How To Tell if Email Headers Were Altered
Email headers contain critical components of an email, including the sender and recipient information and its end-to-end journey. If the sender alters their sending address, some of the email’s header information will indicate a spoofed address.
Although the headers contain many technical details, finding out whether a sending address has been changed is relatively easy when you know how.
Read on to learn whether an email’s sending address was altered.
Identifying Whether an Email Has Been Tampered With
These days it is relatively straightforward to spoof a sending email address, and mail servers can be set up to send emails from a given domain name. In addition, some websites allow you to send one-off emails from any address for free. Fortunately, when you know what to look for in header information, you can discover where an email message originally started.
In our example, the pretend sending address is [email protected], a fictional U.S.-based company. However, the message has been dispatched from [email protected], a fictional email spoofing company in Australia.
Follow these steps for giveaway signs that an email address has been spoofed.
Start Reading the Headers From the Bottom Up
Email headers should be read from the end, as this is the start of the email’s journey. There you’ll find the following information:
- The date and time the message was sent
- Its unique message ID
- The “To” and “From” email addresses
- The actual domain name that the email has been dispatched from
Note the Sender’s Domain Name
In our example, the From address has been altered to look like the email came from [email protected]. This address will be shown as the “Reply-To:” and “From” addresses.
However, the sender’s domain name is the next entry after the sender and recipient information. It starts with “Received: by” and is usually straight after the “To” address entry.
With a spoofed email, the sending domain name will be different from what’s listed as the “Reply-To:” and “From” addresses. In our example, the sending domain name (“Received: by”) shows as “spoofedaddress.au” and not “USeasytech.com” as listed in the “Reply-To:” and “From” header fields.
Verify the Sending IP Address
Sometimes, the sender’s domain in the first “Received: by” entry is listed as an IP address instead of a domain name. In that situation, here’s how you verify the IP address:
- Visit the free domain tool Whois.
- Copy the IP address shown in the first “Received: by” field, then paste it into the “Whois Lookup” search field.
- In our example, the “Received: by” IP address says that the host is “spoofedaddress.au” in Australia. We’d expect to see “USeasytech.com” hosted in the States as stated in the “Reply-To:” and “From” fields.
Check Whether It’s “Fail” or “Softfail”
The next entry up, starting with “Received,” is labeled “Received-SPF.” In our email headers, this entry is shown as “softfail.”
Firstly, SPF stands for Sender Policy Framework, which is how domains like USeasytech.com indicate which servers are allowed to send email on their behalf.
Emails sent from authorized mail servers will have “Pass” in the “Received-SPF:” entry, which is a strong sign that the email is authentic. On the other hand, if the result shows up as “Softfail” or “Fail,” this usually indicates that the email may be spoofed.
However, this isn’t 100% certain, as some domain SPF records are outdated, resulting in authentication failures.
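The checks in the steps above, as an added example that is not code from the original article: a Python script that parses a raw header block with the standard library’s email package, takes the bottom-most “Received” header as the first hop, compares the host after “by” with the “From” and “Reply-To” domains, and reads the result keyword from “Received-SPF.” The two header blocks in the script are constructed for this example; USeasytech.com and spoofedaddress.au are the article’s fictional domains, and every host name, local part, IP address and id in them is an invented placeholder. The Whois step cannot be done offline, so when the first hop is an IP literal the script only reports it for manual lookup.

```python
"""Added example (not the article's code): apply the article's header checks
(bottom-most Received hop, From/Reply-To domains, Received-SPF result) to a raw
header block. Both header blocks below are constructed; USeasytech.com and
spoofedaddress.au are the article's fictional domains, and all host names,
addresses, IPs (RFC 5737 documentation ranges) and ids are placeholders."""
import ipaddress
import re
from email import policy
from email.parser import HeaderParser

# Constructed headers modelled on the article's scenario: the message claims
# to be from USeasytech.com but the first hop is a spoofedaddress.au host.
SPOOFED_HEADERS = """\
Received-SPF: softfail (example.net: domain of transitioning sales@useasytech.com does not designate 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Received: from mx.spoofedaddress.au (mx.spoofedaddress.au [203.0.113.10])
    by mail.example.net with ESMTP id abc123
    for <victim@example.net>; Mon, 01 Jan 2024 09:00:00 +0000
Received: by mx.spoofedaddress.au (Postfix, from userid 1000)
    id 1234; Mon, 01 Jan 2024 08:59:58 +0000
From: Sales <sales@useasytech.com>
Reply-To: sales@useasytech.com
To: victim@example.net
Subject: Invoice attached
Message-ID: <constructed-id@mx.spoofedaddress.au>
"""

# Constructed headers for a message that really left a USeasytech.com server.
LEGIT_HEADERS = """\
Received-SPF: pass (example.net: domain of sales@useasytech.com designates 198.51.100.5 as permitted sender) client-ip=198.51.100.5;
Received: from mail.useasytech.com (mail.useasytech.com [198.51.100.5])
    by mail.example.net with ESMTP id def456
    for <victim@example.net>; Mon, 01 Jan 2024 09:00:00 +0000
Received: by mail.useasytech.com (Postfix, from userid 1000)
    id 5678; Mon, 01 Jan 2024 08:59:58 +0000
From: Sales <sales@useasytech.com>
To: victim@example.net
Subject: Invoice attached
"""


def parse_headers(raw):
    """Parse a raw header block; policy.default unfolds continuation lines."""
    return HeaderParser(policy=policy.default).parsestr(raw)


def first_hop(msg):
    """Host (or IP literal) named after 'by' in the bottom-most Received
    header, i.e. the first server the message passed through."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    bottom = " ".join(str(received[-1]).split())
    match = re.search(r"\bby\s+([A-Za-z0-9.\-:\[\]]+)", bottom)
    return match.group(1).strip("[]").lower() if match else None


def address_domain(msg, field):
    """Domain part of the first address in an address header such as From."""
    header = msg[field]
    if header is None or not header.addresses:
        return None
    return header.addresses[0].domain.lower()


def spf_result(msg):
    """The result keyword (pass, fail, softfail, ...) that opens Received-SPF."""
    header = msg["Received-SPF"]
    return str(header).split()[0].lower() if header else None


def is_ip_literal(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    """True when host is the domain itself or a host inside it."""
    return host == domain or host.endswith("." + domain)


def analyse(raw):
    """Run the article's checks and return the findings plus a list of flags."""
    msg = parse_headers(raw)
    hop = first_hop(msg)
    from_domain = address_domain(msg, "From")
    reply_domain = address_domain(msg, "Reply-To")
    spf = spf_result(msg)
    flags = []
    if hop and from_domain and not under_domain(hop, from_domain):
        flags.append(f"first 'Received: by' host {hop} is outside From domain {from_domain}")
    if reply_domain and from_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if spf in ("fail", "softfail"):
        flags.append(f"Received-SPF result is {spf}")
    return {
        "first_hop": hop,
        # An IP literal as first hop is what the article's manual Whois step resolves.
        "ip_to_whois": hop if hop and is_ip_literal(hop) else None,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "spf": spf,
        "flags": flags,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, analyse(raw)["flags"] or ["no red flags"])
```

Run on the spoofed block it reports two flags (the first hop is outside useasytech.com and SPF is softfail); on the legitimate block it reports none. As the article notes, a softfail alone is not proof, so the script only lists the indicators for a human to weigh.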
How can I see email headers in Gmail?
Follow these steps to view email headers in Gmail:
1. Sign into your Gmail account.
2. Open the email in which you wish to see the headers.
3. Click on the vertical three-dotted “More” menu.
4. Select “Show original,” and the email headers will display in a new window or tab.
Exposing the Real Sender
Email headers will detail everything you need to know about an email, including the mail server it came from and its entire journey to the recipient’s mailbox. If you suspect a sender’s address has been altered, reading the email headers lets you determine whether that is the case from a few simple red flags.
When the first “Received: by” domain name entry is different from what’s in the “Reply-To:” and “From” fields, you may be looking at a spoofed email. Another indicator is when the “Received: by” IP address is for a domain name hosted somewhere in the world you didn’t expect to see. And lastly, if “Softfail” or “Fail” is populated in the first “Received-SPF:” entry, the email header was probably altered.
Were you able to determine whether the sender of your email spoofed their address? What did the header information reveal? Let us know in the comments section below.