FreeEmailAnalyzer

Core Components of an Email Header

Basic Fields

These are the most common header fields you'll see in emails, and what they really mean:

🔍 From

  • What you see: The sender's display name and email address
  • What to know:
    • Both are free text chosen by whoever composed the message, so they can be faked (like writing a false return address on a letter); many clients show only the display name
    • Check the authentication results (SPF, DKIM and DMARC, reported in the Authentication-Results header) before trusting it
    • Example: From: "Your Bank" <support@yourbank.com> could be fake

📩 To

  • What you see: The main recipient(s) listed
  • What to know:
    • Doesn't show every recipient: Bcc recipients are never listed, and if you were Bcc'd your own address may not appear at all
    • Doesn't prove the email was actually delivered to these addresses; the real recipients are in the SMTP envelope, not in this header
    • Example: To: john@example.com, jane@example.com

📝 Subject

  • What you see: The email's title
  • What to know:
    • Spammers often use urgent/scary subjects
    • Legitimate businesses use consistent subject styles
    • Example: Subject: Urgent: Your account will be closed!

📅 Date

  • What you see: When the email was supposedly sent
  • What to know:
    • Set by the sending client, so it reflects the sender's clock and time zone and can be wrong or forged
    • Compare it with the timestamps in the Received headers, which the receiving servers add; a gap of hours or days points to a forged date or a message that sat in a queue
    • Example: Date: Thu, 15 May 2025 09:30:45 +0000 (the weekday, if present, must agree with the date)

Other Common Fields

  • Reply-To: Where replies will go (may differ from From address)
  • Message-ID: Unique email identifier (like a tracking number)
  • MIME-Version: Declares that the message uses MIME (the standard for attachments, HTML bodies and non-ASCII text)

Remember: While these basic fields are helpful, the most important security information is in the authentication headers (SPF, DKIM, DMARC) which we'll cover separately.
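As an added example (not part of FreeEmailAnalyzer), the Python script below reads the basic fields from a raw message with the standard-library email module: it decodes an RFC 2047 encoded Subject, separates the From display name from the address actually used, flags a display name that embeds a second address, and compares the Date header with the earliest Received timestamp. The message, its hosts and the six-hour skew threshold are constructed for the example.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample, not a real message: the From display name smuggles in a
# second address, and the Date header is three days older than the timestamps
# the receiving servers stamped into the Received chain. Hosts are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by inbox.example.com with ESMTP id abc123;
 Thu, 15 May 2025 09:31:02 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
 by mx.example.net with SMTP;
 Thu, 15 May 2025 09:30:58 +0000
From: "Your Bank <support@yourbank.com>" <alerts@mail-yourbank.example>
To: john@example.com
Subject: =?UTF-8?B?VXJnZW50OiBZb3VyIGFjY291bnQgd2lsbCBiZSBjbG9zZWQh?=
Date: Mon, 12 May 2025 09:30:45 +0000
Message-ID: <20250512093045.1@mail-yourbank.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Please log in now.
"""


def received_timestamps(msg):
    """Timestamps from the Received chain, most recent hop first.

    Each Received header ends with ';' and the time at which the named
    server added it, so these clocks belong to the receivers, not the sender.
    """
    stamps = []
    for value in msg.get_all('Received', []):
        date_part = str(value).rpartition(';')[2].strip()
        try:
            stamps.append(parsedate_to_datetime(date_part))
        except (TypeError, ValueError):
            continue  # malformed hop: skip it rather than abort the analysis
    return stamps


def analyze_basic_headers(raw, max_skew_seconds=6 * 3600):
    """Return the basic fields plus a list of things a reader should question.

    max_skew_seconds (an assumed threshold) is how far Date may differ from
    the first hop's Received timestamp before it is flagged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # From: separate what the client displays from the address that is used
    from_header = msg['From']
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    display = sender.display_name if sender else ''
    addr = sender.addr_spec if sender else ''
    if '@' in display and addr not in display:
        flags.append(f'From display name embeds a different address: {display!r}')

    # Date: the sender's clock, checked against the first receiving server
    sent = msg['Date'].datetime if msg['Date'] else None
    hops = received_timestamps(msg)
    skew = None
    if sent and hops:
        first_hop = hops[-1]  # bottom-most Received header = earliest hop
        skew = int((first_hop - sent).total_seconds())
        if abs(skew) > max_skew_seconds:
            flags.append(f'Date is {skew} s away from the first Received timestamp')

    return {
        'from_display': display,
        'from_addr': addr,
        'subject': str(msg['Subject']),  # RFC 2047 encoded words are decoded here
        'date': sent.isoformat() if sent else None,
        'skew_seconds': skew,
        'flags': flags,
    }


if __name__ == '__main__':
    for key, value in analyze_basic_headers(SAMPLE).items():
        print(f'{key}: {value}')
```

Run it on a message saved as raw source (most clients offer "show original" or "view source"). The first Received header a message collects is the bottom-most one, which is why the earliest hop is taken from the end of the list.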

These fields describe who handed the message to the mail system and where responses go. Each is set by a different party, which is why they can legitimately disagree and why the combination is worth reading:

📩 Return-Path

  • What it is: The "return address" for bounce messages, copied from the SMTP envelope sender (MAIL FROM) by the receiving server
  • Why it matters:
    • Shows where undeliverable notices go
    • SPF is evaluated against this domain, not the From domain, so an SPF pass only vouches for the Return-Path
    • Frequently differs from From for mailing lists and bulk senders, which use per-message bounce addresses; on a message that claims to be personal, a mismatch deserves a second look
    • Example: Return-Path: <bounces@mailinglist.example.com>

✉️ Sender

  • What it is: The mailbox that actually submitted the message on behalf of the From author, when the two differ
  • Why it matters:
    • Common in mailing lists (the list address appears here, the original author stays in From)
    • Also set by clients sending on someone's behalf, such as a shared or delegated mailbox; it is not a sign that a message was forwarded
    • Example: Sender: <list-admin@example.org>

↩️ Reply-To

  • What it is: Where replies should be sent
  • Why it matters:
    • May differ from the "From" address (common in contact forms and no-reply senders)
    • Phishers set Reply-To to a mailbox they control, so a reply to a spoofed From goes to them rather than to the organization being impersonated
    • Example: Reply-To: "Support Team" <support@example.com>

Key Differences:

Field        Shows              Common uses
From         Displayed sender   Who appears to have sent it
Sender       Actual submitter   Mailing lists, sending on someone's behalf
Reply-To     Reply destination  Contact forms, customer service
Return-Path  Bounce address     Bounce handling, SPF evaluation

Remember: These fields help you understand the real path of an email, not just what's displayed in your inbox.

Message Identification

These fields help track and identify individual email messages:

📧 Message-ID

  • What it is: A globally unique identifier assigned when the message is created, written as <unique-string@domain>
  • Why it matters:
    • Helps track conversations and replies
    • Can reveal if multiple suspicious emails came from the same source (same generating domain, or identical IDs)
    • Example: <20240502120000.123456@example.com>

🔗 In-Reply-To & References

  • What they are: Links connecting email replies
  • Why they matter:
    • Show if an email is part of a conversation
    • Help email clients group messages together
    • Can expose fake replies that don't match real conversations

🔍 How to use these for analysis:

  1. Check that the Message-ID has the standard <unique-part@domain> form; many systems embed a timestamp in the left part, but the standard only requires the value to be unique
  2. Verify that In-Reply-To (and each entry in References) matches a message you actually have; a "reply" to a conversation you never had is a classic phishing pretext
  3. Look for suspicious patterns like:
    • Same Message-ID used for different emails
    • Fake reply chains
    • A domain after the @ that belongs to neither the From domain nor a mail provider that sender would plausibly use

💡 Tip: A legitimate sender's Message-IDs come from the same generating system and domain every time. Whether an ID looks "random" tells you little, since many large providers use random-looking IDs; what matters is whether the generating domain fits the claimed sender.
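The three checks above, as an added Python example that is not part of FreeEmailAnalyzer: it validates the Message-ID syntax, compares the generating domain with the From domain, verifies In-Reply-To and References against the IDs of messages you actually hold, and finds Message-IDs reused across several messages. The small mailbox it runs over is constructed for the example; the "same or a subdomain of the From domain" rule for the generating domain is an assumption, since large providers often generate IDs at a domain unrelated to the author.

```python
import email
import re
from email import policy

# Constructed sample mailbox (not real traffic): two messages that were really
# exchanged, a newcomer that claims to continue that thread, and two bulk
# messages that share one Message-ID.
KNOWN = [
    "From: jane@example.com\nTo: john@example.com\n"
    "Subject: Q2 invoice\nMessage-ID: <a1@example.com>\n",
    "From: john@example.com\nTo: jane@example.com\n"
    "Subject: Re: Q2 invoice\nMessage-ID: <b2@example.com>\n"
    "In-Reply-To: <a1@example.com>\nReferences: <a1@example.com>\n",
]
SUSPECT = (
    "From: \"Jane\" <jane@example.com>\nTo: john@example.com\n"
    "Subject: Re: Q2 invoice\nMessage-ID: <9f2c@bulk-sender.example>\n"
    "In-Reply-To: <zz9@example.com>\n"
    "References: <a1@example.com> <zz9@example.com>\n"
)
BULK = [
    "From: promo@bulk-sender.example\nSubject: Offer\nMessage-ID: <c3@bulk-sender.example>\n",
    "From: promo@bulk-sender.example\nSubject: Offer again\nMessage-ID: <c3@bulk-sender.example>\n",
]

# RFC 5322 msg-id: '<' id-left '@' id-right '>' and nothing else, no whitespace
MSGID_RE = re.compile(r'^<([^<>@\s]+)@([^<>@\s]+)>$')


def parse_message_id(value):
    """(left, domain) for a well-formed Message-ID, None otherwise."""
    m = MSGID_RE.match(value.strip()) if value else None
    return (m.group(1), m.group(2).lower()) if m else None


def message_id_of(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return str(msg.get('Message-ID', '')).strip()


def check_threading(raw, known_ids):
    """Flag a malformed or foreign Message-ID and reply links to messages we never saw."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    mid = str(msg.get('Message-ID', '')).strip()
    parsed = parse_message_id(mid)
    if parsed is None:
        flags.append(f'Message-ID missing or malformed: {mid!r}')
    else:
        from_domain = msg['From'].addresses[0].domain.lower() if msg['From'] else ''
        id_domain = parsed[1]
        # Assumed rule: the ID should be generated at the From domain or a subdomain of it
        if from_domain and id_domain != from_domain and not id_domain.endswith('.' + from_domain):
            flags.append(f'Message-ID was generated at {id_domain} but From claims {from_domain}')

    in_reply_to = str(msg.get('In-Reply-To', '')).strip()
    if in_reply_to and in_reply_to not in known_ids:
        flags.append(f'In-Reply-To {in_reply_to} is not a message in this mailbox')

    refs = str(msg.get('References', '')).split()
    unknown = [r for r in refs if r not in known_ids]
    if unknown:
        flags.append(f'{len(unknown)} of {len(refs)} References are unknown: {unknown}')

    return {'message_id': mid, 'flags': flags}


def reused_message_ids(raw_messages):
    """Message-IDs that appear on more than one message, with their counts."""
    counts = {}
    for raw in raw_messages:
        mid = message_id_of(raw)
        if mid:
            counts[mid] = counts.get(mid, 0) + 1
    return {mid: n for mid, n in counts.items() if n > 1}


if __name__ == '__main__':
    known_ids = {message_id_of(m) for m in KNOWN}
    print(check_threading(SUSPECT, known_ids))
    print(reused_message_ids(BULK))
```

The set of known IDs would normally be built from your own mailbox; here it comes from the two constructed messages. A genuine reply to the thread (the second KNOWN message) produces no flags at all.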

Format and Encoding

These headers control how email content is formatted and displayed:

📜 MIME-Version

  • What it is: Declares that the message follows MIME, the standard that allows attachments, HTML bodies and non-ASCII text
  • Why it matters:
    • Any message using MIME should carry "MIME-Version: 1.0"; 1.0 is the only version defined
    • A missing header on a message with attachments or HTML, or any other version number, means the message was built by something other than a normal mail client and deserves a closer look

🖼️ Content-Type

  • What it does: Tells your email program how to display the message
  • Common types:
    • text/plain - Simple text only
    • text/html - Allows formatting and images
    • multipart/alternative - The same content as both plain text and HTML; the client shows one of them
    • multipart/mixed - For emails with attachments
    • multipart/related - HTML with inline images referenced by Content-ID
  • Watch for:
    • Unexpected HTML content in supposedly plain emails
    • Mismatches between declared type and actual content (for example an attachment declared application/pdf whose bytes do not start with %PDF)

🔤 Character Encoding

  • What it is: How text characters are represented
  • Common encodings:
    • UTF-8 (recommended) - Supports all languages
    • ISO-8859-1 - Older Western European standard
  • Red flags:
    • Garbled text usually means the declared charset doesn't match the bytes; on its own that is a formatting error, not an attack
    • Unusual character sets, or text bodies needlessly base64-encoded, are sometimes used to slip past keyword filters or to display look-alike (homoglyph) characters in names and links

💡 Tip: Legitimate emails use standard formats. Strange encoding or content types may indicate spam or phishing attempts.
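An added Python example (not FreeEmailAnalyzer's code) that walks a message's MIME tree and applies the checks from this section: MIME-Version present and equal to 1.0, the declared Content-Type and charset of every part, a text/plain part that actually contains HTML, and an attachment whose leading bytes do not match its declared type. The message is constructed: one part is a genuine PDF stub, the other "PDF" begins with the MZ signature of a Windows executable. The small signature table is an assumption, not a complete file-type database.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): a plain-text part in ISO-8859-1, a
# part declared text/plain that carries HTML, a real PDF stub, and a "PDF"
# whose bytes begin with the MZ signature of a Windows executable.
SAMPLE = """\
From: "Your Bank" <support@yourbank.com>
To: john@example.com
Subject: Statement
Message-ID: <55@bulk-sender.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your statement is attached. Caf=E9 des Finances.
--outer
Content-Type: text/plain; charset="utf-8"

<html><body><a href="https://example.net/login">Log in</a></body></html>
--outer
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--outer
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

TVqQ
--outer--
"""

HTML_TAG = re.compile(r'<\s*(html|body|a|script|img|form)\b', re.I)

# Assumed, deliberately short table of file signatures for sniffing attachments
MAGIC = {
    b'%PDF': 'application/pdf',
    b'MZ': 'application/x-msdownload',   # DOS/Windows executable
    b'PK\x03\x04': 'application/zip',    # also docx/xlsx/jar containers
}


def sniff_type(data):
    """Type implied by the first bytes of an attachment, or None if unknown."""
    for magic, ctype in MAGIC.items():
        if data.startswith(magic):
            return ctype
    return None


def inspect_mime(raw):
    """List every MIME part and flag declared-versus-actual mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    if str(msg.get('MIME-Version', '')).strip() != '1.0':
        flags.append('MIME-Version is missing or not 1.0')

    parts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        entry = {'type': ctype, 'charset': part.get_content_charset(),
                 'filename': part.get_filename()}
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b''  # CTE already undone
            if ctype.startswith('text/'):
                # Decode with the declared charset; garbled output here means
                # the declaration and the bytes disagree
                text = payload.decode(entry['charset'] or 'us-ascii', errors='replace')
                entry['preview'] = text[:60]
                if ctype == 'text/plain' and HTML_TAG.search(text):
                    flags.append('text/plain part contains HTML markup')
            else:
                actual = sniff_type(payload)
                if actual and actual != ctype:
                    flags.append(f"{entry['filename']} declared {ctype} but content is {actual}")
        parts.append(entry)
    return {'parts': parts, 'flags': flags}


if __name__ == '__main__':
    result = inspect_mime(SAMPLE)
    for p in result['parts']:
        print(p)
    for flag in result['flags']:
        print('flag:', flag)
```

The quoted-printable part decodes cleanly to "Café" because its declared charset matches its bytes; swap the declaration to utf-8 and the preview shows a replacement character, which is the harmless kind of encoding mismatch the section describes. The MZ-headed "form.pdf" is the kind that is not.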