Email Header Forensics: Tracing Spoofing and Routing

Header Analysis

What is in an Email Header?

Every mail server (MTA) that handles a message prepends its own Received: header, so the chain reads newest-first: the top line was added by your own inbound server and the bottom line records the earliest hop. Alongside these, an Authentication-Results: header added by the receiving MTA records the outcome of its SPF, DKIM, and DMARC checks.

A typical header chain looks like:

Received: from relay.example.com by mx.example.com; Mon, 25 May 2026 10:00:01 +0000
Received: from mail.sender.com (203.0.113.5) by relay.example.com; Mon, 25 May 2026 10:00:00 +0000
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=sender.com;
  dkim=pass header.d=sender.com;
  dmarc=pass

Tracing Email Spoofing

A From: domain that differs from the Return-Path: domain, or a dkim=fail result, is a signal that the visible sender may be spoofed, but not proof on its own: mailing lists and bulk senders routinely use a separate bounce domain, and a DKIM signature breaks in transit whenever a list rewrites the subject or body. The decisive check is DMARC alignment: does the From: domain match the domain that passed SPF (smtp.mailfrom) or DKIM (header.d)? Trust only the Authentication-Results: header stamped by your own MTA (its authserv-id, mx.example.com in the chain above); a sender can insert one of its own claiming every check passed. The API parses headers and flags these discrepancies:

# Newlines inside the header block must be escaped as \n in the JSON string
curl -X POST https://api.toolkitapi.io/v1/email/parse-headers \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"headers": "Received: from ...\nAuthentication-Results: ..."}'

The response lists the hops oldest-first alongside the authentication verdicts:

{
  "hops": [
    { "from": "mail.sender.com", "by": "relay.example.com", "delay_seconds": 1 },
    { "from": "relay.example.com", "by": "mx.example.com", "delay_seconds": 0 }
  ],
  "spf": "pass",
  "dkim": "fail",
  "dmarc": "fail",
  "spoofing_risk": "high"
}
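The same checks can be run locally when you want to see exactly why a message scores as it does. The following is an added example written for this page, not the toolkitapi endpoint's own code: it parses Authentication-Results: with the standard library, accepts only the header whose authserv-id matches your own MTA (assumed here to be mx.example.com), tests From: against Return-Path: and against the SPF/DKIM domains, and returns a verdict shaped like the API response. The three header blocks, the domains bank.example and attacker.invalid, and the risk thresholds are constructed for the example; the alignment check is a simplification of DMARC relaxed alignment and does not consult the Public Suffix List.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample header blocks (not real mail). SPOOFED mirrors the page's
# high-risk case: SPF passes for the bounce domain sender.com, but the visible
# From: is bank.example and its DKIM signature fails. FORGED_AR carries an
# Authentication-Results header the sender wrote itself.
SPOOFED = """\
Return-Path: <bounce@sender.com>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=sender.com;
  dkim=fail (signature verification failed) header.d=bank.example;
  dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Subject: Urgent: verify your account
"""
LEGIT = """\
Return-Path: <newsletter@sender.com>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=sender.com; dkim=pass header.d=sender.com;
  dmarc=pass header.from=sender.com
From: News <newsletter@sender.com>
"""
FORGED_AR = """\
Return-Path: <bounce@attacker.invalid>
Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass
From: support@bank.example
"""


def unfold(value):
    """Join folded header lines and drop RFC 5322 (comments)."""
    return re.sub(r"\([^)]*\)", "", " ".join(value.split())).strip()


def domain_of(header_value):
    """Lower-cased domain of the address in a From:/Return-Path: value."""
    _, addr = parseaddr(" ".join(header_value.split()))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def parse_authentication_results(value):
    """Parse 'authserv-id; method=result prop=val; ...' into {method: {...}}."""
    authserv, _, rest = unfold(value).partition(";")
    methods = {}
    for clause in rest.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            props[key.lower()] = val.lower()
        methods[method.lower()] = props
    return (authserv.split() or [""])[0].lower(), methods


def aligned(from_domain, auth_domain):
    """Approximation of DMARC relaxed alignment: equal, or one a subdomain of the
    other. Real relaxed alignment compares organizational domains (needs the PSL)."""
    if not from_domain or not auth_domain:
        return False
    return (from_domain == auth_domain or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def assess_spoofing(raw_headers, trusted_authserv_id="mx.example.com"):
    """Local equivalent of the API verdict: a risk level plus the discrepancies found."""
    msg = email.message_from_string(raw_headers)
    from_domain, rp_domain = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    findings = []
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From: domain {from_domain} differs from Return-Path: domain {rp_domain}")
    # Merge only Authentication-Results stamped by our own MTA; a sender can insert
    # one with any content it likes, and it will carry some other authserv-id.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, methods = parse_authentication_results(value)
        if authserv == trusted_authserv_id.lower():
            results.update(methods)
    spf, dkim, dmarc = (results.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = spf.get("result") == "pass" and aligned(from_domain, spf_domain)
    dkim_aligned = dkim.get("result") == "pass" and aligned(from_domain, dkim.get("header.d", ""))
    if not results:
        findings.append(f"no Authentication-Results from trusted MTA {trusted_authserv_id}")
        risk = "unknown"
    else:
        if dkim.get("result") == "fail":
            findings.append(f"DKIM signature for {dkim.get('header.d', '?')} failed")
        if spf.get("result") == "pass" and not spf_aligned:
            findings.append(f"SPF passed for {spf_domain}, which is not the From: domain")
        if dmarc.get("result") == "pass" or (dmarc.get("result") != "fail"
                                             and (spf_aligned or dkim_aligned)):
            risk = "low"      # an aligned pass, confirmed by DMARC or inferred from SPF/DKIM
        elif dmarc.get("result") == "fail" or findings:
            risk = "high"
        else:
            risk = "medium"
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "spf": spf.get("result", "none"), "dkim": dkim.get("result", "none"),
            "dmarc": dmarc.get("result", "none"), "findings": findings, "spoofing_risk": risk}
```

Run `assess_spoofing(SPOOFED)` and the verdict is "high" with three findings; `assess_spoofing(FORGED_AR)` comes back "unknown" because the only Authentication-Results header present was not written by the trusted MTA, which is the outcome you want rather than a false "low".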

Calculating Routing Delays

Each Received: header carries the time at which the "by" server accepted the message, taken from that server's own clock. Subtracting consecutive timestamps, oldest hop first, gives the time each hop took. A delay of more than about 60 seconds usually means a spam-filter hold or a grey-listing retry; a negative delay means the two servers' clocks disagree rather than anything suspicious; and an implausible gap across a hop you do not control may simply be a forged header, since only the Received: lines added by your own servers are reliable.
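An added example of the delay calculation, written for this page rather than taken from the toolkitapi service: it parses each Received: header with the standard library, orders the hops oldest-first, computes the delay between consecutive timestamps, flags negative (clock skew) and slow hops, and marks which hops were written by your own servers. The three-hop chain is constructed (198.51.100.7 and 10.0.0.12 are documentation and private addresses chosen for the sample), and example.com is assumed to be the investigator's own mail domain.

```python
import re
import email
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed header chain (not real mail), newest first as MTAs prepend
# them. The sender's clock runs four seconds fast, and the message sat at
# relay.example.com for 90 seconds before mx.example.com accepted it.
RAW_HEADERS = """\
Received: from relay.example.com (relay.example.com [198.51.100.7])
  by mx.example.com with ESMTPS; Mon, 25 May 2026 10:01:35 +0000
Received: from mail.sender.com (mail.sender.com [203.0.113.5])
  by relay.example.com with ESMTP; Mon, 25 May 2026 10:00:05 +0000
Received: from [10.0.0.12] (unknown [10.0.0.12])
  by mail.sender.com with ESMTPA; Mon, 25 May 2026 10:00:09 +0000
From: alice@sender.com
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull from/by hosts, the connecting IPv4 and the timestamp out of one Received: value."""
    value = " ".join(value.split())                     # unfold continuation lines
    clause, _, date = value.rpartition(";") if ";" in value else (value, "", "")
    ip = IP_RE.search(clause)                           # first [a.b.c.d] is the peer our MTA saw
    clause = re.sub(r"\([^)]*\)", "", clause)           # drop (comments) before keyword search
    from_host = re.search(r"\bfrom\s+(\S+)", clause, re.I)
    by_host = re.search(r"\bby\s+(\S+)", clause, re.I)
    try:
        ts = parsedate_to_datetime(date.strip())
        if ts.tzinfo is None:                           # "-0000" dates parse as naive
            ts = ts.replace(tzinfo=timezone.utc)
    except (ValueError, TypeError, IndexError):
        ts = None
    return {"from": from_host.group(1) if from_host else None,
            "by": by_host.group(1).lower() if by_host else None,
            "ip": ip.group(1) if ip else None, "timestamp": ts}


def hop_delays(raw_headers, own_domain="example.com", slow_threshold=60):
    """Return hops oldest-first with per-hop delay, a flag and a trust mark."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]   # newest first
    # Walking down from our own MTA, a hop stays trusted only while its 'by'
    # host is ours; everything below the first foreign host was written by
    # the sender and may be fabricated.
    trusted = True
    for hop in hops:
        by = hop["by"] or ""
        trusted = trusted and (by == own_domain or by.endswith("." + own_domain))
        hop["trusted"] = trusted
    hops.reverse()                                      # now oldest first
    prev = None
    for hop in hops:
        ts = hop["timestamp"]
        if prev is None or ts is None:
            hop["delay_seconds"] = None
            hop["flag"] = "origin" if hop is hops[0] else "no_timestamp"
        else:
            delay = int((ts - prev).total_seconds())
            hop["delay_seconds"] = delay
            hop["flag"] = ("clock_skew" if delay < 0 else
                           "slow" if delay > slow_threshold else "ok")
        if ts is not None:
            prev = ts
    return hops
```

On the sample chain `hop_delays(RAW_HEADERS)` reports the relay hop at -4 seconds (clock_skew) and the final hop at 90 seconds (slow), and marks only the two example.com hops as trusted; the bottom Received: line came from the sender's own server and could say anything.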

Where to Find Raw Headers

  • Gmail — open the message → three-dot menu → "Show original"
  • Outlook — File → Properties → Internet headers
  • Apple Mail — View → Message → Raw Source

Automating Abuse Investigation

# Pull the raw headers of each flagged message, run them through the
# parse-headers endpoint and escalate the high-risk ones. fetch_raw_headers,
# parse_headers_api and escalate are placeholders for your mail-store client,
# an HTTP call to /v1/email/parse-headers and your ticketing hook.
for message_id in flagged_messages:
    raw_headers = fetch_raw_headers(message_id)
    analysis = parse_headers_api(raw_headers)
    if analysis["spoofing_risk"] == "high":
        escalate(message_id, analysis)
