tracing the origin of spam.

Key Header Fields

Received Header - Server Relay Records

This is the most important header. Each server the email passes through adds its own information as a Received: header. Reading from bottom to top reveals the chronological path from sender to recipient.

Received: from mail-out.example.com (203.0.113.10)
        by mx.recipient.com with ESMTPS;
        Tue, 15 Apr 2026 10:30:15 +0900

From this header you can read the sending server's hostname and IP address, the receiving server, the transfer protocol (ESMTPS means the hop was encrypted, i.e. SMTP over TLS), and the timestamp at which the receiving server accepted the message.

From / Return-Path - The Sender's "Self-Declaration"

From: is a field the sender sets freely, so it is easy to forge; phishing emails put a legitimate company's address in From:. Return-Path: (the envelope From) is the address to which bounces are actually delivered. If it differs from From:, the message may be forged.

Authentication-Results - Verification Outcomes

This header records the receiving server's SPF, DKIM, and DMARC authentication results.

Authentication-Results: mx.recipient.com;
        spf=pass (sender IP is 203.0.113.10);
        dkim=pass header.d=example.com;
        dmarc=pass

If SPF, DKIM, and DMARC all show pass, the message very likely came from the sender domain's legitimate mail infrastructure. If any result is fail or none, caution is warranted.

X-Originating-IP - The Sender's Real IP

Some email services (such as Outlook.com) record the sender's actual IP address in the X-Originating-IP: header. You can check this IP address with IP Check-san to estimate the sender's approximate geographic location. However, Gmail does not include this header for privacy protection.

Detecting Phishing Through Headers

When you receive a phishing email, examining the headers can help expose the forgery.

  • From: shows a major company's address, but the sender IP in the Received: header belongs to a server in an unrelated country
  • The SPF result is fail - the sender IP is not on the domain's authorized list
  • The DKIM result is fail - the email content may have been tampered with in transit
  • Reply-To: uses a different domain than From: - an attempt to redirect replies to a different address
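The checks above, as an added Python example that is not part of the original page: it reads a constructed message, lists the Received hops oldest first, parses the Authentication-Results line, and flags From/Return-Path/Reply-To mismatches. All hostnames, IP addresses and domains in the sample are made up, and the geographic lookup of the sender IP is left to an external tool.

```python
import email
import re
from email.utils import parseaddr
# Constructed sample (not a real message): two Received hops, an
# Authentication-Results line, and From/Return-Path/Reply-To that disagree.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer-bulk.example.net>
Received: from mx-in.recipient.com (mx-in.recipient.com [198.51.100.5])
    by mailbox.recipient.com with ESMTPS;
    Tue, 15 Apr 2026 10:30:20 +0900
Received: from mail-out.example.com (mail-out.example.com [203.0.113.10])
    by mx-in.recipient.com with ESMTPS;
    Tue, 15 Apr 2026 10:30:15 +0900
Authentication-Results: mx-in.recipient.com;
    spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=mailer-bulk.example.net;
    dkim=none;
    dmarc=fail header.from=bigbank.example
From: "Big Bank Support" <support@bigbank.example>
Reply-To: helpdesk@mailer-bulk.example.net
"""
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)\s+by\s+(\S+)")

def received_chain(msg):
    """(sending host, sending IP, receiving host) per hop, oldest first:
    each server prepends its own Received:, so the bottom-most is hop one."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        if m := RECEIVED_RE.search(" ".join(raw.split())):  # unfold first
            hops.append(m.groups())
    return hops

def auth_results(msg):
    text = " ".join(msg.get("Authentication-Results", "").split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze_headers(raw_message):
    """Apply the checks listed above; 'indicators' names the ones that fire."""
    msg = email.message_from_string(raw_message)
    auth = auth_results(msg)
    hits = [f"{k}_{v}" for k, v in auth.items() if v != "pass"]
    from_dom = domain_of(msg.get("From"))
    if domain_of(msg.get("Return-Path")) != from_dom:
        hits.append("return_path_mismatch")
    if msg.get("Reply-To") and domain_of(msg.get("Reply-To")) != from_dom:
        hits.append("reply_to_mismatch")
    return {"chain": received_chain(msg), "auth": auth, "indicators": hits}
```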

Summary

Email headers are a complete record of the journey a single email has taken. Tracing the route via Received headers, checking authentication status in Authentication-Results, and detecting forgery through From and Return-Path mismatches - these skills are practical email security knowledge.

Related Glossary Terms

  • IP Address - Recorded in Received headers as the sending server's identifier. Used to trace the sender.
  • Phishing - Fake emails disguised as legitimate senders. Header analysis can detect the forgery.
  • Spam - SPF/DKIM/DMARC authentication results are recorded in headers and used for spam detection.
  • Encryption - Headers can confirm whether email transfer was encrypted via ESMTPS (SMTP over TLS).
  • DNS - SPF records are published in DNS and used to verify the legitimacy of sender IPs.