Analyzing Specific Headers
Glossary of Common Headers
From
Shows who sent the email (though this can sometimes be faked).
This is the first place to check when verifying an email's sender. Be cautious if the name looks familiar but the email address seems unusual or doesn't match the organization it claims to be from.
To
Lists the main recipients of the email.
If you see many recipients you don't recognize, it might be a mass mailing. Sometimes you'll find your email in the "Bcc" field instead, which means the sender hid who else received it.
Subject
The title or topic of the email message.
Spam emails often use urgent or too-good-to-be-true subjects. Legitimate businesses usually keep subjects professional and relevant.
Date
When the email was sent (according to the sender's computer).
Watch for dates that don't make sense (like future dates) which could indicate tampering. Timezone differences might explain minor discrepancies.
Return-Path
Where bounce messages go if the email can't be delivered.
This often matches the From address, but some services use different addresses for tracking. Mismatches here aren't necessarily suspicious.
Rare but Important Headers
X-Originating-IP
Shows the actual IP address of the computer that sent the email.
This can reveal the true origin of an email, especially useful when the From address is forged. However, many email services now hide this for privacy.
X-Mailer
Identifies the email program used to send the message.
Different email clients have different security features. Seeing an outdated mail client might indicate higher risk.
X-Priority
Indicates how urgent the sender thinks the message is.
Spammers often mark messages as high priority to trick you into opening them. Most legitimate senders use normal priority.
X-Spam-Score
A rating of how likely the email is to be spam (higher numbers mean more likely).
Scores above 5 usually indicate spam. This is calculated by spam filters analyzing multiple factors in the email.
Headers Used in Mailing Lists and Newsletters
List-ID
A unique identifier for the mailing list.
This helps email clients group messages from the same list together. Legitimate lists always include this.
List-Unsubscribe
Provides ways to stop receiving emails from the list.
Look for unsubscribe links that use https:// and go to the same domain as the newsletter. Avoid suspicious unsubscribe methods.
Precedence: bulk
Marks the email as a mass mailing (not personal).
This tells your email client to handle it differently from personal messages. Most newsletters and promotions include this.
Feedback-ID
Helps track responses and engagement with newsletters.
Companies use this to see which content performs best. It doesn't contain personal information.
Non-Standard or Forged Headers
X-Forged-Headers
Indicates someone may have tampered with the email headers.
This is a red flag that the email might be fraudulent. Many email services add this when they detect header manipulation.
X-Apparently-From
Shows what the sender's address appeared to be before verification.
Useful for spotting spoofed emails where the From address doesn't match the actual sender.
X-Failed-Recipients
Lists email addresses that couldn't receive the message.
Normally only seen in bounce messages. If this appears in a regular email, it might indicate a forwarding loop or misconfiguration.
X-Authentication-Warning
Warns when parts of the email might not be authentic.
Pay attention to these warnings as they often indicate potential phishing attempts or spoofed messages.
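The checks described in this glossary can be scripted for quick triage of a raw message. The following is an added example, not part of the original page: the function names, the one-day date tolerance, and the reading of X-Priority 1-2 as "high" are assumptions, and the sample headers are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample headers for illustration (not taken from a real message).
SAMPLE = """\
From: "Example Bank" <alerts@bank.example>
Date: Tue, 01 Jan 2030 10:00:00 +0000
Return-Path: <bounce@mailer.example>
X-Priority: 1 (Highest)
X-Spam-Score: 7.2
List-Unsubscribe: <http://unsub.other.example/u?id=1>, <mailto:unsub@bank.example>
"""

def addr_domain(value):
    """Domain part of an address header value, lowercased ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw, now=None, skew=timedelta(days=1), spam_threshold=5.0):
    # Hypothetical helper: skew is an assumed tolerance; 5.0 is the page's spam cutoff.
    msg, findings = message_from_string(raw), []
    now = now or datetime.now(timezone.utc)
    from_dom, rp_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:  # informational only: tracking services do this
        findings.append("info:return-path-differs")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:  # "-0000" dates parse as naive; treat them as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if sent > now + skew:  # skew absorbs timezone and clock differences
            findings.append("warn:date-in-future")
    except (TypeError, ValueError):
        findings.append("warn:date-missing-or-unparseable")
    prio = re.match(r"\s*([1-5])", msg["X-Priority"] or "")
    if prio and int(prio.group(1)) <= 2:  # 1-2 = high, 3 = normal
        findings.append("warn:high-priority")
    score = re.fullmatch(r"\s*(-?\d+(?:\.\d+)?)\s*", msg["X-Spam-Score"] or "")
    if score and float(score.group(1)) > spam_threshold:
        findings.append("warn:spam-score-above-threshold")
    for uri in re.findall(r"<([^>]+)>", msg["List-Unsubscribe"] or ""):
        parts = urlsplit(uri)
        if parts.scheme in ("http", "https"):  # mailto: targets are skipped
            host = (parts.hostname or "").lower()
            same = host == from_dom or host.endswith("." + from_dom)
            if parts.scheme != "https" or not same:
                findings.append("warn:unsubscribe-link " + uri)
    return findings
```

Findings prefixed `info:` are context rather than evidence of fraud, matching the note above that Return-Path mismatches aren't necessarily suspicious.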