(Updated 2020) How to Read Email Headers and Identify SPAM?
Written by
Dibya Sahoo

Published: February 17, 2020

The relentless flow of SPAM requires a smart defence. Read on to keep your inbox free of junk. Spam is not only plainly intrusive, it also puts our online identity at risk, and phishing attacks have only grown since they first appeared.


Detection of Phishing Emails

To defend customers’ inboxes from SPAM, companies spend time and money blocking malicious emails before they ever reach the customer, using the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard.

Unfortunately, no matter what one does, some unsolicited emails will always make it to the inbox. While some of the emails we receive are obvious spam, most are not easy to recognize from the content or the sender alone, and these are extremely deceptive!

97% of people around the globe cannot identify a sophisticated phishing email.
-BusinessWire (May 12, 2015). Read the full report here.

Analysis of Email Headers

Here comes the advanced debugging of email, commonly known as analyzing the email headers. Let’s understand what email headers are and how they help in detecting fraudulent emails.

Generally, only basic information like From, To and Subject is displayed in a normal email header. However, there are many other parameters, like SPF, DKIM and DMARC, which are important for judging the authenticity of an email. Sometimes these authentication checks fail, which affects the delivery of your emails. Email tools can help you understand these technical parameters and the problems in your email that are hurting delivery. Some examples of the normal email header in different mail clients:

(screenshots: the normal header view in Google Mail (Gmail) and in Thunderbird)

As you can see, most email readers only show the “From” and “To” headers, which can be easily forged. The complete message headers look something like this:

Delivered-To: [email protected]
Received: by 10.200.41.121 with SMTP id z54csp461727qtz;
       Sun, 8 Jan 2017 04:33:03 -0800 (PST)
X-Received: by 10.55.157.17 with SMTP id g17mr82034336qke.122.1483878783846;
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Return-Path: <[email protected]>
Received: from trans.pepitrans01.com (trans.pepitrans01.com. [103.52.181.228])
       by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03
       for <[email protected]>
       (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 103.52.181.228 as permitted sender) client-ip=103.52.181.228;
Authentication-Results: mx.google.com;
      dkim=pass [email protected];
      [email protected];
      spf=pass (google.com: domain of [email protected] designates 103.52.181.228 as permitted sender) [email protected]
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com;h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;
bh=IReTMq2p4Y99Y1lFEln+pSvcofA=;b=dEWvsIdSK0j5Gmp9ATUlhfDRHQqUR7BolSaqyBh+CzC5WU4iGnn6aBZFtLSi0b4ze+V5nwG3fCAyn4mkAGhdgA7DvJTikspVnn+Jqpu68ru6UnH10WVD8oCJ6aa4Pa6A/sA4Zm52K9h2R7cGQjMOcEZ+N5NNQ6BG9Dtvi+ezKgk=
Received: by trans226.mailxy.com id he8oo0229vgh; Sun, 8 Jan 2017 18:03:04 +0530 (envelope-from <[email protected]>)
Delivered-To: [email protected]
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com;h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;bh=ChnX1bsU13QtrayAVkclQsY4c0s=;b=Ziuit9vOzeeAanLi0/
idQ3hTE/Jb3cWs2pMLW71gzQ1/AHgpWYBhXDZoxU8wAmluG/8q2BmnQNKYr9W+ZU1DD4aZHUS1ViqMWYcAdudle3pBb40kLPyk6uCuixu3hXcV/J2d13xEOJ5QkVyiYWYYL1WLxRSOypYBU/7eHWxntiE=
Message-ID: <[email protected]>
To: [email protected]
From: "Confirmation - Thrifty-Deals" <[email protected]>
Subject: Confirm your newsletter subscription
Content-Type: text/plain
List-Unsubscribe: <mailto:unsub-aeaaaaaacdxdf5qykzk2kqaivun2lcnkeegsmkob35aq@delivery.seasonsms.com>
X-InjTime: 1483878784
X-Abuse-Reports-To: [email protected]
X-FNCID: 22228-14838138016706353-0
X-TransMail: 1
Date: Sun, 8 Jan 2017 18:03:04 +0530
We have received your request to receive the Thrifty-Deals newsletter. Please click below now to complete the process:
http://seasonsms.com/lt.pl?jfklowerwksdfha
Thank you!
Publisher:
Season Publishing House
Newport News, VA 23606

The complete email header would provide much more information on the origin of a message and is a useful tool for tracking and stopping SPAM and virus-laden email.

Whenever you open an email, you’ll also find options like View Source, View Message Header or Show Original. Here is a guide to viewing the complete email headers in different email clients and webmail providers.

Understanding the different elements of email headers

Received

Header lines beginning with Received: provide a trace of the email from its origin to your mail server. They show the origin along with the list of servers that processed this email before it reached your mailbox. The ‘Received:’ headers give you many valuable clues for judging the legitimacy of the source.

How to analyze the Received parameter in the mail headers

Each mail server that handles a message adds a Received: header at the top of the message; the topmost set is therefore the one added by your own mail server.

The first Received header shows that the email originated from a server with IP address 10.200.41.121:

Received: by 10.200.41.121 with SMTP id z54csp461727qtz;
       Sun, 8 Jan 2017 04:33:03 -0800 (PST)

In the above example, the From: header shows “Confirmation – Thrifty-Deals” <[email protected]>, but the Received: header shows the message arriving from trans.pepitrans01.com. [103.52.181.228]:

Received: from trans.pepitrans01.com (trans.pepitrans01.com. [103.52.181.228])
       by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03
       for <[email protected]>
       (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)

Now, this seems suspicious, unless trans.pepitrans01.com belongs to the same owner as seasonsms.com, or the owner of seasonsms.com has given trans.pepitrans01.com the right to send emails on their behalf.

Let’s check the SPF record of seasonsms.com. You can easily do this on MxToolbox, or simply type dig TXT seasonsms.com in your terminal.

(screenshot: SPF record lookup for seasonsms.com)

As per the SPF record, seasonsms.com has granted rights to pepipost.net for sending emails on their behalf.

So now let’s validate whether the actual sending host trans.pepitrans01.com. [103.52.181.228] belongs to pepipost.net or not. If it does, then we can safely say that the email is not spam.

So, let’s check the SPF record of pepipost.net:

(screenshot: SPF record lookup for pepipost.net)

Also, the SPF record of trans.pepitrans01.com:

(screenshot: SPF record lookup for trans.pepitrans01.com)

Good: in both of the above we get the same IP address range, 103.52.181.x. So this shows that pepipost.net has allowed 103.52.181.x to send emails on its behalf.

In short, here is what all of the above tells us:

  • the user [email protected] received an email from [email protected] via a 103.52.181.x IP address, which is owned by pepipost.net
  • seasonsms.com’s SPF record shows that they have allowed pepipost.net to send emails on their behalf.

Hence, this is a legitimate email and not a forged one.
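The walk through the Received: chain and the SPF check above, as an added Python example (not code from the original post): it lists the hops oldest first, picks the hop where a public IP connected to the receiving MX, and tests that IP against an SPF record. The pepipost.net SPF record is assumed to be the single ip4 range the post describes, and the mailbox addresses are placeholders because the post redacts them.

```python
import ipaddress
import re
from email import message_from_string

# Constructed copy of the post's sample Received: chain; mailbox addresses are placeholders.
RAW_HEADERS = """\
Received: by 10.200.41.121 with SMTP id z54csp461727qtz;
       Sun, 8 Jan 2017 04:33:03 -0800 (PST)
Received: from trans.pepitrans01.com (trans.pepitrans01.com. [103.52.181.228])
       by mx.google.com with ESMTPS id 94si44473076qtb.140.2017.01.08.04.33.03
       for <recipient@example.com>;
       Sun, 08 Jan 2017 04:33:03 -0800 (PST)
Received: by trans226.mailxy.com id he8oo0229vgh; Sun, 8 Jan 2017 18:03:04 +0530
From: "Confirmation - Thrifty-Deals" <newsletter@seasonsms.com>
"""
# Assumed shape of the pepipost.net SPF record: the post only says it lists 103.52.181.x.
SPF_PEPIPOST = "v=spf1 ip4:103.52.181.0/24 -all"


def received_hops(raw: str) -> list:
    """Return the Received: hops oldest first (every relay prepends, so top = last hop)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"(?:^|\s)from (\S+)", text)
        m_by = re.search(r"(?:^|\s)by (\S+)", text)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)  # bracketed client IP
        hops.append({"from": m_from and m_from.group(1),
                     "by": m_by and m_by.group(1),
                     "ip": m_ip and m_ip.group(1)})
    return hops


def connecting_hop(hops: list) -> dict:
    """Last hop whose client IP is public: where the outside sender handed the message
    to the receiving MX. Later 10.x hops are the receiver's internal relays."""
    public = [h for h in hops if h["ip"] and not ipaddress.ip_address(h["ip"]).is_private]
    return public[-1] if public else {}


def ip_permitted_by_spf(ip: str, spf_record: str) -> bool:
    """Evaluate only the literal ip4:/ip6: terms of an SPF record; include:, a and mx
    mechanisms need DNS lookups and are skipped here."""
    addr = ipaddress.ip_address(ip)
    for term in spf_record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech.split(":", 1)[1], strict=False):
                return qualifier == "+"  # first matching term decides
    return False
```

For a real lookup, fetch the TXT record with dig as the post shows and pass its text as spf_record; include: terms then have to be fetched and evaluated recursively.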

Received-SPF and DKIM-Signature

In the above example, there are two more important parameters: Received-SPF and DKIM-Signature. Not every sender adds these, but most reputable and large senders now make it a practice to add SPF and DKIM. These parameters help establish the authenticity of the email.

The header parameter in Received-SPF is showing as pass. This means the domain seasonsms.com has allowed the IP address 103.52.181.228 to send emails on their behalf.

This confirms the analysis we did earlier:

Received-SPF: pass (google.com: domain of [email protected] designates 103.52.181.228 as permitted sender) client-ip=103.52.181.228;

The next header, Authentication-Results:, shows dkim=pass. This means the long public key mentioned in the DKIM-Signature: parameter matches its associated private key stored on the actual sending server (103.52.181.228, the pepipost.net server).

Authentication-Results: mx.google.com;
      dkim=pass [email protected];
      spf=pass (google.com: domain of [email protected] designates 103.52.181.228 as permitted sender) [email protected]
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com;
h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;
bh=IReTMq2p4Y99Y1lFEln+pSvcofA=;b=dEWvsIdSK0j5Gmp9ATUlhfDRHQqUR7BolSaqyBh+CzC5WU4iGnn6aBZFtLSi0b4ze+V5nwG3fCAyn4mkAGhdgA7DvJTikspVnn+Jqpu68ru6UnH10WVD8oCJ6aa4Pa6A/sA4Zm52K9h2R7cGQjMOcEZ+N5NNQ6BG9Dtvi+ezKgk=
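
How a receiver arrives at dkim=pass, as an added Python example that is not code from the post: bh= is a hash of the canonicalized body, and b= is a signature over the headers listed in h= that the receiver checks with the public key the signer publishes in DNS under s= and d= (here pepipost._domainkey.delivery.seasonsms.com). The example parses the sample's DKIM-Signature tags (b= left out, since checking it needs that DNS key), computes bh= the way a signer does for c=relaxed, and checks that d= aligns with the From domain seasonsms.com, which is assumed here because the post redacts addresses.

```python
import base64
import hashlib
import re

# Copied from the post's first DKIM-Signature header (unfolded); b= omitted because
# verifying it needs the signer's public key from DNS.
DKIM_SIGNATURE = ("v=1; a=rsa-sha1; c=relaxed/relaxed; s=pepipost; d=delivery.seasonsms.com;"
                  "h=Message-ID:To:From:Subject:Content-Type:List-Unsubscribe:Date;"
                  "bh=IReTMq2p4Y99Y1lFEln+pSvcofA=;")

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list);
    folding whitespace inside a value is not significant and is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)  # base64 padding '=' stays in the value
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (the c=relaxed/relaxed in the sample):
    collapse runs of space/tab, strip trailing whitespace per line, drop trailing
    empty lines, and end every remaining line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str, algo: str = "sha1") -> str:
    """bh= value a signer computes over the canonicalized body; the verifier recomputes
    it and compares before checking the b= signature. algo follows the a= tag."""
    return base64.b64encode(hashlib.new(algo, relaxed_body(body)).digest()).decode()

def dkim_aligned(from_domain: str, signing_domain: str) -> bool:
    """Simplified DMARC relaxed alignment: d= equals the From domain or is a subdomain
    of it. Assumes from_domain is the organizational domain (no public-suffix lookup)."""
    f, d = from_domain.lower(), signing_domain.lower()
    return d == f or d.endswith("." + f)

def signature_covers_from(tags: dict) -> bool:
    """A signature whose h= list omits From says nothing about the visible sender."""
    return "from" in [h.lower() for h in tags.get("h", "").split(":")]
```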

In the above case, the email was sent using a third-party SMTP service, Pepipost. But if the email was sent using the sender’s own in-house infrastructure, then the owner of the sender domain and of the sending IP address should ideally be the same (unless they are on shared infrastructure).

A number of tools are available for verifying the ownership of a domain or IP address. The authoritative reference for IP addresses is the American Registry for Internet Numbers (ARIN). Using ARIN’s “Search WHOIS” tool, you can identify the owner of an IP address.

Pro Tip: If nothing works out and you still doubt the legitimacy of an email, simply send a message to abuse@organization with a copy of the complete email header (in the above example, that would be [email protected]).

Most webmasters validate and reply to queries received at their abuse address.

List-Unsubscribe

This is another important parameter in the email header.

List-Unsubscribe:<mailto:unsub-aeaaaaaacdxdf5qykzk2kqaivun2lcnkeegsmkob35aq@delivery.seasonsms.com>

If a user wants to unsubscribe from an email, they simply send an email to this long address and they will be unsubscribed.

The List-Unsubscribe header is an optional piece of text. It works in conjunction with options that the email client provides for unsubscribing and spam complaints.


Example: in Gmail you will see an option to unsubscribe from this sender. When the user clicks it, the email client sends an email to the address defined in the List-Unsubscribe header.

Email headers prefixed with “X-” are not standard headers. They are added by the sending server for its own internal tracking and reporting purposes, so they can simply be ignored for this analysis. Examples of such headers are X-Abuse-Reports-To, X-InjTime, X-FNCID, X-TransMail and X-SG-EID.

Historically, designers and implementers of application protocols have often distinguished between standardized and unstandardized parameters by prefixing the names of unstandardized parameters with the string “X-” or similar constructs. In practice, that convention causes more problems than it solves, and it was later deprecated by the IETF community.

Did you know about the DMARC policy for email senders, which protects users from SPAM emails involving pornography?


Some handpicked tips to identify and avoid Spam emails

Tip 1: Test it before you check it

If you are unsure about a link embedded in the email, hover your mouse over it to review the full address. If it looks fishy, don’t click it. Test the link by opening it in a different window.

Tip 2: Check for spelling mistakes

Brands are pretty serious about the emails they send out. Legitimate messages usually do not have major spelling mistakes or poor grammar. The sender addresses of spam or phishing emails often have odd, random spellings that are easy to notice.

Tip 3: Don’t share your personal information

Legitimate banks and most other companies will never ask for personal credentials via email, so don’t share them.

Tip 4: Invoking a sense of urgency or fear is a common phishing tactic.

Beware of subject lines claiming your “account has been suspended” or that there was an “unauthorized login attempt”; such emails are most probably SPAM.

Tip 5: Don’t click on attachments

Including viruses and malware as an attachment is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Also, read this important article on SPAM Traps.

Verdict

We at Pepipost take spam seriously. We are working hard to rebuild and reconstruct the email ecosystem. Let’s together make it spam free. Start analyzing your emails and mark unwanted suspicious emails as Spam and stay safe from Phishing.

There’s also a special layer of protection known as TLS, which you must know about.
