Email Security Guide

Understanding Headers & Authentication Protocols

Introduction

Email headers contain critical metadata that tells the story of how a message was sent, transmitted across multiple servers, and delivered to its destination. While most email users only see the basic "From," "To," "Subject," and "Date" fields, headers contain extensive technical information that can reveal whether an email is legitimate, tampered with, or part of a phishing attack.

What are Email Headers?

Definition and Purpose

Email headers are blocks of metadata attached to every email message containing technical information about the sender, recipients, routing path, and authentication. The body carries the content; the headers carry what mail servers and filters need to route, authenticate, and trace the message.

From: sender@example.com
To: recipient@example.com
Subject: Important Message

Why They Matter

  • Authentication: Verifies legitimacy via SPF, DKIM, DMARC.
  • Route Tracing: Documents the path through mail servers.
  • Forensics: Provides evidence for investigating threats.

Essential Email Header Fields

Primary Fields

  • From: Sender's display name and address. Nothing in SMTP checks this field, so it is trivially forged; only DMARC ties it to the authentication results.
  • To: Intended recipient.
  • Subject: Email topic (scrutinized by spam filters).
  • Date: Time the sender claims the message was composed (set by the sender, so it can be spoofed).
  • Reply-To: Where replies go. A Reply-To domain that differs from the From domain is a red flag, especially when it points at a free webmail provider.

Technical Routing Fields

  • Received: Added by each server that handles the message, newest at the top. Read bottom-to-top to follow the route, but remember that lines below the first hop added by your own server were written by someone else's servers and may be forged.
  • Return-Path: Envelope sender (SMTP MAIL FROM), where bounces go and what SPF actually checks. A Return-Path domain unrelated to the From domain is suspicious, though legitimate bulk senders often use their own bounce domain, which is why DMARC checks alignment rather than exact equality.
  • Message-ID: Unique identifier for the message, normally containing the originating host's domain.

Authentication Fields

  • Received-SPF: Result of the Sender Policy Framework check (pass, fail, softfail, neutral, none, temperror, or permerror).
  • DKIM-Signature: Cryptographic signature covering the body hash and selected headers, verifying that the message was not altered after it was signed.
  • Authentication-Results: Summary of the SPF, DKIM, and DMARC checks, stamped by the receiving server. Trust only the instance added by your own mail system; a sender can insert a fake one.

Email Authentication Protocols

SPF (Sender Policy Framework)

Lets a domain publish, in a DNS TXT record, the IP addresses and services allowed to send mail for it. The receiving server checks the connecting IP against the record of the envelope sender domain (the Return-Path / SMTP MAIL FROM), not the From header, which is why SPF alone does not stop header spoofing and why DMARC adds an alignment check.

v=spf1 ip4:203.0.113.10 include:sendgrid.net ~all

This record authorizes one IP address (ip4:, here a documentation address standing in for a real mail server) plus everything in SendGrid's own SPF record (include:), and tells receivers to treat any other source as a softfail (~all); -all would make it a hard fail.
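The following is an added example, not code from this guide or from any SPF library, showing how a receiver evaluates a record like the one above. It uses a constructed in-memory DNS table (an assumption, so it runs offline) in place of real TXT lookups, and supports only the ip4, ip6, include and all mechanisms with the four qualifiers; a/mx/exists/redirect are left out.

```python
import ipaddress

# Constructed DNS table standing in for TXT lookups (assumption: no network).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:sendgrid.net ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Qualifier prefix -> result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record published for domain, or None if there is none."""
    record = FAKE_DNS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(ip, domain, depth=0):
    """Evaluate SPF for the connecting IP against the MAIL FROM domain.

    Returns pass/fail/softfail/neutral/none/permerror. Terms are tried left
    to right; the first mechanism that matches decides the result.
    """
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip "v=spf1"
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # A bare address is treated as /32 (or /128); a v4 address never
                # falls inside a v6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the referenced record yields "pass";
            # a missing or broken referenced record is a permerror.
            sub = check_spf(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"   # mechanism not supported in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.5"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The include: term is the part people most often get wrong: it does not import the other domain's policy, it asks "would that domain's record give pass for this IP?" and only then applies its own qualifier, so a -all inside sendgrid.net never turns into a hard fail for example.com.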

DKIM (DomainKeys Identified Mail)

Uses a cryptographic signature to prove that a message was signed by the domain named in the signature's d= tag and that the signed headers and body have not been altered since.

The sending server hashes the body and a chosen set of headers, signs the result with a private key, and adds the outcome as a DKIM-Signature header; the receiver fetches the public key from DNS at <selector>._domainkey.<domain> (the s= and d= tags) and verifies the signature. DKIM survives forwarding because it does not depend on the sending IP, but a valid signature only proves who signed, not that d= matches the From header; that check is DMARC's job.
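As an added example (not code from this guide or from any DKIM implementation), the body-hash half of that exchange: the signer computes bh= over the canonicalized body and the verifier recomputes it, which is how DKIM catches body tampering before the public-key check of b= is even attempted. The RSA/Ed25519 signature itself is deliberately not produced, so b= stays empty; the sample body, domain and selector are constructed.

```python
import base64
import hashlib
import re

# Constructed sample body (not from a real message); note the trailing blank lines.
SAMPLE_BODY = "Hi Sam,\r\n\r\nPlease approve the $100 invoice today.\r\n\r\nThanks\r\n\r\n\r\n"


def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization (RFC 6376 section 3.4.3): every line
    ends in CRLF and trailing empty lines are removed, so the body ends with
    exactly one CRLF. Appending blank lines therefore never changes the hash."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signature_header(domain, selector, body,
                           signed_headers=("from", "to", "subject", "date")):
    """Signer side: the tag=value header a sending server would emit.
    b= is left empty here; in real DKIM it carries the signature over the
    canonicalized headers listed in h= plus this header itself."""
    return ("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, ":".join(signed_headers), body_hash(body)))


def parse_dkim_signature(value):
    """Split a DKIM-Signature value into its tags. Folding whitespace inside
    values (bh= and b= are usually wrapped across lines) is discarded."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def public_key_query_name(tags):
    """DNS name (TXT) the verifier queries for the signer's public key."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def verify_body_hash(value, body):
    """Verifier side for the body only: recompute bh= and compare.
    False means the body changed after signing (or bh= was forged)."""
    tags = parse_dkim_signature(value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if body_canon != "simple":
        raise NotImplementedError("only simple body canonicalization is shown here")
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    header = build_signature_header("example.com", "sel2024", SAMPLE_BODY)
    print("DKIM-Signature:", header)
    print("public key at:", public_key_query_name(parse_dkim_signature(header)))
    print("intact body  :", verify_body_hash(header, SAMPLE_BODY))
    print("altered body :", verify_body_hash(header, SAMPLE_BODY.replace("$100", "$1000")))
```

Two practical consequences follow from the code: a mailing list that appends a footer breaks bh= (which is what ARC exists to work around), while a relay that merely adds trailing blank lines does not; and the key is looked up under the d= domain, so a signature with d=attacker.net can verify perfectly on a message whose From says example.com.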

DMARC (Domain-based Message Authentication, Reporting & Conformance)

A policy framework, published as a TXT record at _dmarc.<domain>, that tells receivers what to do when a message fails both SPF and DKIM, or passes them only for a domain that does not align with the From header. Alignment means the SPF domain (Return-Path) or the DKIM d= domain matches the From domain: exactly in strict mode, or sharing the same organizational domain in relaxed mode (the default). The record also requests aggregate (rua=) reports so the domain owner can see who is sending on its behalf.

  • p=none: Monitor only; deliver as usual but report.
  • p=quarantine: Send failed mail to spam.
  • p=reject: Block failed mail entirely.

sp= sets a separate policy for subdomains (it defaults to p=), and pct= applies the policy to only a percentage of failing mail during rollout; a record with p=reject but sp=none still leaves every subdomain open to spoofing.
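The policy evaluation described above as an added example (not code from this guide or from any DMARC library), with the organizational-domain rule simplified to "last two labels" (an assumption; real verifiers use the Public Suffix List so that names like example.co.uk work) and pct= sampling left out. The record, domains and results in the test are all constructed.

```python
def org_domain(domain):
    """Organizational domain used for relaxed alignment.
    Assumption for this example: the last two labels (no Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record):
    """Split the tag=value list of a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip().lower()] = val.strip()
    return tags


def evaluate_dmarc(record, record_domain, from_domain, spf_result, spf_domain, dkim_results):
    """Return (dmarc_result, disposition).

    record        TXT record found at _dmarc.<record_domain>
    record_domain the From domain itself, or its organizational domain when the
                  subdomain publishes no record of its own
    spf_result    SPF result for the envelope MAIL FROM domain spf_domain
    dkim_results  list of (result, d= domain), one per DKIM-Signature present
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")            # no usable policy: unprotected domain
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")            # one aligned pass is enough
    # A subdomain inherits sp= (if present) when the record came from the org domain.
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy if policy in ("none", "quarantine", "reject") else "none")


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=none; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Forwarded mail: SPF breaks, the DKIM signature survives and aligns.
    print(evaluate_dmarc(rec, "example.com", "example.com", "fail", "fwd.example.net",
                         [("pass", "example.com")]))
    # Spoofed From with a third party's own (unaligned) SPF and DKIM.
    print(evaluate_dmarc(rec, "example.com", "example.com", "pass", "bounce.esp.net",
                         [("pass", "esp.net")]))
```

The second case is the one that matters for phishing: both SPF and DKIM report pass, yet DMARC fails, because neither passing identity is the From domain. Reading only the individual spf= and dkim= results in Authentication-Results misses this.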

How to Read and Analyze Headers

Reading the Received Chain

Read `Received` headers from bottom to top: each server prepends its own line, so the bottom line was written first.

  • Bottom: Earliest hop, normally the original sending server.
  • Top: Last server before delivery, normally your own.

Only the lines added by servers you control are trustworthy. An attacker can place fabricated Received lines at the bottom to make a message appear to originate elsewhere, so locate the hop where the message entered your infrastructure (the lowest line whose "by" host is yours) and take the connecting IP recorded on that line as the origin.

Analysis Steps

  1. Extract From, Reply-To, and Return-Path, and compare their domains.
  2. Verify the authentication status in the Authentication-Results header your own server added (look for spf=pass, dkim=pass and, above all, dmarc=pass).
  3. Trace the Received chain to the IP that connected to your server.
  4. Check domain alignment: the From domain should match the Return-Path domain (SPF) or the DKIM d= domain.
  5. Cross-reference the origin IP with DNS blocklists and, where available, reputation or passive DNS data.
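The five steps above run over a raw message, as an added example that is not part of this guide or of any analysis tool. The message is constructed (a business-email-compromise style lure with a forged From, an external Reply-To and a bogus bottom Received line); the receiving domain example.com and the header layout are assumptions. The Received parser handles the common "from host (name [ip]) by host" shape only.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real capture). The top Received line was
# added last, by the recipient's own MX; the bottom one was written by the
# attacker's server and cannot be trusted.
RAW = b"""Return-Path: <bounce@attacker.net>
Received: from mx.attacker.net (mx.attacker.net [192.0.2.44])
\tby inbound.example.com with ESMTPS id abc123
\tfor <cfo@example.com>; Tue, 5 Mar 2024 09:15:02 +0000
Received: from [10.0.0.5] (unknown [198.51.100.9])
\tby mx.attacker.net with ESMTP id xyz789; Tue, 5 Mar 2024 09:14:50 +0000
Authentication-Results: inbound.example.com;
\tspf=fail smtp.mailfrom=attacker.net;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "CEO Name" <ceo@example.com>
Reply-To: ceo.example@gmail.com
To: cfo@example.com
Subject: Urgent wire transfer
Date: Tue, 5 Mar 2024 09:14:49 +0000
Message-ID: <20240305091449.1@mx.attacker.net>

Please process the attached invoice today.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", re.S)


def parse_message(raw):
    return email.message_from_bytes(raw)


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ("" if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def received_hops(msg):
    """Hops in transit order (oldest first): the header order reversed."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        hops.append({"from": m.group(1) if m else None,
                     "ip": m.group(2) if m else None,
                     "by": m.group(3) if m else None})
    return hops


def entry_ip(hops, our_domain):
    """Walk from the newest hop downward while the 'by' host is ours; the last
    such hop is where the message entered our infrastructure, and the IP on
    that line is the only origin IP we can vouch for."""
    ip = None
    for hop in reversed(hops):
        if hop["by"] and hop["by"].lower().rstrip(".").endswith(our_domain):
            ip = hop["ip"]
        else:
            break
    return ip


def auth_results(msg):
    """{method: result} from the first Authentication-Results header."""
    value = msg.get("Authentication-Results", "")
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc|arc)=(\w+)", value, re.I):
        results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def analyze(msg, our_domain):
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    hops = received_hops(msg)
    auth = auth_results(msg)
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    if return_dom and return_dom != from_dom:      # exact compare; DMARC would use alignment
        flags.append("return-path-mismatch")
    if auth.get("spf") in ("fail", "softfail"):
        flags.append("spf-" + auth["spf"])
    if auth.get("dkim") != "pass":
        flags.append("dkim-" + auth.get("dkim", "missing"))
    if auth.get("dmarc") == "fail":
        flags.append("dmarc-fail")
    return {"from_domain": from_dom, "auth": auth, "flags": flags,
            "trusted_origin_ip": entry_ip(hops, our_domain),
            "claimed_origin_ip": hops[0]["ip"] if hops else None}


if __name__ == "__main__":
    for key, val in analyze(parse_message(RAW), "example.com").items():
        print("%-18s %s" % (key, val))
```

Note the two origin IPs in the output: the bottom Received line claims 198.51.100.9, but that line was written by mx.attacker.net and could say anything; 192.0.2.44 is the address that actually connected to inbound.example.com, and it is the one to feed to blocklist and reputation lookups.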

Detecting Spoofing and Phishing

Spoofing involves forging the "From" address. Since standard protocols were built without strict identity checks, attackers exploit this gap.

Common Tactics

  • Lookalike Domains: `amazon.com` vs `amaz0n.com`.
  • Subdomain Spoofing: `security@apple-support.attacker.com`.
  • Display Name Deception: "CEO Name" <attacker@gmail.com>.

Common Red Flags

Authentication Failures

A `dmarc=fail` in the Authentication-Results header your own server added is the strongest signal: it means neither SPF nor DKIM passed for a domain aligned with the From address. An SPF `fail` or `softfail` on its own is weaker, because forwarded mail and mailing-list traffic routinely fail SPF while the DKIM signature still passes, so weigh the DMARC verdict over the individual results.

Domain Mismatches

When `From` says `company.com` but `Return-Path` says `attacker.net`.

Suspicious IPs

Connecting IPs that appear on DNS blocklists, belong to generic hosting or residential ranges rather than a mail provider, or sit in a country the purported sender would not send from.

Urgency

Content demanding immediate payment, password resets, or sensitive info.

Best Practices

For Users

  • Never trust Display Name alone.
  • Hover over links to verify destinations.
  • Don't open unexpected attachments.

For Organizations

  • Implement SPF, DKIM, and DMARC (aim for `p=reject`).
  • Monitor DMARC reports.
  • Train employees on phishing awareness.

Advanced Standards

ARC (Authenticated Received Chain)

Preserves authentication results across forwarding hops (mailing lists, forwarding services) that would otherwise break SPF and DKIM: each intermediary records the results it saw and signs them, so the final receiver can decide whether to trust that chain instead of the now-failing checks.

BIMI (Brand Indicators)

Displays a verified brand logo next to messages from domains that enforce DMARC (p=quarantine or p=reject, applied to all mail); most mailbox providers also require a Verified Mark Certificate for the logo.

MTA-STS

Lets a receiving domain publish, via a DNS record and an HTTPS-hosted policy, that sending servers must use TLS with a valid certificate when delivering to its MX hosts, which prevents an on-path attacker from downgrading the connection to plaintext.

Analysis Tools

While this site analyzes headers for you, other tools include:

  • MxToolbox
  • Google Admin Toolbox
  • Online DMARC Checkers

Quick Reference Checklist