FreeEmailAnalyzer

Email Routing and Delivery Path

The Received header chain

These headers form a "paper trail" showing an email's journey to your inbox:

🔍 What each Received header contains:

  • Server hostnames: the server that accepted the message ("by ...") and the name the previous server announced ("from ...")
  • IP address: the address the connection actually came from, recorded in [brackets] by the receiving server
  • Timestamp: when that server accepted the message, including its timezone offset
  • Transport details: the protocol used ("with ESMTPS" means the hop was encrypted with TLS) and sometimes the intended recipient ("for ..."); SPF/DKIM verdicts are not in Received lines but in the separate Authentication-Results header your provider adds

🧭 How to read the chain:

Headers are added to the top as the message travels, so read from the bottom up:

  1. Bottom header: written by the first server that accepted the message; its "from" names the originating host
  2. Middle headers: relays, filters and security scanners that passed it along
  3. Top header: written by your own email provider when it accepted final delivery

⚠️ Warning signs to watch for:

  • Suspicious locations: the IP in the hop where your provider accepted the mail sits in a country or network unrelated to the claimed sender
  • Time anomalies: timestamps that run backwards by more than a few minutes of clock skew, or unexplained gaps of hours (fast delivery itself is normal)
  • Missing authentication: no SPF/DKIM pass for the claimed sender domain in the Authentication-Results header
  • Self-written hops: Received lines below your provider's own hop were written by servers you do not control and can be forged outright

💡 Example Chain:

Received: from mail.provider.com (verified)
Received: from relay.example.net (10.1.1.1)
Received: from sender.com (unverified)

This shows the message went sender.com → relay.example.net → your provider. Only the top line was written by your own provider; everything below it is taken on trust from the servers named there.

🔒 Security Tip: Legitimate emails commonly have 2-5 Received headers, and business mail routed through security gateways can have more. Chain length alone is a weak signal: compare it with earlier mail from the same sender rather than treating a long chain as spam by itself.
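The bottom-up reading above, as an added example that is not part of the FreeEmailAnalyzer page or tool: it parses a constructed three-hop message (the placeholder domains from the chain above, IPs from the RFC 5737 documentation ranges), pulls the from/by/IP/date fields out of each Received header with Python's standard email module, and returns the hops in travel order, origin first. The sample message and the field names are assumptions made for the example.

```python
import email
import re
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, NamedTuple, Optional

# Constructed sample message (not a real capture). Domains are the placeholder
# names from the chain above; the IPs are RFC 5737 documentation addresses.
# Headers appear as a mail client shows them: newest on top.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mail.provider.com with ESMTPS id abc123
\tfor <you@provider.com>; Tue, 04 Jun 2024 15:15:04 +0000
Received: from sender.com (unknown [203.0.113.9])
\tby relay.example.net with ESMTP id def456;
\tTue, 04 Jun 2024 15:15:02 +0000
Received: from [192.168.1.20] (helo=laptop.sender.com)
\tby sender.com with esmtpsa; Tue, 04 Jun 2024 15:14:59 +0000
From: Alice <alice@sender.com>
To: you@provider.com
Subject: test

body
"""


class Hop(NamedTuple):
    from_host: Optional[str]        # name the sending side announced (HELO/EHLO or PTR)
    ip: Optional[str]               # connecting IP recorded in [brackets] by the receiver
    by_host: Optional[str]          # server that wrote this header
    timestamp: Optional[datetime]   # when that server accepted the message
    raw: str                        # unfolded header value, for display


IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw: str) -> Hop:
    """Pull the from/by/IP/date fields out of one Received header value."""
    value = re.sub(r"\s+", " ", raw).strip()      # unfold continuation lines
    from_m = re.match(r"from\s+(\S+)", value)      # some hops have no 'from' at all
    by_m = re.search(r"\bby\s+(\S+)", value)
    # The bracketed IP belongs to the 'from' clause, so only look before 'by'.
    from_clause = value[:by_m.start()] if by_m else value
    ip_m = IP_RE.search(from_clause)
    timestamp = None
    if ";" in value:                               # the date follows the last ';'
        try:
            timestamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    return Hop(
        from_host=from_m.group(1) if from_m else None,
        ip=ip_m.group(1) if ip_m else None,
        by_host=by_m.group(1) if by_m else None,
        timestamp=timestamp,
        raw=value,
    )


def transit_path(message_text: str) -> List[Hop]:
    """Return hops in the order the message travelled: origin first."""
    msg = email.message_from_string(message_text)
    received = msg.get_all("Received") or []       # header order: top (newest) first
    return [parse_received(r) for r in reversed(received)]


def describe_path(hops: List[Hop]) -> str:
    """Render the chain as origin -> ... -> final receiver."""
    if not hops:
        return "(no Received headers)"
    names = [hops[0].from_host or "?"] + [h.by_host or "?" for h in hops]
    return " -> ".join(names)


if __name__ == "__main__":
    path = transit_path(SAMPLE_MESSAGE)
    print(f"{len(path)} hops: {describe_path(path)}")
    for n, hop in enumerate(path, 1):
        print(f"  {n}. {hop.from_host} [{hop.ip}] -> {hop.by_host} at {hop.timestamp}")
```

Run it on a saved .eml file by reading the file into transit_path; the regexes are deliberately loose because Received header layout varies between mail servers, so check any hop that comes back with None fields by hand.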

Understanding server hops

Server hops show each computer that handled an email on its way to you:

🔄 What's a normal hop pattern?

  • Personal emails: 2-4 hops (sender → provider → your inbox)
  • Business emails: 3-5 hops (may include security scanners)
  • Forwarded emails: Additional 1-2 hops

🚩 Suspicious hop patterns:

  • Many more hops than usual for this sender - Hop count alone is weak evidence; compare with earlier mail from the same sender
  • Geographic oddities - The IP in the hop where your provider accepted the mail sits in a network or country unrelated to the claimed sender
  • Broken chain - The "from" of each hop should match the "by" of the hop below it; a mismatch means headers were removed or forged
  • Unverified servers - The announced hostname has no DNS record, or the IP's reverse DNS does not match it

🔍 How to analyze hops:

  1. Count the Received headers and note which one was written by your own provider
  2. Geolocate the IP in that hop (the external handoff), not the IPs in internal hops
  3. Verify each hop's announced server name exists in DNS and matches the IP's reverse DNS
  4. Check that timestamps move forward: a few seconds per hop is normal, queueing or greylisting can add minutes, but time should never run backwards by more than clock skew

💡 Example: Sender → Company Mail Server → Google → Your Inbox = Normal
Sender → Russia → China → Your Inbox = Suspicious

🔒 Security Tip: Legitimate organizations use predictable routes, so compare a message's path with earlier mail from the same sender. Unexpected hops through foreign networks are a reason to look closer, not proof of spam on their own: many legitimate services relay through data centers abroad.

Detecting forged or suspicious hops

Here's how to spot potentially dangerous email routing:

🚩 Red Flags in Email Paths:

  • Private IPs (10.x, 172.16-31.x, 192.168.x) - Normal in internal hops (a webmail front end to the outgoing relay, your provider's own filters), but the hop where your provider accepted the mail from the outside must show a public IP; a private or missing address there means the header was forged or the real source is hidden
  • Time anomalies - Hops whose timestamps go backwards by more than a few minutes of clock skew
  • Location jumps - Example: "USA → Russia → Nigeria" in minutes, with no relay belonging to the sender's organization in between
  • Missing hops - The "from" of a hop does not match the "by" of the hop below it, so headers were likely removed

🕵️ Common Scammer Techniques:

  1. Header stripping - Removing incriminating hops before relaying
  2. Forged Received lines - SMTP runs over TCP, so the connecting IP your provider records cannot be spoofed, but the sender can prepend any number of fake "Received:" lines (claiming a bank's relay, an earlier date, a trusted IP) before handing the message over; only the hops written by your provider are reliable
  3. Fast-flux - Rapidly changing the DNS records behind sending hosts and phishing sites
  4. Bulletproof hosting - Using abuse-tolerant providers

🔍 How to Investigate:

  1. Check that timestamps progress logically from bottom to top
  2. Verify that the network owning the external handoff IP (whois) matches the claimed sender or its known mail provider
  3. Look for sudden geographic jumps
  4. Search unknown IPs in abuse databases and DNS blocklists
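The investigation steps above and the "How to analyze hops" steps in the previous section rely on the same checks, so one added example covers both (my code, not the page's or the tool's). Given already-parsed hops in travel order, it flags timestamps that run backwards beyond a clock-skew tolerance, breaks in the from/by chain, and unusually long chains. Both chains are constructed: a clean one matching the example chain earlier on the page, and a forged one in which the spammer prepended a fake "bank" hop dated hours after the real delivery. The 5-minute skew, 1-hour delay and 5-hop thresholds are assumptions to tune per sender.

```python
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    """One already-parsed Received header. Lists are origin-first (bottom-up)."""
    from_host: str          # name the sender presented to this server
    ip: Optional[str]       # connecting IP the receiver recorded, if any
    by_host: str            # server that wrote the header
    timestamp: datetime


def _at(hour: int, minute: int, second: int) -> datetime:
    """Constructed timestamps, all on the same UTC day."""
    return datetime(2024, 6, 4, hour, minute, second, tzinfo=timezone.utc)


# Constructed: the clean chain from the example earlier on this page.
LEGIT = [
    Hop("[192.168.1.20]", "192.168.1.20", "sender.com", _at(15, 14, 59)),
    Hop("sender.com", "203.0.113.9", "relay.example.net", _at(15, 15, 2)),
    Hop("relay.example.net", "198.51.100.7", "mail.provider.com", _at(15, 15, 4)),
]

# Constructed: the bottom line was typed by the spammer before sending. It
# claims a bank relay and a timestamp hours *after* the genuine delivery, and
# the genuine hop above it received the mail from a bulk host, not the bank.
FORGED = [
    Hop("secure.bank.example", "192.0.2.10", "mail.bank.example", _at(20, 0, 0)),
    Hop("bulk-host.example", "203.0.113.77", "mail.provider.com", _at(15, 15, 4)),
]


def _domain(host: str) -> str:
    """Last two labels, so mx1.corp.example and mx2.corp.example compare equal."""
    return ".".join(host.lower().strip("[]").rstrip(".").split(".")[-2:])


def check_timestamps(hops: List[Hop], skew: timedelta = timedelta(minutes=5),
                     slow: timedelta = timedelta(hours=1)) -> List[str]:
    """Time must move forward up the chain. Small backward steps are clock
    skew; large ones mean a date was forged. Long forward gaps are usually
    queueing or greylisting but are worth noting."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        delta = cur.timestamp - prev.timestamp
        if delta < -skew:
            findings.append(f"time runs backwards by {-delta} between {prev.by_host} and {cur.by_host}")
        elif delta > slow:
            findings.append(f"{delta} delay before {cur.by_host} (queueing, greylisting or a forged date)")
    return findings


def check_linkage(hops: List[Hop]) -> List[str]:
    """Each hop's 'by' server should be the next hop's 'from' server (same
    domain). A break means a header was removed or the lower one is fake."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if _domain(prev.by_host) != _domain(cur.from_host):
            findings.append(f"gap: {prev.by_host} handed off, but {cur.by_host} received from {cur.from_host}")
    return findings


def check_hop_count(hops: List[Hop], expected_max: int = 5) -> List[str]:
    """Weak signal on its own: tune expected_max per sender, not globally."""
    if len(hops) > expected_max:
        return [f"{len(hops)} hops, more than the {expected_max} expected for this sender"]
    return []


def analyze(hops: List[Hop]) -> List[str]:
    """All findings for one chain; an empty list means nothing stood out."""
    return check_timestamps(hops) + check_linkage(hops) + check_hop_count(hops)


if __name__ == "__main__":
    for label, chain in (("legit", LEGIT), ("forged", FORGED)):
        print(label, analyze(chain) or ["no findings"])
```

The linkage check compares the last two DNS labels rather than full hostnames because a provider's receiving server ("by mx.provider.com") is often recorded by the next hop under a different name in the same domain; tighten it to exact matches only if you know the sender's infrastructure.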

💡 Example: "From: Bank <spoofed@bank.com>" while the hop your provider wrote reads "Received: from bank.com (unknown [<public IP>])", with an IP whose whois shows an unrelated hosting company in Nigeria and no SPF pass for bank.com. The announced name claims the bank, the connecting IP does not, and that mismatch suggests fraud. (A private address such as [192.168.1.1] cannot be geolocated at all; if that is the only IP in the handoff hop, the header was forged.)

🔒 Protect Yourself: Never trust emails with suspicious routing - even if the content looks legitimate.

IP address tracking and geolocation

IP addresses in email headers reveal where messages really came from:

🌍 How IP geolocation works:

  • Every host that talks directly on the internet has a public IP address (machines behind NAT share one, so an IP identifies a network, not a person)
  • Public IPs can be mapped to an approximate location (country, sometimes city) via the registry that allocated the address block
  • Accuracy varies: country is usually right, city often is not

🔍 Using geolocation for email analysis:

  1. Verify sender locations - Does the external handoff IP sit in a network the claimed sender would plausibly use?
  2. Spot suspicious routes - Country jumps with no relay belonging to the sender's organization in between may indicate fraud
  3. Check hosting providers - whois tells you who owns the network; cheap bulk hosting, residential ranges and networks with many blocklist listings deserve a closer look

🛠️ Free checks you can run on any IP: whois (who owns the network), reverse DNS (dig -x <ip>) to see whether the name matches what the hop announced, and a DNS blocklist lookup for abuse history.

⚠️ Important limitations:

  • Mail sent through a third-party relay or bulk mail service shows the relay's IP, not the author's; VPNs and proxies likewise hide the real location
  • Some IPs geolocate to the provider's headquarters rather than the data center actually used
  • Mobile and residential IPs are less accurate than fixed-line

💡 Example: An email "from your bank" whose external handoff IP belongs to a hosting network in Russia, with no SPF or DKIM pass for the bank's domain → This suggests phishing

🔒 Security Tip: Combine geolocation with the other header checks (SPF/DKIM/DMARC results, a consistent from/by chain, forward-moving timestamps) for best results; no single signal is conclusive.
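Choosing which IP to geolocate is the step that goes wrong most often, so here is an added example (mine, not the page's or the tool's) that walks a constructed chain from the top down, stops at the first hop your own provider wrote that accepted the message from outside (the external handoff), refuses private addresses that cannot be geolocated, and builds the reversed-octet name used for reverse DNS and DNS blocklist queries. The trusted domain "provider.com" and the sample hosts are assumptions; the RFC 5737 documentation IPs are treated as public only so the sample runs offline (real code can use ipaddress's is_global instead of the explicit range list).

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    """A parsed Received header. Hops are listed origin-first (bottom-up)."""
    from_host: str          # name the sending side announced
    ip: Optional[str]       # connecting IP the receiving server recorded, if any
    by_host: str            # server that wrote the header


# Constructed chain: one hop inside the sender's hosting company, the handoff to
# the recipient's provider, then two hops inside that provider. The internal hops
# carry private addresses, which is normal and not a warning sign by itself.
SAMPLE = [
    Hop("webmail.cheap-host.example", "10.20.30.40", "out1.cheap-host.example"),
    Hop("out1.cheap-host.example", "203.0.113.77", "mx.provider.com"),
    Hop("mx.provider.com", "192.168.5.5", "filter.provider.com"),
    Hop("filter.provider.com", "192.168.5.6", "imap.provider.com"),
]

# Ranges geolocation cannot resolve: RFC 1918 private, loopback, link-local and
# carrier-grade NAT. Listed explicitly rather than using ipaddress.is_global
# because that also rejects the RFC 5737 documentation addresses in SAMPLE.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def is_routable(ip: Optional[str]) -> bool:
    """True for an IPv4 address outside the non-routable ranges above."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in NON_ROUTABLE)


def _in_domain(host: str, domain: str) -> bool:
    """Exact domain or a subdomain of it (so evilprovider.com never matches)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def external_handoff(hops: List[Hop], trusted_domain: str) -> Optional[Hop]:
    """Walk from the final receiver downwards through hops written by your own
    provider and return the first one that accepted the message from outside
    that provider. Everything below it was written by servers you do not
    control, so its IPs are the sender's claims, not evidence."""
    for hop in reversed(hops):
        if not _in_domain(hop.by_host, trusted_domain):
            return None          # left the trusted zone without finding the handoff
        if not _in_domain(hop.from_host, trusted_domain):
            return hop
    return None


def ip_to_geolocate(hops: List[Hop], trusted_domain: str) -> Optional[str]:
    """The one IP worth geolocating, or None when the handoff hop recorded a
    private or missing address (which itself means the header was forged or
    the provider's setup hides the real source)."""
    hop = external_handoff(hops, trusted_domain)
    return hop.ip if hop and is_routable(hop.ip) else None


def reversed_name(ip: str, zone: str) -> str:
    """Reverse the octets and append a zone: 'in-addr.arpa' for a PTR lookup
    (what `dig -x` does) or a DNS blocklist zone for an abuse check."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    target = ip_to_geolocate(SAMPLE, "provider.com")
    print("geolocate:", target)
    if target:
        print("PTR query:", reversed_name(target, "in-addr.arpa"))
```

Feed the reversed name to your resolver (or dig) against in-addr.arpa for the PTR record, or against a blocklist's zone for its verdict; the functions here stay offline so the decision logic can be tested without network access.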