Email Header Forensics: Tracing Spoofing and Routing
What is in an Email Header?
Every email carries a chain of Received: headers tracing its path from
sender to recipient. Alongside these, authentication headers record the
results of SPF, DKIM, and DMARC checks.
A typical header chain looks like:
Received: by mx.example.com; Mon, 25 May 2026 10:00:00 +0000
Received: from mail.sender.com (203.0.113.5) by relay.example.com
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=sender.com;
    dkim=pass header.d=sender.com;
    dmarc=pass
Tracing Email Spoofing
When the From: and Return-Path: domains differ, or when dkim=fail appears,
the sender identity may be spoofed. The API parses the raw headers and
flags these discrepancies:
curl -X POST https://api.toolkitapi.io/v1/email/parse-headers \
    -H "X-API-Key: $API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"headers": "Received: from ...\nAuthentication-Results: ..."}'
{
    "hops": [
        { "from": "mail.sender.com", "by": "relay.example.com", "delay_seconds": 1 },
        { "from": "relay.example.com", "by": "mx.example.com", "delay_seconds": 0 }
    ],
    "spf": "pass",
    "dkim": "fail",
    "dmarc": "fail",
    "spoofing_risk": "high"
}
Calculating Routing Delays
The timestamp in each Received: header lets you calculate how long each hop took.
Unusual delays (more than 60 seconds between hops) can indicate a spam-filter hold or a greylisting delay.
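As an added example (not part of this page or of the toolkitapi.io API), the Python below performs the same analysis locally on a constructed header set: it walks the Received: chain to compute per-hop delays, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and compares the From: and Return-Path: domains. The sample headers and the risk scale are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: SPF passes for the bounce domain, DKIM fails, Return-Path != From.
RAW_HEADERS = """\
Received: by mx.example.com; Mon, 25 May 2026 10:00:05 +0000
Received: from mail.sender.com (203.0.113.5) by relay.example.com;
 Mon, 25 May 2026 10:00:04 +0000
Received: from client.example.net (198.51.100.7) by mail.sender.com;
 Mon, 25 May 2026 09:58:00 +0000
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bulk-sender.net;
 dkim=fail header.d=sender.com;
 dmarc=fail
Return-Path: <bounce@bulk-sender.net>
From: Alice <alice@sender.com>
"""

def parse_hops(msg):
    """Received: headers oldest-first, each with the delay since the previous hop."""
    hops = []
    # Each MTA prepends its own Received: line, so the last header is the first hop
    # (only the lines added by MTAs you control can be trusted; earlier ones may be forged).
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())  # unfold continuation lines
        m = re.match(r"(?:from\s+(\S+)\s+)?(?:\(.*?\)\s+)?by\s+([^\s;]+)", text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append({"from": m.group(1), "by": m.group(2), "time": stamp, "delay_seconds": 0})
    for prev, cur in zip(hops, hops[1:]):
        cur["delay_seconds"] = int((cur["time"] - prev["time"]).total_seconds())
    return hops

def parse_auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    text = " ".join(msg.get("Authentication-Results", "").split())
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}

def header_domain(msg, name):
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()

def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    hops, auth = parse_hops(msg), parse_auth_results(msg)
    reasons = [f"{k}=fail" for k in ("dkim", "dmarc") if auth.get(k) == "fail"]
    if header_domain(msg, "From") != header_domain(msg, "Return-Path"):
        reasons.append("From/Return-Path domain mismatch")
    # Risk scale is an assumption for this example, not the API's own scoring rule.
    risk = "high" if any("=fail" in r for r in reasons) else "medium" if reasons else "low"
    return {"hops": hops, **auth, "spoofing_risk": risk, "reasons": reasons,
            "slow_hops": [h["by"] for h in hops if h["delay_seconds"] > 60]}
```

Calling analyze(RAW_HEADERS) on the sample reports spoofing_risk "high", a 124-second delay at relay.example.com, and the From/Return-Path mismatch.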
Where to Find Raw Headers
- Gmail — open the message → three-dot menu → "Show original"
- Outlook — File → Properties → Internet headers
- Apple Mail — View → Message → Raw Source
Automating Abuse Investigation
for message_id in flagged_messages:
    raw_headers = fetch_raw_headers(message_id)   # pull the raw headers from the mail store
    analysis = parse_headers_api(raw_headers)      # POST them to /v1/email/parse-headers
    if analysis["spoofing_risk"] == "high":
        escalate(message_id, analysis)             # hand the message and verdict to the abuse team