How to analyze email headers to detect phishing and spoofing
Learn how to inspect the technical headers of an email to verify its authenticity and protect yourself from spoofing attacks.

Email remains the main attack vector for cybercriminals. Using email spoofing techniques, attackers disguise malicious emails as notifications from your bank, technical support or your company's managers.
To verify the authenticity of a suspicious email without clicking on its links, you need to examine its technical headers.
The importance of hidden metadata
The header of an email contains the complete history of the route the message followed from the sending device to your inbox. Unlike the visible content, the header is much more difficult for an attacker to spoof in its entirety.
The three authentication pillars that you should review are:
- SPF (Sender Policy Framework): Specifies which SMTP servers are authorized to send mail on behalf of a specific domain.
- DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to the message that guarantees that the content was not altered during transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells the receiving server how to act if SPF or DKIM tests fail.
To simplify this technical analysis, you can use our interactive tool:
Copy the entire header from your email client (Outlook, Gmail, etc.) and paste it into our analyzer to instantly identify the servers involved and verify the status of the SPF, DKIM and DMARC checks.
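The same review can be scripted. The Python sketch below is an added example, not the code behind the analyzer mentioned above: it reads the SPF, DKIM and DMARC results from the Authentication-Results header and counts only the header stamped by your own receiving server. The sample header, the host names and the helper names (analyze, domain_of) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block; every host, address and ID is a placeholder.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@sender.example;
 dkim=fail (bad signature) header.d=sender.example;
 dmarc=fail (p=reject) header.from=bank.example
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
 by mx.receiver.example with ESMTPS id EXAMPLE1; Tue, 02 Jan 2024 10:15:00 +0000
Authentication-Results: mx.forged.example; spf=pass; dkim=pass; dmarc=pass
From: "Your Bank" <alerts@bank.example>
Return-Path: <bounce@sender.example>
Subject: Account notice

(body omitted)
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_authserv):
    """Summarize SPF/DKIM/DMARC results stamped by the trusted receiving server."""
    msg = message_from_string(raw)
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(value.split()).partition(";")
        # Headers stamped by any other host may have been inserted by the sender.
        if (authserv.split() or [""])[0].lower() != trusted_authserv:
            continue
        rest = re.sub(r"\([^)]*\)", "", rest)  # drop parenthesized comments
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            method, result = method.lower(), result.lower()
            # A message can carry several DKIM signatures; one pass is enough.
            if results[method] != "pass":
                results[method] = result
    findings = [f"{m} result is '{r}'" for m, r in results.items() if r != "pass"]
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # A mismatch is a hint, not proof: legitimate bulk senders also differ here.
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    return results, findings

if __name__ == "__main__":
    print(analyze(SAMPLE, "mx.receiver.example"))
```

Pass the host name your own mail provider writes at the start of its Authentication-Results header as trusted_authserv; results stamped by any other host are ignored.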


