Email Header Analysis Rules
Rule Categories
Authentication Rules
- Check SPF, DKIM, DMARC results: These are email security standards that help verify the sender's identity. SPF checks whether the email came from a server the sender's domain has authorized, DKIM verifies the message wasn't altered in transit, and DMARC tells you what to do if authentication fails. All three passing means the email is likely genuine.
- Verify alignment between From and Return-Path: The domain of the From address (what the recipient sees) should align with the domain of the Return-Path (the envelope sender, where bounces go). If the domains differ, the sender may be pretending to be someone else.
- Look for ARC headers in forwarded mail: ARC (Authenticated Received Chain) preserves authentication results when emails are forwarded. If ARC headers are present, the email went through at least one forwarding service that sealed it.
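The three authentication rules above, applied to a constructed header set (added example, not part of the original page). It reads the Authentication-Results header with the standard library's email parser, compares the From and Return-Path domains with relaxed (subdomain) alignment, and reports whether any ARC header is present; the sample values and the relaxed-alignment choice are assumptions:

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the original page): SPF and DKIM pass for the
# relay's own domain, but the visible From domain is different, so DMARC fails.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net;
 dmarc=fail header.from=bank.example.com
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=fwd.example; s=arc
From: "Account Alerts" <alerts@bank.example.com>
To: user@example.org
Subject: Please confirm your account

(body omitted)
"""


def load_message(raw):
    """Parse raw RFC 5322 text; policy.default unfolds multi-line headers."""
    return email.message_from_string(raw, policy=policy.default)


def parse_auth_results(msg):
    """Collect method=result pairs from every Authentication-Results header.

    The header reads '<authserv-id>; spf=pass ...; dkim=pass ...; dmarc=fail ...'.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:   # skip the authserv-id
            clause = clause.strip()
            if not clause:
                continue
            method_result = clause.split()[0]        # e.g. 'spf=pass'
            if "=" in method_result:
                method, result = method_result.split("=", 1)
                results[method.lower()] = result.lower()
    return results


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_alignment(msg):
    """Compare the From domain with the Return-Path domain (subdomains align)."""
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    aligned = bool(from_domain) and bool(return_path_domain) and (
        from_domain == return_path_domain
        or from_domain.endswith("." + return_path_domain)
        or return_path_domain.endswith("." + from_domain)
    )
    return from_domain, return_path_domain, aligned


def has_arc(msg):
    """True when any ARC-* header is present (a sealing forwarder handled it)."""
    return any(name.lower().startswith("arc-") for name in msg.keys())


def authentication_failures(msg):
    """List the authentication rules that did not pass."""
    failures = []
    results = parse_auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            failures.append(f"{method} result is {results.get(method, 'missing')}")
    from_domain, return_path_domain, aligned = check_alignment(msg)
    if not aligned:
        failures.append(
            f"From domain {from_domain!r} does not align with "
            f"Return-Path domain {return_path_domain!r}"
        )
    return failures


if __name__ == "__main__":
    message = load_message(SAMPLE_HEADERS)
    print("results:", parse_auth_results(message))
    print("ARC present:", has_arc(message))
    for failure in authentication_failures(message):
        print("FAIL:", failure)
```

Note that SPF and DKIM both pass here because they are evaluated against the relay's domain; only the DMARC result and the alignment check expose that the visible From domain is not the one that authenticated, which is exactly the gap the alignment rule exists to catch.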
Routing Rules
- Examine Received header chain: This shows the path the email took to reach you. Each server adds its own Received header, with the most recent at the top. Look for unexpected jumps between countries or suspicious providers.
- Verify server hostnames resolve: Each server name in the headers should correspond to a real mail server. You can check this by looking up the domain names to see if they belong to legitimate email services.
- Check for suspicious IP addresses: Some IP ranges are known for sending spam. If an email comes through these, it increases the risk score even if other factors look good.
- Validate timestamp sequence: Each Received header includes a timestamp. These should be in logical order (newest to oldest as you read down). Time going "backwards" could indicate tampering.
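The four routing rules, worked through on a constructed Received chain (added example, not from the original page). It parses each hop's source, receiving host, IP literal and timestamp, rebuilds the delivery path in travel order, flags a timestamp that runs backwards, checks hostnames against a caller-supplied resolver (a fake one here so it runs offline; socket.gethostbyname would be the real one), and matches hop IPs against a caller-supplied blocklist. The hostnames, addresses and the blocklist are all assumptions:

```python
import ipaddress
import re
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample (not from the original page). Reading down, the headers
# run from the final recipient server back to the origin; the oldest hop here
# carries a timestamp LATER than the hop that received the message next.
SAMPLE_HEADERS = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
 by inbox.example.org with ESMTP id abc123;
 Mon, 06 Nov 2023 10:05:10 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx2.example.org with ESMTPS id def456;
 Mon, 06 Nov 2023 10:05:05 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
 by relay.example.net with SMTP id ghi789;
 Mon, 06 Nov 2023 10:09:00 +0000
From: sender@example.net
To: user@example.org
Subject: test

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw):
    """One dict per Received header, in header order (newest hop first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        clause, _, date_part = str(header).rpartition(";")  # date follows last ';'
        match = HOP_RE.search(clause)
        ip = IP_RE.search(clause)
        hops.append({
            "src": match.group("src") if match else None,
            "dst": match.group("dst") if match else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(date_part.strip()) if date_part.strip() else None,
        })
    return hops


def delivery_path(hops):
    """Hostnames in the order the message actually travelled (origin first)."""
    if not hops:
        return []
    return [hop["src"] for hop in reversed(hops)] + [hops[0]["dst"]]


def timestamp_anomalies(hops):
    """Reading down, each hop must be older than the one above; flag any newer."""
    anomalies = []
    for newer, older in zip(hops, hops[1:]):
        if newer["time"] and older["time"] and older["time"] > newer["time"]:
            skew = int((older["time"] - newer["time"]).total_seconds())
            anomalies.append(
                f"{older['dst']} stamped the message {skew}s after "
                f"{newer['dst']}, which received it later"
            )
    return anomalies


def unresolvable_hosts(hops, resolver):
    """Hostnames the resolver cannot map; resolver behaves like socket.gethostbyname."""
    bad = set()
    for hop in hops:
        for name in (hop["src"], hop["dst"]):
            if not name or name.startswith("["):   # bare IP literal: nothing to resolve
                continue
            try:
                resolver(name)
            except OSError:
                bad.add(name)
    return sorted(bad)


def listed_ips(hops, blocklist):
    """Hop IPs that fall inside any network of a caller-supplied blocklist."""
    networks = [ipaddress.ip_network(n) for n in blocklist]
    return [hop["ip"] for hop in hops
            if hop["ip"] and any(ipaddress.ip_address(hop["ip"]) in n for n in networks)]


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_HEADERS)
    print("path:", " -> ".join(delivery_path(chain)))
    for line in timestamp_anomalies(chain):
        print("TIME:", line)
    # Constructed offline resolver standing in for socket.gethostbyname.
    known = {"inbox.example.org": "192.0.2.1", "mx2.example.org": "192.0.2.20",
             "relay.example.net": "198.51.100.7"}
    def fake_resolver(name):
        if name not in known:
            raise OSError(name)
        return known[name]
    print("unresolvable:", unresolvable_hosts(chain, fake_resolver))
    print("listed:", listed_ips(chain, ["203.0.113.0/24"]))   # constructed blocklist
```

A few seconds of backwards drift between real servers is usually clock skew; the several-minute reversal in the sample is the kind of discrepancy the timestamp rule is meant to surface, and the origin hop's bare IP literal with no resolvable name is the kind of hop the hostname rule singles out.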
Spam Rules
- Detect known spam patterns: Certain phrases, excessive punctuation (!!!!), or ALL CAPS in subjects are common spam markers. Also watch for mismatched sender names and addresses.
- Check for bulk mail indicators: Headers like "Precedence: bulk" or "X-Mailer: mass-mailer" show this is a mass email. Not necessarily bad, but combined with other red flags can indicate spam.
- Verify unsubscribe mechanisms: Legitimate marketing emails must include working unsubscribe options. If the unsubscribe link looks suspicious or goes to a different domain, be cautious.
- Look for suspicious content types: Emails that claim to be plain text but contain hidden HTML, or that include unexpected file attachments, are more likely to be malicious.
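The four spam rules implemented over a constructed message that trips every one of them (added example, not from the original page). Subject punctuation and capitals, a display name that looks like an address from a different domain than the real sender, bulk-mail headers, an unsubscribe link off the sender's domain, HTML inside a text/plain part, and attachments are each a separate check; the sample headers, the "last two labels" notion of organisational domain and the thresholds are assumptions:

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the original page) that trips every rule.
SAMPLE_MESSAGE = """\
From: "alerts@bank.example.com" <noreply@mail-alert.example>
To: user@example.org
Subject: URGENT!!! Verify your account NOW
Precedence: bulk
X-Mailer: mass-mailer/1.0
List-Unsubscribe: <http://unsub.elsewhere.example/u?id=42>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

<html><body>Click <a href="http://login.elsewhere.example/">here</a> now.</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

HTML_TAG_RE = re.compile(r"<(html|body|a|script|form)\b", re.IGNORECASE)


def registrable(host):
    """Crude organisational domain: the last two labels (an assumption for the demo)."""
    return ".".join(host.lower().split(".")[-2:])


def subject_markers(subject):
    """A run of three '!' or at least two ALL-CAPS words in the subject."""
    words = re.findall(r"[A-Za-z]{3,}", subject)
    caps = sum(1 for w in words if w.isupper())
    return bool(re.search(r"!{3,}", subject)) or caps >= 2


def sender_mismatch(from_header):
    """Display name that looks like an address on a different domain than the real one."""
    name, addr = parseaddr(from_header)
    if "@" not in name:
        return False
    return registrable(name.rpartition("@")[2]) != registrable(addr.rpartition("@")[2])


def bulk_indicators(msg):
    """Precedence bulk/list/junk, or an X-Mailer that advertises mass mailing."""
    precedence = str(msg.get("Precedence") or "").lower()
    mailer = str(msg.get("X-Mailer") or "").lower()
    return precedence in ("bulk", "list", "junk") or "mass" in mailer


def unsubscribe_off_domain(msg):
    """List-Unsubscribe link hosted somewhere other than the From domain."""
    header = msg.get("List-Unsubscribe")
    if not header:
        return False
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable(from_addr.rpartition("@")[2])
    for target in re.findall(r"<([^>]+)>", str(header)):
        host = urlparse(target).hostname
        if host and registrable(host) != from_domain:
            return True
    return False


def hidden_html(msg):
    """A text/plain part whose body is really HTML markup."""
    return any(part.get_content_type() == "text/plain"
               and HTML_TAG_RE.search(part.get_content())
               for part in msg.walk())


def attachment_names(msg):
    """Filenames of every attachment part (empty for a single-part message)."""
    return [part.get_filename() for part in msg.iter_attachments()]


def spam_indicators(raw):
    """Return the list of spam-rule findings for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if subject_markers(str(msg.get("Subject", ""))):
        findings.append("subject uses excessive punctuation or capitals")
    if sender_mismatch(str(msg.get("From", ""))):
        findings.append("display name impersonates a different address")
    if bulk_indicators(msg):
        findings.append("bulk-mail headers present")
    if unsubscribe_off_domain(msg):
        findings.append("unsubscribe link points to another domain")
    if hidden_html(msg):
        findings.append("text/plain part contains HTML")
    for name in attachment_names(msg):
        findings.append(f"unexpected attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in spam_indicators(SAMPLE_MESSAGE):
        print("SPAM:", finding)
```

Each check returns independently so a single hit (a newsletter with Precedence: bulk, say) can be weighed on its own rather than condemning the message outright, which matches the rule text's "not necessarily bad, but combined with other red flags".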
Example Verdicts
Likely Legitimate
- All authentication passes: When SPF, DKIM and DMARC all show "pass" results, you can be confident the email came from who it claims to be from.
- Clean routing path: The email took a direct path through known reputable mail servers with no suspicious hops.
- No spam indicators: The content looks professional, with proper formatting and no urgent demands or too-good-to-be-true offers.
Suspicious
- Partial authentication failures: Maybe DKIM passed but SPF failed, which could mean the email was forwarded legitimately or could indicate spoofing.
- Minor routing anomalies: Perhaps one server in the chain is unfamiliar but not clearly malicious, or there's a small time discrepancy in the timestamps.
- Some spam indicators: The email might use some sales language or have a few characteristics common in spam, but nothing definitive.
High Risk
- Multiple authentication failures: When two or more authentication methods fail, there's a high chance the email is forged.
- Forged routing information: Headers showing impossible routes (like an email supposedly going from New York to London in 1 second) or known malicious servers.
- Multiple spam indicators: The email hits several spam markers - poor grammar, mismatched sender info, urgent requests for personal information.
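The three verdict bands, expressed as a small decision function over tagged findings (added example, not from the original page). Findings carry a category and a severity so that the page's distinction between "minor routing anomalies" and "forged routing information" can be applied; the numeric cut-offs (two authentication failures, three spam indicators, five minutes of clock skew) are assumptions drawn from the wording above:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # "auth", "routing" or "spam"
    severity: str   # "minor" or "major"
    detail: str


# Assumptions (the page gives no exact numbers): "several" spam indicators
# means three or more, and a backwards timestamp within five minutes is clock
# skew (minor) while a larger reversal is treated as forged routing (major).
SPAM_HIGH_RISK = 3
SKEW_TOLERANCE_SECONDS = 300


def routing_finding(skew_seconds, tolerance=SKEW_TOLERANCE_SECONDS):
    """Classify a backwards timestamp: small skew is minor, a large one is major."""
    severity = "minor" if abs(skew_seconds) <= tolerance else "major"
    return Finding("routing", severity, f"timestamp runs back {skew_seconds}s")


def verdict(findings):
    """Map a list of Finding objects to Likely Legitimate / Suspicious / High Risk."""
    auth = [f for f in findings if f.category == "auth"]
    routing = [f for f in findings if f.category == "routing"]
    spam = [f for f in findings if f.category == "spam"]
    if (len(auth) >= 2                                  # multiple authentication failures
            or any(f.severity == "major" for f in routing)  # forged routing information
            or len(spam) >= SPAM_HIGH_RISK):                # multiple spam indicators
        return "High Risk"
    if auth or routing or spam:                          # partial / minor / some
        return "Suspicious"
    return "Likely Legitimate"


if __name__ == "__main__":
    sample = [
        Finding("auth", "minor", "spf result is fail"),
        routing_finding(12),
        Finding("spam", "minor", "bulk-mail headers present"),
    ]
    print(verdict(sample))                                # Suspicious
    print(verdict(sample + [routing_finding(900)]))       # High Risk
```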