Checking Email Headers

When checking email headers for phishing or spoofing attacks, you will need to get the original email headers first.

1: Get the original email headers (can be found in screenshots) → In the upper right of the email, click the 3 dots to show more options, then click Show original, then Download original. This should download a file with the correct headers. (Opening the file will try to open it in the Windows Mail application. Editing it with Notepad will get you to the text.)

2: Once you have the header file, go to https://toolbox.googleapps.com/apps/messageheader/ and put the file into the analyzer. Check SPF, DKIM, and DMARC; all should pass. (If you're trying to get the headers from an email that has been forwarded, make sure you get the targeted email's headers.)

3: If that doesn't work, or if you need to check some other part of the email, such as the email domain, use https://mxtoolbox.com/.
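The same check can be done offline on the downloaded header file. The following is an added example, not part of the original guide: it reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header. The sample message, its domains and the function name check_message are constructed for illustration, and it assumes the topmost Authentication-Results header is the one written by your own receiving server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message); all domains and IPs are placeholders.
SAMPLE_EML = """\
Delivered-To: user@example.org
Authentication-Results: mx.example.org;
 dkim=pass header.i=@example.com header.s=sel1;
 spf=pass (mx.example.org: domain of bounce@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@example.com;
 dmarc=fail header.from=examp1e.test
From: "Example Support" <support@examp1e.test>
To: user@example.org
Subject: Action required

Body text.
"""

def check_message(raw_message):
    """Summarise SPF, DKIM and DMARC verdicts recorded by the receiving server."""
    msg = message_from_string(raw_message)
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    # Assumption: headers are prepended in transit, so the topmost
    # Authentication-Results is the receiving server's; lower copies may
    # have been supplied by the sender and are ignored here.
    header = msg.get("Authentication-Results", "")
    text = " ".join(str(header).split())      # unfold continuation lines
    text = re.sub(r"\([^)]*\)", "", text)     # drop parenthesised comments
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I):
        method, result = method.lower(), result.lower()
        if verdicts[method] != "pass":        # one passing DKIM signature is enough
            verdicts[method] = result
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {**verdicts, "from_domain": from_domain,
            "all_pass": all(v == "pass" for v in verdicts.values())}

if __name__ == "__main__":
    print(check_message(SAMPLE_EML))
```

In the sample, SPF and DKIM pass for example.com, but DMARC fails because the From: address uses a different, look-alike domain, which is why all three results need to be checked.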



What do SPF, DKIM, & DMARC mean?


SPF (Sender Policy Framework) - 

Specifies the servers and domains that are authorized to send email on behalf of your organization.


DKIM (DomainKeys Identified Mail) -

Adds a digital signature to every outgoing message, which lets receiving servers verify the message actually came from your organization.


DMARC (Domain-based Message Authentication, Reporting, and Conformance) -

DMARC passes or fails a message based on whether the message’s From: header matches the sending domain.

If SPF and/or DKIM fail, DMARC will tell the server to take one of the following actions.

  • It will take no action.
  • It will quarantine the message and send it to spam.
  • It will reject the message and not deliver it to the recipient.