A Guide to Analysing and Understanding Email Headers

Ketty C.
7 min read

You’ve just received an Email!📮

You’ve just received an email claiming that you’ve inherited a huge sum of money and that you need to act quickly to claim it. It sounds too good to be true, right? This is a classic example of a phishing attempt. To protect yourself from falling victim to such scams, being able to understand how to analyse email headers comes in handy.

Email header analysis plays a key role in investigating and understanding email communications. An email header contains vital information such as the sender and recipient details, the date and time the message was sent, and the subject line. By interpreting this data, you can identify potential threats, like phishing attempts, spam, or other scams.

In this step-by-step tutorial, I will guide you through the process of examining an email header, helping you gather crucial information about the sender's identity, location, and intent. Whether you're a cybersecurity professional or just someone looking to protect yourself from malicious emails, this tutorial will equip you with the knowledge and tools to analyse email headers effectively.

What is an Email?

Email (short for electronic mail) is a digital message sent between computers over the internet or a network. It allows individuals and organisations to exchange information quickly and efficiently without relying on physical mail or in-person communication. An email typically includes a body of text, which may also contain attachments like files or images, and is addressed to one or more recipients. As an essential communication tool in both personal and professional contexts, email has significantly changed the way we interact and share information.

🚩The Email Journey - How an Email is Created, Sent, and Received

The basic flow of an email begins with the sender composing the message using an email client, such as Gmail, Outlook or Apple Mail. Once the message is ready, it is sent through the Mail Transfer Agent (MTA) using the Simple Mail Transfer Protocol (SMTP). This protocol ensures that the email is transmitted from the sender's mail server to the recipient's server.

As the email travels over the internet or a network, it is relayed over SMTP from one mail server to the next until it reaches the recipient’s mail server, with each relay recording its hop in a “Received” header. Upon arrival, the Mail Delivery Agent (MDA) checks the message for spam using security protocols like Sender Policy Framework (SPF). If the email is classified as non-spam, it is delivered to the recipient’s mailbox.

Finally, the recipient accesses their mailbox, where they can open and view the email’s content. This flow explains how emails are composed, sent, transferred, and received, with various protocols and security measures in place to ensure proper delivery and minimise the risks of spam or other potential threats.

☑️Main Elements in an Email

An email message is made up of several key components:

  • The email header contains important metadata about the message, such as the sender and recipient’s email addresses, the subject line, the date and time it was sent, and any unique identifiers or tracking information.

  • The email body is where the main content of the message is located. This can include text, images, hyperlinks, and sometimes attachments.

  • Attachments refer to files or documents that are included with the email, such as images, PDFs, or Word documents.

  • Signatures are typically found at the end of the email and often contain the sender's contact information, title, and other relevant details.

  • Salutations are the opening greetings of the email, which can be formal or informal depending on the relationship between the sender and recipient.

  • Closings are the final words or phrases used to conclude the email, often including expressions of gratitude or well-wishes.

  • Quotations are excerpts from previous messages or email threads that may be included in the current email to provide context or refer to earlier conversations.

To find an email header, the process varies depending on the email client or service you are using. These steps will help you access the email header, which contains important metadata about the email's origin and path. Here are some popular email clients:

  • Gmail: Open the email you want to analyse. Click on the three vertical dots in the top-right corner of the email and select "Show original." This will display the full email header.

  • Outlook (Web): Open the email, click on the three dots in the top-right corner, and select "View message source." This will show the email header.

  • Outlook (Desktop): Open the email, go to the "File" tab, and select "Properties." The header information will be displayed in the "Internet headers" section.

  • Apple Mail: Open the email, click on "View" in the menu bar, select "Message," and then choose "All Headers" or "Raw Source" to view the email header.

  • Yahoo Mail: Open the email, click on the three dots in the top-right corner, and select "View raw message" to see the email header.

Time to Dive In: How to Analyse an Email Header

✔️Key Components to Focus On

Before we start, let’s look at several key components in the email header:

  • Return-Path: This field shows the email address where undeliverable messages (bounces) are sent. It may differ from the “From” or “Reply-To” fields and can help identify the true source of the email.

  • Received: The “Received” field lists the servers or relays that the email passed through on its journey to your inbox. It provides details such as the IP address, server name, date, and time. By reviewing these entries, you can trace the path of the email and potentially spot suspicious or unauthorised relays.

  • Message-ID: This unique identifier is assigned to each email by the system that generated it, and its domain part (the text after the “@”) normally names that system. Comparing it with the “From” domain can help distinguish legitimate emails from fraudulent ones, since a mismatch suggests the message did not originate where it claims to (bear in mind that mailing services and bulk senders legitimately produce mismatches too).

  • From: This field shows the sender's name and email address. Although it can be easily spoofed, cross-referencing this information with other header details can help determine if the sender is legitimate.

  • Reply-To: The “Reply-To” field indicates the address where replies should be sent. Check this to ensure it matches the sender’s identity and doesn’t point to a suspicious or unrelated address.

  • X-Sender, X-Originating-IP, X-Mailer: These optional fields provide additional details about the email’s origin, such as the sender’s IP address or the software used to send the email. While not always present, they can offer valuable insights during analysis.

  • SPF and DKIM: These are email authentication methods. The receiving server records the outcome of its Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks in the “Authentication-Results” header (the DKIM signature itself sits in the “DKIM-Signature” header). Reviewing these results can help verify the authenticity of the email and detect tampering or spoofing.

  • X-Spam-Status, X-Spam-Score: These fields are added by spam filters and indicate the likelihood of the email being spam. They provide a score or status that reflects the filter's assessment of the message.

  • X-Antivirus or X-AntiAbuse: Some email servers include these fields to show whether the email has been scanned for viruses or potential abuse.

✔️Key Points for Analysis

  • Sender Verification: Investigate the email header to uncover the sender's IP address and server information, aiding in the validation of the email's legitimacy and spotting any attempts at spoofing.

  • Detection of Phishing and Spoofing: Search for anomalies or irregularities in the header fields that could suggest a fraudulent email, which assists in differentiating between authentic communications and deceptive messages.

  • Tracing Email Paths: Analyse the "Received" sections to follow the email's journey, revealing any unauthorised or questionable relays or servers it traversed, potentially indicating rerouting or a malicious source.

  • Indicators of Malware and Spam: Look for suspicious file extensions, odd message identifiers, or inconsistencies in the metadata within the headers, which may indicate malware presence or spam.

  • Verification of Authenticity: Confirm SPF and DKIM records to make sure the email originates from a valid sender and has not been altered, thereby improving defenses against phishing and impersonation threats.

  • Forensic Analysis and Incident Response: Utilise header examination in scenarios involving suspected malicious activities to trace the origin of the email, pinpoint possible attackers, and gain insight into the methods employed in the attack.

Overall, email header analysis is a vital process for assessing the authenticity, integrity, and security of email communications. It helps users and organisations make informed decisions about handling emails, mitigating risks, and protecting against various forms of email-based threats.
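As an added example (not code from the original post), the following Python script takes the key components and key points from the two sections above and turns them into checks you can run against a raw message. It rebuilds the path from the “Received” lines, compares the “Return-Path”, “Reply-To” and “Message-ID” domains with the “From” domain, reads the SPF and DKIM verdicts from “Authentication-Results”, and looks at “X-Spam-Score”. The sample message is constructed: every host name, address and IP in it is an assumption (IPs from the RFC 5737 documentation ranges), and the 5.0 spam-score threshold is an arbitrary choice.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample of a raw message (not a real email). Every host name,
# address and IP is an assumption chosen to exercise the checks below; the IPs
# come from the RFC 5737 documentation ranges and the domains are placeholders.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
Received: from mx.recipient-example.org (mx.recipient-example.org [203.0.113.10])
 by mail.recipient-example.org with ESMTP id A1B2C3;
 Mon, 03 Jun 2024 10:05:12 +0000
Received: from relay.mailer-example.net (relay.mailer-example.net [198.51.100.25])
 by mx.recipient-example.org with ESMTPS id D4E5F6;
 Mon, 03 Jun 2024 10:05:10 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
 by relay.mailer-example.net with ESMTPA id G7H8I9;
 Mon, 03 Jun 2024 10:04:58 +0000
Authentication-Results: mx.recipient-example.org;
 spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none header.d=bank-example.com
Message-ID: <20240603100458.12345@relay.mailer-example.net>
From: "Bank Support" <support@bank-example.com>
Reply-To: claims@inheritance-example.biz
To: victim@recipient-example.org
Subject: Urgent: your inheritance is waiting
X-Spam-Score: 7.3

(body omitted)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>" as written by each relay
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Join a folded header value (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", str(value)).strip()


def domain_of(value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(unfold(value or ""))
    return addr.rpartition("@")[2].lower()


def trace_path(raw_message):
    """Return the Received hops in chronological order (origin first).

    Each relay prepends its own Received line, so the top of the header is
    the last hop; reversing the list recovers the path the message took.
    """
    msg = message_from_string(raw_message)
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = unfold(raw)
        m, ip = RECEIVED_RE.search(line), IP_RE.search(line)
        stamp = line.rsplit(";", 1)[1].strip() if ";" in line else ""
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def analyse(raw_message):
    """Run the consistency checks and return a list of (code, detail) findings."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # The bounce address, reply target and Message-ID normally share the From
    # domain (or a subdomain of it); a mismatch is a classic phishing signal.
    for header, code in (("Return-Path", "RETURN_PATH_MISMATCH"),
                         ("Reply-To", "REPLY_TO_MISMATCH"),
                         ("Message-ID", "MESSAGE_ID_MISMATCH")):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom and not dom.endswith("." + from_dom):
            findings.append((code, f"{header} domain {dom!r} != From domain {from_dom!r}"))

    # SPF and DKIM verdicts as recorded by the receiving server.
    auth = unfold(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append((f"{mech.upper()}_{result.upper()}", auth))

    # Spam-filter score; the 5.0 threshold is an assumption (filters differ).
    score = msg.get("X-Spam-Score")
    if score and float(score) >= 5.0:
        findings.append(("SPAM_SCORE_HIGH", score))

    # Timestamps along the Received chain should never run backwards.
    times = [h["time"] for h in trace_path(raw_message) if h["time"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append(("RECEIVED_TIME_ORDER", "timestamps decrease along the path"))
    return findings


if __name__ == "__main__":
    for hop in trace_path(RAW_MESSAGE):
        print(f"{hop['time']}  {hop['helo']} ({hop['ip']}) -> {hop['by']}")
    for code, detail in analyse(RAW_MESSAGE):
        print(f"[{code}] {detail}")
```

Run as a script, it prints the three hops from the origin host (192.0.2.77) to the final delivery server, followed by six findings: three domain mismatches, an SPF fail, a missing DKIM signature, and a high spam score. Two points worth keeping in mind when reusing this on a real message: only the “Received” lines added by servers you trust (your own provider’s) are reliable, because a sender can forge lines beneath them, and domain mismatches on their own are not proof of fraud, since mailing services commonly send on behalf of other domains.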

Conclusion…

Email header analysis is like being a detective for your inbox! By examining the sender info, routing paths, and authentication details, you can uncover the true origin of an email and spot any phishing or spoofing attempts. It's like tracing the email's journey from sender to recipient, revealing any suspicious detours or tampering along the way. Plus, it plays a crucial role in sniffing out malware and spam by identifying odd attachments or metadata inconsistencies. By checking SPF and DKIM, you ensure emails are legit and untampered. This detective work is invaluable for incident response and forensic investigations, helping track down attackers and bolster defenses. Ultimately, email header analysis empowers you to make smart decisions, dodge email threats, and keep your communication safe and sound!


Written by

Ketty C.

I'm a junior cyber risk analyst just starting my journey in cybersecurity. I have been studying cybersecurity, participating in CTFs and other competitions, self-learning programming, and hustling on projects during nights and weekends.👾