Analyzing Email Headers for Phishing Investigation

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify

Category: development Source: mukul975/Anthropic-Cybersecurity-Skills

What Is This?

"Analyzing Email Headers for Phishing Investigation" is a critical cybersecurity skill focused on parsing and interpreting email header data to trace the true origin of suspicious emails, verify sender authenticity, and identify spoofing attempts. This skill leverages technical analysis techniques to examine header fields such as Received, From, Return-Path, and authentication results like SPF, DKIM, and DMARC. By dissecting these headers, security professionals can uncover the delivery path of an email, detect forged sender information, and validate whether the message was sent from a legitimate source or is part of a phishing campaign.

Why Use It?

Phishing attacks remain one of the most prevalent and damaging threats to organizations and individuals. Attackers commonly use email spoofing and social engineering to trick users into divulging sensitive information or executing malicious payloads. Relying solely on visual inspection of an email's content or sender address is insufficient because the sender controls those fields and can set them to anything. Header analysis provides deeper, forensic-level insight because the lines added by your own mail servers (their Received entries and the Authentication-Results verdict) are outside the attacker's control, whereas everything the sender supplied, including From and any Received lines below the first trusted hop, can be forged at will.

Through header analysis, you can:

  • Trace the route an email took across mail servers to determine its true origin.
  • Identify discrepancies between claimed sender and actual sending infrastructure.
  • Detect authentication failures or misalignments in SPF, DKIM, and DMARC records.
  • Correlate sending IP addresses and domains with threat intelligence to assess risk.
  • Gather evidence for incident response and reporting.

This skill is essential for anyone responsible for email security, digital forensics, or incident response.

How to Use It

1. Extract Raw Email Headers

The first step is to obtain the complete, unaltered headers from the suspicious email. The process differs by email client:

Outlook:

  • Open the suspicious email.
  • Go to File > Properties.
  • Copy the contents under "Internet headers."

Gmail:

  • Open the email.
  • Click the three dots (More).
  • Select "Show original."
  • Copy the entire header section.

Alternatively, save the message as an EML or MSG file for parsing.

2. Parse Headers

Headers consist of key-value pairs, each providing metadata about the email's journey. Focus on:

  • Received: Each server that handles the message prepends its own Received line, so the top line is your own server and the bottom line is the earliest hop. Read from bottom to top to follow delivery order, but trust only the lines written by servers you know; anything below the first trusted hop could have been typed in by the sender.
  • From, Reply-To, Return-Path: From is the displayed sender, Reply-To is where replies go, and Return-Path is the envelope sender (SMTP MAIL FROM) as recorded by the receiving server and the identity SPF is checked against. A From domain that differs from the Return-Path or Reply-To domain is the classic spoofing tell.
  • Authentication-Results: The receiving server's record of its SPF, DKIM, and DMARC checks. Use only the instance whose authserv-id (the first token) is your own mail system, since a sender can inject a forged copy of this header too.

Example Header Section

Received: from mail-bn7nam12olkn1024.outbound.protection.outlook.com (2603:10b6:5:1::24) by BN7NAM12FT035.mail.protection.outlook.com with ESMTP id 202306151201 for <user@example.com>;
From: support@secure-bank.com
Return-Path: admin@malicious-domain.com
Authentication-Results: spf=fail smtp.mailfrom=malicious-domain.com; dkim=fail; dmarc=fail

3. Trace the Email Path

Analyze the sequence of Received headers to determine the true origin. Look for:

  • Unexpected or suspicious domains.
  • Private or non-routable IP addresses where a public address is expected (a private address in the very first hop only means the sender's client sat behind its own relay; the first public address is the one worth investigating).
  • Mismatches between sending infrastructure and claimed sender.

Python Example: Parsing Received Headers

import email
from email import policy

# Read as bytes so unusual encodings in the raw message do not raise decode errors.
with open('phishing-email.eml', 'rb') as f:
    msg = email.message_from_binary_file(f, policy=policy.default)

# get_all() returns None when the header is absent. The list is newest-hop-first
# (top of the header block), so reverse it to print the path in delivery order.
received_headers = msg.get_all('Received') or []
for hop, header in enumerate(reversed(received_headers)):
    print(f'hop {hop}: {header}')
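The following is an added example for steps 2 and 3, not code from the source repository: it parses a saved .eml, walks the Received chain oldest-hop-first, pulls the IP literals out of each hop, compares the From, Reply-To and Return-Path domains, and reads the verdicts out of Authentication-Results. The message below is constructed for the example; every host, address and domain in it is fictitious, and the IPs come from the RFC 5737 documentation ranges.

```python
"""Added example (not code from the source repository): parse a saved .eml, list
the Received chain oldest-hop-first with the IP literals in each hop, compare the
From, Reply-To and Return-Path domains, and read the verdicts out of
Authentication-Results. The message and every name in it are constructed."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: headers of a spoofed "bank" message as a receiving server
# would record them. Folded continuation lines start with a tab.
SAMPLE_EML = b"""Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTPS id abc123
\tfor <user@example.com>; Thu, 15 Jun 2023 12:01:00 +0000
Received: from relay.malicious-domain.example ([203.0.113.7])
\tby mx.example.com with ESMTP id def456; Thu, 15 Jun 2023 12:00:58 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby relay.malicious-domain.example with SMTP; Thu, 15 Jun 2023 12:00:55 +0000
Authentication-Results: mx.example.com;
\tspf=fail smtp.mailfrom=malicious-domain.example;
\tdkim=none header.d=none;
\tdmarc=fail header.from=secure-bank.example
From: "Secure Bank Support" <support@secure-bank.example>
Reply-To: helpdesk@attacker-mail.example
Return-Path: <admin@malicious-domain.example>
To: user@example.com

Please confirm your details at the link below.
"""

# IPv4/IPv6 candidates; ipaddress validation below discards look-alikes (12:00:58).
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}", re.I)
HOP_RE = re.compile(r"^from\s+(\S+)", re.I)
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", re.I)
# RFC 1918, loopback and link-local, listed explicitly: ipaddress.is_private would
# also flag the RFC 5737 documentation ranges this sample uses as public addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_non_routable(ip):
    return any(ip in net for net in NON_ROUTABLE)


def parse_received(raw):
    """Unfold one Received header; return the claimed sending host and its IP literals."""
    raw = " ".join(raw.split())
    m = HOP_RE.match(raw)
    ips = []
    for cand in IP_RE.findall(raw):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if ip not in ips:
            ips.append(ip)
    return {"claimed_from": m.group(1) if m else None,
            "ips": [str(ip) for ip in ips],
            "non_routable": [str(ip) for ip in ips if is_non_routable(ip)]}


def domain_of(header_value):
    """Domain of the address in a From / Reply-To / Return-Path value, or None."""
    if not header_value:
        return None
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower() or None


def analyze(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # get_all() lists hops newest-first (top of the header block); reverse so
    # hops[0] is the earliest hop, the one closest to the real sender.
    hops = [parse_received(str(r)) for r in reversed(msg.get_all("Received") or [])]
    origin_ip = next((ip for hop in hops for ip in hop["ips"]
                      if not is_non_routable(ipaddress.ip_address(ip))), None)
    auth_raw = " ".join(str(msg.get("Authentication-Results", "")).split())
    auth = {k.lower(): v.lower() for k, v in RESULT_RE.findall(auth_raw)}
    props = {k.lower(): v.lower() for k, v in PROP_RE.findall(auth_raw)}
    doms = {h: domain_of(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")}

    findings = []
    for h in ("Reply-To", "Return-Path"):
        if doms[h] and doms["From"] and doms[h] != doms["From"]:
            findings.append(f"{h} domain {doms[h]} differs from From domain {doms['From']}")
    mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
    if mailfrom and doms["From"] and mailfrom != doms["From"]:
        findings.append(f"SPF was evaluated for {mailfrom}, not the From domain {doms['From']}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "missing") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")
    for i, hop in enumerate(hops):
        for ip in hop["non_routable"]:
            findings.append(f"hop {i} claims non-routable address {ip}")
    return {"hops": hops, "origin_ip": origin_ip, "auth": auth,
            "auth_props": props, "domains": doms, "findings": findings}
```

Run `analyze(SAMPLE_EML)` and read the findings list: for the constructed message it reports the Reply-To and Return-Path mismatches, that SPF was evaluated for the attacker's domain rather than the bank's, the three failed or absent verdicts, and the private 10.0.0.5 address in the earliest hop, while `origin_ip` gives 203.0.113.7 as the first public address in the chain. Swap `SAMPLE_EML` for the bytes of a real .eml to use it on a case.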

4. Validate SPF, DKIM, and DMARC

Check whether the domains involved publish these records and whether the message passed each check. Keep in mind which identity each mechanism actually evaluates:

  • SPF (Sender Policy Framework): Confirms whether the sending IP is authorized to send mail for the envelope sender domain (Return-Path / MAIL FROM), which need not be the From domain the user sees. An attacker's own domain can legitimately pass SPF.
  • DKIM (DomainKeys Identified Mail): Verifies a cryptographic signature over selected headers and the body against a public key that the signing domain (the d= tag of DKIM-Signature) publishes in DNS. A pass proves who signed the message, not that the signer is the From domain.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Requires that a passing SPF or DKIM identity align with the From domain, and tells receivers what to do when none does (p=none, quarantine, or reject).

Use DNS lookup tools to verify the published records. SPF is the TXT record of the Return-Path domain, DMARC lives under _dmarc.<From domain>, and the DKIM public key sits at <selector>._domainkey.<d= domain>, where the selector is the s= tag of the DKIM-Signature header:

dig txt _dmarc.example.com
dig txt example.com
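Once the TXT records are in hand, the next question is what verdict they yield for the sending IP and identities seen in the headers. The following is an added example, not code from the source repository: it interprets SPF and DMARC records offline the way a receiver does, so an analyst can see why a message that passes SPF for the attacker's own domain still fails DMARC for the spoofed From domain. All records, domains and IPs are constructed; paste in what dig returns for a real case.

```python
"""Added example (not code from the source repository): interpret SPF and DMARC
TXT records offline, the way a receiving server does, to see which SPF verdict
and which DMARC disposition a given sending IP and MAIL FROM domain produce.
All records, domains and IPs are constructed; in an investigation, paste in
what dig returns for the domains seen in the headers."""
import ipaddress

# Constructed TXT records. The "bank" publishes a strict policy; the attacker's own
# domain also has a perfectly valid SPF record that authorises the attacker's server.
SPF_RECORDS = {
    "secure-bank.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 "
                           "include:_spf.mailvendor.example -all",
    "malicious-domain.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DMARC_RECORDS = {
    "secure-bank.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc@secure-bank.example",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sending_ip):
    """Walk the mechanisms left to right; the first match decides. Returns (result, reason).
    Only ip4/ip6/all are decidable without DNS. include/a/mx/exists and redirect= are
    collected, and if any are still pending when 'all' is reached the verdict is
    'unresolved' rather than a guess, because a pending include could still yield pass."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", "no v=spf1 record"
    ip = ipaddress.ip_address(sending_ip)
    pending = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual], f"matched {name}:{arg}"
            except ValueError:
                return "permerror", f"malformed mechanism {term}"
        elif name == "all":
            if pending:
                return "unresolved", f"{qual}all reached but DNS needed for: {' '.join(pending)}"
            return QUALIFIERS[qual], f"reached {qual}all"
        else:
            pending.append(term)
    return "neutral", "no mechanism matched and no all term"


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict with the RFC 7489 defaults filled in, or None."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100"), ("sp", tags["p"])):
        tags.setdefault(tag, default)
    return tags


def org_domain(domain):
    # Simplification for this example: the last two labels. Real receivers use the
    # Public Suffix List so that mail.bank.co.uk and bank.co.uk align; do not ship this.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identity_domain, from_domain, mode):
    """DMARC alignment: strict (s) is an exact match, relaxed (r) the same organisational domain."""
    if mode == "s":
        return identity_domain.lower() == from_domain.lower()
    return org_domain(identity_domain) == org_domain(from_domain)


def assess(from_domain, mailfrom_domain, sending_ip, dkim_result=None, dkim_domain=None):
    """SPF is checked against the MAIL FROM (Return-Path) domain's record, not the From
    domain; DMARC then asks whether a passing identity aligns with the From domain and,
    if none does, returns the policy the From domain asked receivers to apply."""
    spf, reason = evaluate_spf(SPF_RECORDS.get(mailfrom_domain, ""), sending_ip)
    dmarc = parse_dmarc(DMARC_RECORDS.get(from_domain, ""))
    if dmarc is None:
        return {"spf": spf, "spf_reason": reason, "dmarc": "none", "note": "no DMARC record"}
    spf_aligned = aligned(mailfrom_domain, from_domain, dmarc["aspf"])
    spf_ok = spf == "pass" and spf_aligned
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, dmarc["adkim"])
    return {"spf": spf, "spf_reason": reason, "spf_aligned": spf_aligned,
            "dmarc": "pass" if (spf_ok or dkim_ok) else dmarc["p"]}
```

`assess("secure-bank.example", "malicious-domain.example", "203.0.113.7")` reproduces the page's scenario: SPF passes, because the attacker's own domain authorises the attacker's server, but the identity does not align with the From domain, so DMARC returns the bank's published `reject`. The same call with the bank's own domain and an address in its ip4 range returns `pass`, and a spoof from 203.0.113.7 using the bank's domain as MAIL FROM comes back `unresolved` until the `include:` is looked up. Treat the output as a model of what the receiver did, and compare it with the real Authentication-Results header rather than substituting for it.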

5. Correlate with Threat Intelligence

Cross-reference IP addresses and domains found in headers with threat intelligence databases (such as VirusTotal, AbuseIPDB, or internal threat feeds) to assess reputation.

6. Document and Report Findings

Summarize your findings, including discrepancies, authentication failures, and any indicators of compromise, for your security team or incident response process.

When to Use It

  • Investigating suspected phishing emails to determine their origin and authenticity.
  • During incident response when a user has interacted with a suspicious message.
  • When analyzing targeted spear-phishing or business email compromise attempts.
  • For regular security audits or forensic investigations of email traffic.
  • When validating the effectiveness of mail authentication controls.

Important Notes

  • Header analysis requires attention to detail and an understanding of SMTP conventions.
  • Some attackers manipulate, forge, or strip headers to evade detection; always corroborate findings with external data and treat only the lines added by your own infrastructure as reliable.
  • Automated tools (e.g., emailheaders.net, Python scripts) can speed up analysis, but manual inspection is essential for complex cases.
  • SPF, DKIM, and DMARC failures are strong indicators but not absolute proof of phishing: forwarding breaks SPF, mailing lists and signature-altering gateways break DKIM, and a legitimate sender may simply have misconfigured records. Conversely, a pass only shows the message came from infrastructure authorized for the domain that was checked, which may be the attacker's own. Always perform holistic analysis.
  • Maintain confidentiality; email headers can contain sensitive internal infrastructure details such as hostnames and addresses.

For further reference and sample tools, see the source repository.

By mastering email header analysis, you can significantly improve your ability to detect, investigate, and mitigate phishing threats in any organization.