Analyzing Email Headers
What's the purpose of analyzing email headers? Maybe you're trying to identify an actual sender, block a malicious sender, validate some threat analytics, or can't block a sender due to spoofing. Cyber security and forensic professionals analyze headers daily as part of incident response and/or forensic investigations. Plus, this is useful for aspiring students.
To analyze headers, you're going to need a copy of the original email (not a forwarded or text-copied one). "Forwarding as an Attachment" will preserve the original data. Regular forwarding (right clicking) will simply contain header info from the forwarding address, which is not useful. Once you've copied the header info, you can use Microsoft's Remote Connectivity Analyzer website to parse the data out for easier analysis.
If you use Gmail and have the email open, click the three dot stack next to the reply arrow button. Select View Original Message to see the header information.
If you use Microsoft Outlook Exchange, double-click to open the email, then find the Tags tab at the top. A little window will pop open with all the header information. Highlight and copy all the data.
If you use Microsoft Office 365 (cloud Exchange), click on the arrow down menu button next to Reply-all, and then select Message Details out of the list.
In any of these cases, copy the data and open the MS Remote Connectivity Analyzer. Just below the information banner, select Message Analyzer. Paste the header data into the field and press the Analyze Headers button.
Regardless of spoofed (faked) sender/source email or IP addresses, you'll see where the actual email originated. You can also find the actual source sender information even if they're using a cloud email messaging service such as those used by threat actors or irresponsible vendors. Either way, with this information, you can mitigate/remediate (block or blacklist) or collect forensic evidence regarding malicious senders.
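The same kind of parsing can be done offline. The following is an added example, not part of the original article or of Microsoft's tool: it walks the Received chain of copied headers, separates the sending IP your own mail server recorded from the origin claimed further down the chain, and compares the From domain with the Return-Path domain. The sample headers, their domains and IPs, and the trusted_suffix parameter (the domain of the mail servers you operate) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from itertools import takewhile

# Constructed sample headers (documentation domains and IP ranges, not a real message).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
\tby mailstore.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.bulkmail.example (relay.bulkmail.example [203.0.113.25])
\tby mx.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:03 +0000
Received: from workstation (unknown [192.0.2.77])
\tby relay.bulkmail.example with ESMTPA; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example; spf=pass; dkim=none; dmarc=fail
Return-Path: <bounce@bulkmail.example>
From: "Your Bank" <support@bank.example>
"""

def hops_newest_first(msg):
    """Parse each Received header into (from_host, ip, by_host)."""
    pats = (r"\bfrom\s+(\S+)", r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", r"\bby\s+(\S+)")
    hops = []
    for raw in msg.get_all("Received", []):
        flat = " ".join(raw.split())  # unfold continuation lines
        found = [re.search(p, flat) for p in pats]
        hops.append(tuple(m.group(1) if m else None for m in found))
    return hops

def domain_of(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def is_ours(host, suffix):
    return ("." + (host or "").lower()).endswith("." + suffix)

def analyze(raw_headers, trusted_suffix):
    """trusted_suffix: domain of the mail servers you operate (an assumption)."""
    msg = message_from_string(raw_headers)
    hops = hops_newest_first(msg)
    # Only the unbroken run of hops stamped by our own servers (from the top) is
    # reliable; older lines were written by other systems and may be forged.
    ours = list(takewhile(lambda h: is_ours(h[2], trusted_suffix), hops))
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    return {
        "handoff_ip": ours[-1][1] if ours else None,         # seen by our server
        "claimed_origin_ip": hops[-1][1] if hops else None,  # oldest, unverified
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
    }
```

Calling analyze(SAMPLE, "recipient.example") returns the handoff IP to block or report, plus the From/Return-Path domains and SPF, DKIM and DMARC verdicts to record as evidence.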