Email headers are metadata that travel with every message, the email equivalent of the postmarks on an envelope. They record where the message originated, which servers relayed it, and how the receiving server authenticated it. Reading them is the most reliable way to decide whether a message really came from the domain it claims, with one caveat: anything the sender added can be forged, so trust the lines stamped by your own mail server (the top Received line and the Authentication-Results line) over the ones beneath them.
Want the quick version? Paste the email into IsThisAScam.to — it analyzes headers, links, and content automatically.
How to View Headers
- Gmail: Three dots > "Show original"
- Outlook Web: Three dots > "View message source"
- Outlook Desktop: File > Properties > Internet headers
- Apple Mail: View > Message > All Headers
The Three Checks: SPF, DKIM, DMARC
SPF
Checks whether the server that handed the message to your provider is one the envelope sender's domain has authorized in its DNS SPF record. The domain checked is the Return-Path (SMTP MAIL FROM) domain, not necessarily the From address you see. Look for Received-SPF: pass, or spf=pass in the Authentication-Results header. "fail" means the server is not authorized; "softfail" and "none" are not a pass either, just weaker signals.
DKIM
A cryptographic signature added by the sending domain's mail server that lets the receiver verify the signed headers and body were not altered in transit. Look for dkim=pass, then check the d= domain in the result: a valid signature from an unrelated domain proves nothing about the From address.
DMARC
Ties SPF and DKIM to the From header: DMARC passes only if at least one of them passed and the domain it authenticated matches (aligns with) the From domain. The p= value is the policy the From domain publishes for failures. dmarc=pass together with p=reject is the gold standard; dmarc=fail with p=reject means the domain owner asked receivers to discard the message.
The "Received" Chain
Each server that handles the message adds a Received header at the top, so read the list from bottom to top: the bottom-most line is the earliest hop, the one closest to the sender, and the top-most is your own mail server. Check that the originating host belongs to the claimed sender's infrastructure. Only the lines added by your own server (and servers you trust) are reliable; a sender can insert fake Received lines below them.
From vs. Return-Path
A mismatch such as "From: Apple Support <noreply@apple.com>" with "Return-Path: <bounce@random-domain.xyz>" is a strong spoofing signal, but not proof by itself: legitimate newsletters and transactional mail sent through bulk providers also use a separate bounce domain. In those cases DKIM is signed by the From domain and DMARC passes. When the Return-Path domain is unrelated and DMARC fails or is missing, treat the message as spoofed.
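A small parser that runs the checks above (SPF, DKIM and DMARC results, the Received chain read bottom-up, and From versus Return-Path with DMARC alignment) over a raw message, added here as an example; it is not code from the original page or from IsThisAScam. It uses only the Python standard library. The two messages are constructed samples with documentation hostnames and IP ranges: one mirrors the "PayPal" case described in the practical example that follows, the other is a legitimate newsletter whose Return-Path differs from its From address but still aligns. The organizational-domain helper (last two labels) is a simplification of the Public Suffix List lookup real DMARC uses.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample 1 (not a real message): a "PayPal" lookalike sent from an unrelated
# domain. The top Received line and Authentication-Results are stamped by inbox.example.org.
PHISH = """\
Return-Path: <bounce@marketing-notify.xyz>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123; Tue, 1 Oct 2024 10:00:02 +0000
Authentication-Results: inbox.example.org;
\tspf=fail smtp.mailfrom=marketing-notify.xyz;
\tdkim=fail header.d=marketing-notify.xyz;
\tdmarc=fail (p=reject) header.from=paypal.com
Received: from vps-203.hosting.example (vps-203.hosting.example [203.0.113.5])
\tby mx.example.net with ESMTP id xyz789; Tue, 1 Oct 2024 10:00:01 +0000
From: "PayPal" <service@paypal.com>
"""

# Constructed sample 2: a legitimate newsletter relayed by a bulk mailer. Return-Path differs
# from From, but DKIM is signed by the From domain and DMARC passes, so it is not spoofed.
NEWSLETTER = """\
Return-Path: <bounces+123@mailer.bulk-sender.example>
Received: from o1.mailer.bulk-sender.example (o1.mailer.bulk-sender.example [198.51.100.7])
\tby inbox.example.org with ESMTP id def456; Tue, 1 Oct 2024 11:00:00 +0000
Authentication-Results: inbox.example.org;
\tspf=pass smtp.mailfrom=mailer.bulk-sender.example;
\tdkim=pass header.d=shop.example.com;
\tdmarc=pass (p=quarantine) header.from=shop.example.com
From: "Shop" <news@shop.example.com>
"""

# Verdicts and the domains they apply to, as they appear in Authentication-Results.
AUTH_PATTERNS = {
    "spf": r"\bspf=(\w+)", "dkim": r"\bdkim=(\w+)", "dmarc": r"\bdmarc=(\w+)",
    "spf_domain": r"smtp\.mailfrom=([\w.-]+)",  # envelope (MAIL FROM) domain SPF checked
    "dkim_domain": r"header\.d=([\w.-]+)",      # d= domain that signed the message
    "dmarc_policy": r"\bp=(\w+)",               # policy the From domain publishes
}

def _unfold(value):
    # Collapse RFC 5322 header folding so the regexes see one line.
    return re.sub(r"\s+", " ", str(value)).strip()

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def org_domain(domain):
    # Last two labels as the "organizational domain"; real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def auth_results(msg):
    """Parse the receiver's Authentication-Results, falling back to Received-SPF for SPF."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        text = _unfold(hdr)
        for key, pat in AUTH_PATTERNS.items():
            m = re.search(pat, text)
            if m and key not in out:
                out[key] = m.group(1).lower()
    received_spf = msg.get("Received-SPF")
    if received_spf and "spf" not in out:
        out["spf"] = _unfold(received_spf).split()[0].lower()
    return out

def received_chain(msg):
    """(from_host, by_host) per hop, oldest first: the bottom Received header is the
    hop closest to the sender, the top one was added by your own server."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.match(r"from (\S+).*? by (\S+)", _unfold(hdr))
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops

def analyze(raw):
    msg = email.message_from_string(raw)
    auth = auth_results(msg)
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    hops = received_chain(msg)
    # DMARC alignment: a passing SPF or DKIM result only counts when the domain it
    # authenticated matches the From domain the recipient actually sees.
    spf_aligned = auth.get("spf") == "pass" and org_domain(auth.get("spf_domain", "")) == org_domain(from_dom)
    dkim_aligned = auth.get("dkim") == "pass" and org_domain(auth.get("dkim_domain", "")) == org_domain(from_dom)
    findings = [f"{c}={auth.get(c, 'missing')}" for c in ("spf", "dkim", "dmarc") if auth.get(c) != "pass"]
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no authenticated domain aligns with From domain {from_dom}")
    return {
        "from_domain": from_dom, "return_path_domain": rp_dom,
        "origin_host": hops[0][0] if hops else None, "hops": hops, "auth": auth,
        "findings": findings,
        "verdict": "spoofed/suspicious" if findings else "authenticated and aligned",
    }

if __name__ == "__main__":
    print(analyze(PHISH)["verdict"], "|", analyze(NEWSLETTER)["verdict"])
```

To use it on a real message, paste the output of "Show original" or "View message source" into the raw string. The Authentication-Results header must be the one your own provider added (it is named after the receiving host, inbox.example.org in the samples); one that arrived with the message from an upstream server can be forged like any other sender-controlled header.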
Practical Example
A "PayPal" phishing email: Return-Path was marketing-notify.xyz. SPF: fail. DKIM: fail. DMARC: fail. Originating server: budget VPS in Eastern Europe. Every check failed.
Header Analysis Tools
- Google Admin Toolbox: toolbox.googleapps.com/apps/messageheader
- MXToolbox: mxtoolbox.com/EmailHeaders.aspx
- IsThisAScam: Comprehensive analysis beyond headers — 6-layer detection
See email legitimacy guide and email security tools.