TLDR
Email headers contain the full routing history of every email. By reading them, you can verify whether an email actually came from who it claims. The three key authentication checks are SPF (authorized sending server), DKIM (message integrity), and DMARC (policy enforcement). ScamVerify™'s email checker automates this analysis, but understanding the manual process helps you evaluate any suspicious email.
Why Email Headers Matter
The "From" field in an email can say anything. A scammer can send an email that displays security@chase.com in your inbox without any connection to Chase Bank. Email headers reveal the truth behind the display name.
Email spoofing is a core technique behind Business Email Compromise (BEC) and phishing attacks. Our URLhaus threat intelligence tracks 69,088 malicious domains, many of which send spoofed emails directing victims to credential harvesting pages.
How to View Email Headers
Gmail
- Open the email
- Click the three dots (top right of the email)
- Click "Show original"
- The full headers appear in a new tab
Outlook (Web)
- Open the email
- Click the three dots (top right)
- Click "View message source" or "View message details"
Apple Mail
- Open the email
- Click View in the menu bar
- Click Message > All Headers
The Three Authentication Checks
Check 1: SPF (Sender Policy Framework)
What it does: SPF verifies that the IP address of the connecting mail server is listed in the DNS policy published by the envelope sender domain. The envelope sender is the MAIL FROM / Return-Path address, not the visible From header; the From header is only tied to SPF through DMARC alignment (Check 3).
What to look for in headers:
Received-SPF: pass (google.com: domain of support@company.com designates 203.0.113.10 as permitted sender)
| Result | Meaning |
|---|---|
| pass | Server is authorized to send for the envelope sender domain |
| fail | Server is NOT authorized (the policy ends in -all); likely spoofed |
| softfail | Server is not authorized, but the policy ends in ~all, so the domain owner asked receivers to mark rather than reject |
| neutral | The policy ends in ?all: the domain makes no assertion about this server either way |
| none | The domain publishes no SPF record, so nothing could be checked |
Red flag: SPF: fail or SPF: softfail means the sending server is not authorized by the envelope sender domain. A pass only proves that the server may send for the domain named in the result (smtp.mailfrom), so check which domain that is; a scammer's own domain passes for the scammer's own servers.
Check 2: DKIM (DomainKeys Identified Mail)
What it does: The signing domain (the d= value) computes a cryptographic signature over the message body and a listed set of headers using a private key; the receiver fetches the matching public key from DNS (selector s= under domain d=) and verifies it. A valid signature proves that the signed parts were not altered after d= signed them and that d= vouched for the message. It says nothing about the From domain unless d= is that domain.
What to look for in headers:
DKIM-Signature: v=1; a=rsa-sha256; d=company.com; s=selector;
Authentication-Results: dkim=pass header.d=company.com
| Result | Meaning |
|---|---|
| pass | Signature verifies: the signed headers and body are unchanged since the d= domain signed them |
| fail | Signature does not verify: the message was altered after signing, or the signature was forged |
| none | No DKIM signature present |
Red flag: DKIM: fail means the signature does not verify, which indicates tampering or forgery. A mailing list that appends a footer or rewrites the subject also breaks DKIM, so confirm with DMARC and the Received chain before concluding. Also compare the d= domain with the From domain: a pass for an unrelated signing domain proves nothing about the sender you see.
Check 3: DMARC (Domain-based Message Authentication)
What it does: DMARC ties SPF and DKIM to the visible From header. It passes only if SPF or DKIM passed and the passing domain aligns with the From domain (identical, or the same organizational domain in relaxed mode). The domain owner's published policy (p=) tells receiving servers what to do with mail that fails: reject, quarantine, or none (deliver it and only send reports).
What to look for in headers:
Authentication-Results: dmarc=pass (p=REJECT) header.from=company.com
| Result | Meaning |
|---|---|
| pass | SPF or DKIM passed for a domain aligned with the From domain |
| fail (p=REJECT) | No aligned pass, and the domain policy says reject it |
| fail (p=QUARANTINE) | No aligned pass, and the domain policy says quarantine it (usually the spam folder) |
| fail (p=NONE) | No aligned pass, but the domain has no enforcement policy, so the mail was delivered anyway |
Red flag: DMARC: fail with any policy is a strong indicator of spoofing. The main benign cause is forwarding or mailing-list relay, which breaks SPF (new sending IP) and often DKIM (modified body); if the message reached you that way, fall back to the Received chain.
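The three checks above, as a small header parser. This is an added example, not ScamVerify's code: it reads the Authentication-Results header that a receiving server adds, extracts the SPF, DKIM and DMARC verdicts and the domains they apply to, and then checks whether any passing identity aligns with the visible From domain. mx.example.net is an assumed receiving server, and both messages are constructed samples whose domains, addresses and selector are invented.

```python
"""Parse SPF, DKIM and DMARC verdicts from Authentication-Results and check
whether any passing identity aligns with the visible From domain.

Added example, not ScamVerify code. mx.example.net is an assumed receiving
server; every domain, address and selector below is invented.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: the scammer's own domain (mailer.example) passes SPF
# and DKIM, but From shows a bank, so DMARC fails on alignment.
SPOOFED = """\
Authentication-Results: mx.example.net;
    dkim=pass header.i=@mailer.example header.s=sel1;
    spf=pass (mx.example.net: domain of bounce@mailer.example designates 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@mailer.example;
    dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=chase.com
From: Chase Security <security@chase.com>
To: you@example.net
Subject: Urgent: verify your account

Click the link.
"""

# Constructed sample: everything passes and the passing domain is the From domain.
LEGIT = """\
Authentication-Results: mx.example.net;
    dkim=pass header.i=@company.example header.s=sel1;
    spf=pass smtp.mailfrom=bounces@company.example;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=company.example
From: Support <support@company.example>
To: you@example.net
Subject: Your receipt

Thanks for your order.
"""


def _domain(token: str) -> str:
    """Domain part of 'user@domain', '@domain' or a bare 'domain', lower-cased."""
    return token.rpartition("@")[2].strip().lower()


def parse_auth_results(raw: str) -> dict:
    """Extract method results and the domains they apply to.

    Uses the topmost Authentication-Results header: servers prepend headers,
    so the first one is the one your own receiver added last. In real use
    also confirm its authserv-id is your provider, because senders can forge
    this header too (which is why receivers strip copies claiming their name).
    """
    msg = email.message_from_string(raw)
    headers = msg.get_all("Authentication-Results") or []
    value = " ".join(headers[0].split()) if headers else ""   # unfold
    res = {
        "authserv": value.split(";", 1)[0].strip(),
        "from_domain": _domain(parseaddr(msg.get("From", ""))[1]),
    }
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        res[method] = m.group(1).lower() if m else "none"
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", value)      # identity SPF checked
    res["spf_domain"] = _domain(m.group(1)) if m else ""
    m = re.search(r"header\.[di]=([^\s;]+)", value)        # DKIM signing domain
    res["dkim_domain"] = _domain(m.group(1)) if m else ""
    m = re.search(r"\bdmarc=\w+\s*\(p=(\w+)", value)        # published policy
    res["dmarc_policy"] = m.group(1).upper() if m else ""
    return res


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment approximated as equal or parent/subdomain.
    Real receivers compare organizational domains via the Public Suffix List."""
    if not auth_domain or not from_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def authenticated_domains(res: dict) -> list:
    """Domains that actually passed a check, whatever From says. A lookalike
    domain the scammer owns shows up here with a clean pass, so compare these
    names with the brand you expect."""
    out = set()
    if res["spf"] == "pass" and res["spf_domain"]:
        out.add(res["spf_domain"])
    if res["dkim"] == "pass" and res["dkim_domain"]:
        out.add(res["dkim_domain"])
    return sorted(out)


def red_flags(res: dict) -> list:
    """Apply the three checks plus alignment; an empty list means no red flag."""
    flags = []
    if res["spf"] in ("fail", "softfail"):
        flags.append(f"SPF {res['spf']} for {res['spf_domain'] or 'unknown domain'}")
    if res["dkim"] == "fail":
        flags.append("DKIM signature does not verify")
    if res["dmarc"] == "fail":
        flags.append(f"DMARC fail (p={res['dmarc_policy'] or 'unknown'})")
    spf_ok = res["spf"] == "pass" and aligned(res["spf_domain"], res["from_domain"])
    dkim_ok = res["dkim"] == "pass" and aligned(res["dkim_domain"], res["from_domain"])
    if not (spf_ok or dkim_ok):
        flags.append(f"no passing identity aligns with From domain {res['from_domain']}")
    return flags


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        r = parse_auth_results(raw)
        print(name, "authenticated:", authenticated_domains(r), "flags:", red_flags(r))
```

For the spoofed sample the parser reports SPF and DKIM passes for mailer.example and a DMARC fail with two red flags; the authenticated domain it prints is the one to compare against the brand in the From header, which is the manual step no automated pass/fail replaces.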
Reading the "Received" Headers
The Received: headers show every server the email passed through. Each server prepends its own header, so you read them from bottom (origin) to top (your server). Only the hops written by your own provider's servers are trustworthy: everything below them was written on the sender's side and can be forged outright.
Received: from mail.scammer-server.com (203.0.113.10)
by mx.gmail.com with SMTP
for <you@gmail.com>;
Tue, 3 Mar 2026 10:00:00 -0500
What to check:
- Does the host that handed the message to your server (the "from" in the topmost hop your provider wrote) belong to the claimed sender's domain, or to a mail provider that sender plausibly uses?
- Does the name the host announced agree with what your server saw in parentheses (reverse DNS and IP), or is the host "unknown" with a bare IP?
- Are there unexpected servers in the routing chain?
- Do the timestamps increase from bottom to top, and does the origin time make sense for the claimed sender's time zone?
The Return-Path Check
The Return-Path header holds the envelope sender (MAIL FROM): the address that receives bounces, and the domain SPF actually checked. For mail a company sends from its own infrastructure this matches the From domain. Mail sent through a bulk-email provider often legitimately uses the provider's bounce domain instead, so treat a mismatch as a reason to look harder rather than proof by itself.
Return-Path: <bounces@company.com>
Red flag: If the email claims to be from support@chase.com but the Return-Path is bounces@random-server.xyz, the envelope sender has no relationship to the displayed sender; together with a DMARC fail, that is a spoofed email.
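The Received-chain and Return-Path checks above, as an added example that is not ScamVerify's code. It walks the Received headers bottom to top, trusts only the hop written by an assumed receiving server mx.example.net, compares the host that handed the message over with the From domain, checks that timestamps do not run backwards, and compares the Return-Path domain with the From domain. The message is a constructed sample: the hosts are invented, 203.0.113.10 is a documentation address, and the private 192.168.1.1 stands in for the sender's internal first hop.

```python
"""Walk the Received chain bottom-to-top and compare Return-Path with From.

Added example, not ScamVerify code. mx.example.net is the assumed receiving
server (the only hop we trust); the hosts and addresses in the sample are
invented, with 203.0.113.10 taken from the documentation range.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

TRUSTED_RECEIVER = "mx.example.net"   # assumption: your own provider's MX

# Constructed sample: a bank address in From, but the envelope sender and
# the host that reached our server both belong to random-server.xyz.
SAMPLE = """\
Return-Path: <bounces@random-server.xyz>
Received: from mail.random-server.xyz (mail.random-server.xyz [203.0.113.10])
    by mx.example.net with ESMTPS
    for <you@example.net>; Tue, 3 Mar 2026 10:00:00 -0500
Received: from [192.168.1.1] (unknown [192.168.1.1])
    by mail.random-server.xyz with ESMTP;
    Tue, 3 Mar 2026 09:59:58 -0500
From: Chase Support <support@chase.com>
To: you@example.net
Subject: Account locked

Body.
"""

# "from <host> (<what the receiver saw>) ... by <receiver>"; the date sits
# after the last ';' and is parsed separately.
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")


def parse_received(raw: str) -> list:
    """Return hops in transit order (earliest first), i.e. bottom header first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:
        value = " ".join(value.split())                 # unfold the header
        hop = {"from": "", "info": "", "by": "", "date": None}
        m = HOP_RE.search(value)
        if m:
            hop["from"] = m.group("from").lower()
            hop["info"] = (m.group("info") or "").lower()
            hop["by"] = m.group("by").lower()
        if ";" in value:
            try:
                hop["date"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass                                    # unparsable date: leave None
        hops.append(hop)
    hops.reverse()                                      # servers prepend, so reverse
    return hops


def _dom(addr: str) -> str:
    """Lower-cased domain of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw: str) -> list:
    """Return the red flags raised by the Return-Path and Received checks."""
    msg = email.message_from_string(raw)
    from_domain = _dom(msg.get("From", ""))
    rp_domain = _dom(msg.get("Return-Path", ""))
    hops = parse_received(raw)
    flags = []
    if rp_domain and rp_domain != from_domain:
        flags.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # Only the hop our own server wrote is trustworthy; everything earlier
    # in the chain was written by the sender's side and may be forged.
    trusted = [h for h in hops if h["by"] == TRUSTED_RECEIVER]
    if not trusted:
        flags.append(f"no Received hop written by {TRUSTED_RECEIVER}; chain may be forged")
    else:
        handoff = trusted[0]["from"]
        if not (handoff == from_domain or handoff.endswith("." + from_domain)):
            flags.append(f"{handoff} handed the message to {TRUSTED_RECEIVER}, not a {from_domain} host")
    dates = [h["date"] for h in hops if h["date"]]
    if any(later < earlier for earlier, later in zip(dates, dates[1:])):
        flags.append("Received timestamps run backwards")
    return flags


if __name__ == "__main__":
    for hop in parse_received(SAMPLE):
        print(hop["from"], "->", hop["by"], hop["date"])
    print(analyse(SAMPLE))
```

On the sample this raises two flags: the Return-Path domain differs from the From domain, and the host that delivered to mx.example.net is mail.random-server.xyz rather than anything under chase.com. The bulk-mail caveat from the text applies to the first flag, which is why the hand-off check is reported separately.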
Quick Spoofing Detection Checklist
- View full email headers
- Check SPF result - should be pass
- Check DKIM result - should be pass
- Check DMARC result - should be pass (an aligned pass for the From domain)
- Compare Return-Path domain with From domain - should match, unless the sender uses a bulk-email provider
- Read Received headers bottom-to-top; the host that handed the message to your server should belong to the sender's domain
If any of these fail, the email is likely spoofed. If all of them pass, the email is genuine for the domain it names, which can still be a lookalike of the brand it imitates (see the FAQ). Use ScamVerify's email checker to automate this analysis.
FAQ
Can scammers pass all three authentication checks?
Yes, if they send from their own properly configured domain. An email from support@chase-security-alert.com can pass SPF, DKIM, and DMARC because the scammer owns that domain and configured it correctly. Authentication checks verify the sending domain - they do not verify that the domain belongs to the company being impersonated. Always check the actual domain name.
What if an email has no DKIM or DMARC records?
Many smaller organizations and older email systems do not have DKIM or DMARC configured. The absence alone does not prove spoofing, but it means you cannot verify the email's authenticity through those checks. Look at SPF and the Received headers instead.
Does ScamVerify check email headers automatically?
Yes. When you paste email content into ScamVerify's email checker, it analyzes headers (if included), sender domain reputation, and content patterns to assess risk. It checks the sender's domain against our threat intelligence databases and evaluates authentication signals.