Introduction
Phishing emails are increasingly convincing, often including text and images that sound and look authentic. If you receive an unexpected email, it's good to know how to check the headers of that message to get more details about where it was sent from. Verifying this information can help you confirm if you are reading a legitimate message from a verified sender, or a fake message that is trying to get your information.
Procedure
Viewing the email headers of a message is a great way to verify the authenticity of the sender. However, even getting the header information is different on each client. Some call this area "view headers" but some clients use wording such as "show original" or "view raw message." It would be best to check with your email client or webmail tool to find out how to view the headers of a message.
Once you are looking at the headers you can find the important details. While every email message will look slightly different, the following are some common values in email headers you will find.
Return-Path:
This value shows the address the message was sent from. While a spoofed message can often fake the "From" field of an email, the return path will show you the address the mail server handled the message from.
Received: from
This value shows you the hostname of the server that sent the message. For example, if you receive a message asking you to reset your password, but this field doesn't have that company's name, that is a potential indicator the message is not legitimate.
Received-SPF:
This value shows if the sender has a valid SPF record, and if it passed validation. If this passed, the message is much more likely to be authentic.
Authentication-Results:
Similar to the SPF value, this area will show DKIM, DMARC, and SPF validation of the mail message. It may also include the IP address that is verified as the permitted sender of messages.
Using those values together will help to show the legitimacy of an email message. It's important to never click links or provide login details from a link you received in an email unless you are 100% sure it is a legitimate message. If you have any doubts, it's best to access your account directly from a web page instead of using the links in an email message. You can also always contact the company or individual that sent the message to verify the legitimacy as well.
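The following is an added example, not part of the original article: a short Python script that reads the raw source of a message and pulls out the four header values described above, then lists anything that does not line up. The sample message, its hostnames, addresses and IP are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every host, address and IP is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7])
 by mx.recipient.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received-SPF: fail (domain of bounce@mailer.example.net does not
 designate 203.0.113.7 as permitted sender)
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Example Support" <support@example.com>
Subject: Reset your password

Please reset your password.
"""

def domain_of(value):
    """Lowercased domain of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def check_headers(raw):
    """Collect the four header values discussed above and list warning signs."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        verdicts[mech] = m.group(1).lower() if m else "missing"
    # The topmost Received header is the one added last, by the receiving server.
    hop = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    spf_header = (msg.get("Received-SPF", "missing").split() or ["missing"])[0].lower()
    info = {
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "sending_host": hop.group(1).lower() if hop else "",
        "received_spf": spf_header,
        "auth": verdicts,
    }
    warnings = [f"{k} result is '{v}'" for k, v in verdicts.items() if v != "pass"]
    if info["return_path_domain"] != info["from_domain"]:
        warnings.append("Return-Path domain differs from From domain")
    info["warnings"] = warnings
    return info

if __name__ == "__main__":
    for key, value in check_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the Received and Authentication-Results lines added by your own mail server can be trusted, since anything lower in the message was supplied by the sender. A Return-Path domain that differs from the From domain is a reason to look closer rather than proof of spoofing, because legitimate mailing services often use their own bounce address.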