See how you can identify the real sender of a Gmail email and whether it might be dangerous.
The first thing you do when you see that you have a new message in your Gmail is to check the sender, right? It's the fastest way to find out who the email is from and whether or not something interesting has arrived.
But each email comes with a lot more information than most email receiving and sending programs show. There is a lot of information about the sender included in the email header. Information you can use to identify the actual source and other details.
Here's how you can trace where an email message really came from and why you should.
Why trace an email address?
The answer is obvious. In this day and age, there are too many malicious emails. Scams, spam, malware and phishing emails are a common occurrence in the inbox of any email program.
If you trace an email back to its source, you have a good chance of finding out who (or where) the email came from and if this is dangerous.
In other cases, you can trace the origin of an email to block a persistent source of spam or abusive content and keep it out of your inbox permanently. Server administrators trace emails for the same reason.
How to view the full details of an email
You can locate the sender's email address by looking at the full header of the email. The email header contains routing information and email metadata, information you usually don't care about. But this information is crucial to identifying the source of the email message.
Most email programs do not immediately display the full email header because it is full of technical data and somewhat useless to an untrained eye. However, most email programs offer a way to check their full header. You just have to know where to look, as well as what you're looking at.
For the most common programs the way to enter this information is:
- Gmail: Open your Gmail account, then open the email you want to trace. Select the drop-down menu in the upper right corner of the message, then “View Original” from the menu.
- Outlook: Double-click the email you want to inspect, then go to File > Properties. The header appears in the “Internet headers” field.
- Apple Mail: Open the email you want to trace, then go to View > Message > Raw Source.
Of course, there are countless other email programs. A quick internet search will reveal how to find the full email header in your program of choice. Once you open the email header, you'll see what we mean by “full of technical data”.
Understanding the data in a complete email header
A full email header contains a lot of information. Keep two things in mind: you read the email header chronologically from bottom to top (i.e., the oldest information is at the bottom), and each new server the email travels through adds its own Received header on top.
Check out this sample email header from our iGuru Gmail account:
There is a lot of information here. Let's go through it line by line, reading from bottom to top.
♦ Date: The date the email was sent.
♦ To: The intended recipients of the email. It can list multiple addresses.
♦ Content-type: Tells your browser or email program how to interpret the content of the email.
♦ MIME-Version: Indicates the email format template in use. The MIME version is usually “1.0.”
♦ Subject: The subject of the email content.
♦ Message-ID: The email ID. It is like a digital fingerprint of a message and is usually added by the mail server that sends your message on behalf of your mail client.
♦ From: Displays the sender of the message. It is easy to fake.
♦ DKIM-Signature: DomainKeys Identified Mail. It verifies that the message was signed by the domain it claims to come from and protects against spoofing and sender fraud.
♦ Received-SPF: The Sender Policy Framework (SPF) is part of the email authentication process that stops sender address spoofing.
♦ Received: The “Received” line lists each server the email travels through before reaching your inbox. You read the “Received” lines from bottom to top. The bottom Received is also the creator of the email.
♦ Return-Path: The location where undelivered or bounced messages end up.
♦ ARC-Authentication-Results: Authenticated Received Chain (ARC) is another authentication standard. ARC verifies the identities of the intermediaries and servers that forward your message to its final destination.
♦ ARC-Message-Signature: The signature takes a snapshot of the message header information for validation. Similar to DKIM.
♦ ARC-Seal: Seals ARC authentication results and message signature, verifying their content. Similar to DKIM.
♦ X-Received: Differs from “Received” in that it is non-standard. That is, it is added by an internal hop such as a mail transfer agent or a Gmail SMTP server rather than recording a permanent, publicly reachable address.
♦ X-Google-Smtp-Source: Displays email transfer using a Gmail SMTP server.
♦ Received: The second “Received” hop before the email reaches you, i.e. the #2 server the email travels through. Remember that you read the “Received” lines from bottom to top; the bottom Received is the originator of the email.
♦ Delivered-To: The final recipient of the email.
♦ X-Forwarded-For: Indicates that an email message was forwarded by one or more other accounts (possibly automatically). If the emails are bothersome, email the first address in the X-Forwarded-For section and ask them to stop automatically forwarding their emails.
♦ X-Forwarded-To: Indicates that an email message was forwarded by one or more other accounts (possibly automatically).
In addition to the above, you will probably also come across (which does not fit in the photo of our example):
♦ Authentication-Results: Contains a record of the authentication checks performed. It can contain more than one authentication method.
♦ Reply-To: The email address your reply will be sent to.
The bottom line is that you don't need to understand all of these fields to trace an email. But if you learn where to look within the email header, you can quickly begin to identify the sender.
Tracing the original sender of an email
To locate the IP address of the original sender, head to the first Received line in the email header (the bottom one, since you read them from bottom to top). That Received line includes the IP address of the server that sent the email.
Sometimes this is shown as X-Originating-IP or Original-IP. You may also see the server's domain name rather than an IP.
Copy the IP address and then head over to MX Toolbox. Enter the IP address in the box, change the search type to Reverse Lookup using the drop-down menu, and then press Enter.
The search results will display a variety of information related to the sending server.
If the originating IP address is one of the millions of private IP addresses, the tool will report that it is private and return no result.
In our example, no reverse lookup was needed, as the bottom Received line in the email header gave us mailb-dc.linkedin.com as the first sender, and that's how we know it's from LinkedIn.
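As an added example (not code from the original article), here is a small Python script that works through a constructed header the way described above: it lists the Received hops oldest-first, takes the originating IP from the bottom Received line, steps up one hop when that address is private (the case where a reverse lookup returns nothing), and pulls the SPF, DKIM and DMARC verdicts out of the ARC-Authentication-Results line. The header, hostnames and addresses are all made up.

```python
import email
import ipaddress
import re

# Constructed sample header (hostnames and addresses are made up; 203.0.113.25
# is a documentation address standing in for the sending server's public IP).
RAW_HEADER = """Delivered-To: recipient@example.com
Received: by 2002:a05:6000:1234 with SMTP id k7; Mon, 4 Mar 2024 09:00:02 -0800
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sender.example;
       spf=pass smtp.mailfrom=bounce@sender.example; dmarc=fail header.from=sender.example
Received: from mail-out.sender.example (mail-out.sender.example. [203.0.113.25])
        by mx.google.com with ESMTPS id q5; Mon, 4 Mar 2024 09:00:00 -0800
Received-SPF: pass (mx.google.com: 203.0.113.25 is permitted) client-ip=203.0.113.25;
Received: from [10.1.2.3] (internal.sender.example [10.1.2.3])
        by mail-out.sender.example with ESMTP id 77AB; Mon, 4 Mar 2024 08:59:58 -0800
From: "Newsletter" <news@sender.example>

"""

# Ranges a reverse lookup cannot resolve: RFC 1918, loopback, link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 in [brackets]

def received_hops(raw):
    """Received values oldest-first (the header itself lists them newest-first)."""
    msg = email.message_from_string(raw)
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]  # unfold
    return list(reversed(hops))

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def origin_ip(raw):
    """IP of the oldest hop, stepping upward past private addresses (internal relays)."""
    for hop in received_hops(raw):
        m = IP_RE.search(hop)
        if m and not is_private(m.group(1)):
            return m.group(1)
    return None

def auth_results(raw):
    """spf/dkim/dmarc verdicts from (ARC-)Authentication-Results headers."""
    msg = email.message_from_string(raw)
    results = {}
    for name in ("Authentication-Results", "ARC-Authentication-Results"):
        for v in msg.get_all(name, []):
            for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", v):
                results.setdefault(method, verdict)
    return results
```

Running it against a real “View Original” dump works the same way; a `dmarc=fail` next to a friendly From address is exactly the mismatch the article warns about.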
Free tools to trace email and IP addresses
Of course, there are some handy tools online that automate this process for you. It's best to know about email headers and the information they convey, but sometimes you need quick information.
In addition, you may want to scan emails for free, without a subscription or registration. So see the header parsers below:
- GSuite Toolbox Messageheader (Google's own)
- MX Toolbox Email Header Analyzer
- IP Address Email Header Trace (email header analyzer + IP address tracker)
Can you really trace an IP address from an email?
There are cases where locating an IP address via the email header is useful, especially for annoying senders who send promotional messages or spam, but also for finding the source of phishing messages.
Please note that some emails will only come from certain locations. For example, your PayPal emails will not come from China! If you see something like this, it's obviously a fake email.
But pinpointing the origin of an email is not always easy. As a huge number of people use free email services such as Gmail, Outlook and Yahoo, tracing an email sent from these services to find the actual IP address associated with the sender remains extremely difficult.