How to Extract Email Headers for Authentication
Practical guide to viewing email headers and verifying authenticity using SPF, DKIM, and DMARC records.
Why headers matter
Email body can be faked easily. Headers are harder to forge. Headers contain routing information, sender authentication, IP addresses, and timestamps. Defense might claim threatening email was spoofed. Headers prove whether it came from claimed sender or was forged.
How to view headers
Gmail: Open email, click three dots menu, select "Show original." New tab opens showing full headers and message source.
Outlook: Open email, File > Properties. Headers appear in "Internet headers" box at bottom. Copy entire content.
Apple Mail: Open email, View > Message > Raw Source. Shows complete headers and message.
Webmail (various): Look for "View source," "Show original," or "Message details" option. Usually in More/Options menu.
Key header fields
From: Claimed sender. Can be spoofed. Do not trust alone.
Return-Path: Where bounce messages go. Often reveals actual sender if different from From field.
Received: Trail of mail servers that handled message. Read bottom to top (first received is last in list). Shows origin IP address. Multiple Received headers trace full path.
Message-ID: Unique identifier assigned by sending server. Format varies by provider. Can track related emails or prove tampering if ID format does not match claimed sender.
Date: When sender's server accepted message. Compare to Received timestamps to detect manipulation or delays.
Authentication headers
SPF (Sender Policy Framework): "Authentication-Results" header shows "spf=pass" if sending server is authorized for that domain. "spf=fail" means unauthorized server sent email (likely spoofed).
DKIM (DomainKeys Identified Mail): Cryptographic signature proving email was not altered in transit. "dkim=pass" means signature valid. "dkim=fail" means message was modified or signature forged.
DMARC (Domain-based Message Authentication): Combines SPF and DKIM. "dmarc=pass" means email authenticated successfully. "dmarc=fail" is major red flag for spoofing.
All three passing (SPF, DKIM, DMARC all show "pass") provides strong authentication. Email is very likely legitimate. Any failures warrant investigation.
IP address tracking
First Received header (bottom of received chain) shows origin IP address. Use WHOIS lookup to identify ISP and location. Compare to known locations of suspected sender. Email supposedly from US address but originates from foreign IP suggests spoofing or compromised account.
Multiple hops through unusual countries (email routed through Russia, China, then delivered) raises suspicion. Legitimate email usually takes direct path through major carriers.
Preservation and documentation
Export email with headers in .eml or .msg format. These preserve complete headers and message structure. PDF export strips headers. Do not use PDF for evidence.
Document in Forensic Notes: email sender, recipient, subject line, date/time sent, authentication results (SPF/DKIM/DMARC pass/fail), origin IP address, key header excerpts. Calculate hash of .eml file for integrity verification.
Common spoofing indicators
SPF/DKIM/DMARC failures. Return-Path domain differs from From domain. Received headers show suspicious origin. Message-ID format does not match claimed provider. Unusual routing through foreign servers. Mismatched timezones (Date shows US timezone but origin IP is foreign).
Related resources
Related pages:Email Evidence Collection | Digital Evidence Guide
Related articles:Preserving Deleted Social Media | Calculating File Hashes
Document Email Evidence Professionally
Forensic Notes helps you document email evidence with timestamps, hash values, and audit trails that courts trust.