Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

How to Tell if an Email Has Been Spoofed

by Josh Kirschner on September 24, 2023

Updated on 9/24/2023 with information on how to view email headers for Outlook, Yahoo!, Proton Mail, and Apple Mail.

There are numerous email scams that land in your inbox every day, from malware-ridden attachments supposedly from a friend to IRS impersonators to fake invoices from Geek Squad. And what makes many of these scams harder to recognize is that they rely on a “spoofed” email address to make it appear that they are coming from someone you trust (or even your own email address) rather than a scammer 6,000 miles away. So learning how to tell if an email has been spoofed is critical to protecting yourself.

Part of the reason why spoofed emails are so prevalent is that it is incredibly easy to spoof an address. Any mail server can be set up to send from a given domain (e.g. irs.gov), and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give it away as spoofed.

To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date, and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., Is this server authorized to send emails from irs.gov?).

How to find email header information

Showing your email headers varies depending on which email service you’re using. The instructions below are all for your computer or the "desktop view" using your phone's browser.

How to show email headers for Gmail

For Gmail, open the email and click on the three vertical dots next to the reply arrow and select “Show Original”.

Screenshot of Gmail message entitled  This is real email. Not scam. Honest. with the triple dot menu icon pointed out and a dropdown menu with Reply, Forward, Filter messages like this, Print, Delete this message, Block Josh Kirschner, Report spam Report phishing, show original (pointed out), translate message download message and mark as read.

How to show email headers for Outlook and Outlook.com

For Outlook, open the email. Click on "File" and then "Properties." The headers will show in the "Internet headers" box.

For Outlook.com, open the email. Click on the more icon (three dots) and select "View" and then "View message source." The headers will show in a pop-up box.

How to show email headers for Proton Mail

For Proton Mail, open the email. Click on the more icon (three dots) and select "View headers." The headers will show in a new window.

How to show email headers for Apple Mail

For Apple Mail, open the email. Click View > Message > All Headers. The headers will show in the window below your inbox.

How to show email headers for Yahoo! Mail

For Yahoo! Mail, open the email. Click on the more icon (three dots) and select “View raw message.” The headers will show in a new window.

How to find the header information that shows an email is spoofed

Below is an example of a spoofed email I sent from an online spoofing service pretending that it came from my own address. Looks pretty real. It says it came from my email address, and if I reply, it will go to that same address. In fact, unless it was filtered into my spam box by Gmail, the email will even show up in my Sent folder, which could leave me to believe, incorrectly, that my email was hacked.

But the header information gives it away as spoofed. There’s a lot of technical stuff in here, but you can ignore most of it. The two things that matter the most are the domain name and IP address in the “Received” field and the validation results in the Received-SPF field.

spoofed email header showing email being sent from is emkei.cz (the email spoofing site) in the email header Received field. Also pointed out is the Received-SPF showing as a softfail.

As you can see above, the domain name this email is being sent from is emkei.cz (the email spoofing site), not Techlicious.com, so that’s a dead giveaway. But if the domain name is similar or it’s listed as just an IP address, you should check the IP address, too, and see if that passes the smell test. To do that, go to Domain Tools and enter the “from” IP address in the Received field into the Whois Lookup. When I do that with 46.167.245.206 from the example above, it tells me this is a host called emkei.cz out of the Czech Republic – not what I would expect to see if this were really an email sent by Techlicious.

Next, if we look at the Received-SPF field and see that it is a soft fail. Sender Policy Framework (SPF) is a way for a domain (e.g., Techlicious.com) to specify what servers are permitted to send mail on its behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the results show “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.

Taken together, the sending IP address and the SPF validation will give you a very good sense of whether an email truly comes from the person purported to be sending it. And don’t forget to trust your gut. If an email sounds implausible, it probably is. Don’t respond directly or open any attachments. If it is a company, bank or government organization, find their contact information on the web and contact them directly to see if the email is legit.

[Image Credit: BigStock-Woman at Computer]

Josh Kirschner is the co-founder of Techlicious and has been covering consumer tech for more than a decade. Josh started his first company while still in college, a consumer electronics retailer focused on students. His writing has been featured in Today.com, NBC News and Time.


Topics

Computer Safety & Support, Computers and Software, Tips & How-Tos, Privacy, Tech 101


Discussion loading

gravatar

From james on November 03, 2018 :: 2:55 pm


the list you show is not good for yahoo e-mail.

Reply

gravatar

From Josh Kirschner on November 05, 2018 :: 11:27 am


To see the email header info in Yahoo, open the email, click the three horizontal dots in the menu at the top of the message, and then hit “View raw message”

Reply

gravatar

From Petah on March 25, 2021 :: 6:32 pm


does it mean its been hacked?  received more emails while I was on phone to friend checking that they were not real.  They do not show in his sent folder.  I can’t block his address otherwise won’t receive his legitimate emails. what can he do? what can I do?

Reply

gravatar

From Lara on November 08, 2018 :: 3:50 pm


The title says it already.

Reply

gravatar

From Josh Kirschner on November 09, 2018 :: 12:09 pm


While it is best practice to set up up SPF records for a domain and the vast majority of senders do it, not everyone does. So the SPF will show as “none”. In this case, you can’t confirm that it is legitimate nor tell if it is spoofed from the SPF record. So you should use common sense regarding the content of the email and, if you’re still not sure, contact the sender directly to confirm the legitimacy (and yell at them for not having an SPF record).

Reply

gravatar

From john on November 10, 2018 :: 8:09 pm


Too many moving parts on this site/page caused freeze on my mac-mini! Took about 5 minutes just to get here to tell you. I was going to share this on FB and Twitter but wouldn’t want to expose contacts to what seems like a malicious site in itself.

Reply

gravatar

From Josh Kirschner on November 12, 2018 :: 7:35 pm


We monitor the performance of the site regularly to manage performance across devices. However, it’s possible that one of our ad partners was delivering a new ad that may have impacted performance, especially if you’re running on an old device. I’ll keep an eye on things to see if I can spot the issue. But rest assured, there is nothing malicious going on with the site.

Reply

gravatar

From Skeeter Sanders on November 12, 2018 :: 4:23 pm


I use Microsoft Outlook (formerly Hotmail) as my primary email service. I’ve noticed that every time I get a “spoofed” email, the sender’s address shows up right in the heading.

I’mot sure if Microsoft’ anti-phishing system is configured to expose the sender’s true email adress to its users, but there have been plenty of instances in which an email supposedly coming from a major company (i.e., PayPal) shows a reutrn address that shows anything BUT “paypal.com.” I immediately report it to Microsoft as a “Phishing Scam,” using Outlook’s drop-down reporting menu.

Microsoft has long had a very aggressive anti-spam filter—far more aggressive than either Gmail or Yahoo Mail—so why would it not also have an aggressive anti-phishing filter that exposes the sender’s true email address? I’ve used Hotmail/Outlook for more than a decade and I’ve never been fooled by spam or malware-infected email.

Reply

gravatar

From JBof4 on November 16, 2018 :: 5:09 am


I too received this email introducing himself, expalining how he hacked my sbc email through router, asking for 800.00 bitcoins, the threats don’t concern me, but the fact he said he would give proof by noting my password at the time of hack, it was correct (well a few letters were missing but he had the remaining exactly.  He said he hacked my email summer 2018.  Im ignorant as to my next steps, change password again, but he said he’s following me and will still get new password, said he’s got access to my camera and takes pic of me.  Creepy.  I know its a scam, Im a middle age mom & do not watch pornography, what worries me, is he referring to my iPhone or Mac or both and how did he get my password, and can he get my new password once I change it?
Thank you.

Reply

gravatar

From Josh Kirschner on November 19, 2018 :: 1:57 pm


Your password was likely revealed as part of one of the many massive credential hacks that have taken place over the years. I highly doubt your individual system was hacked. I discuss this in more detail in our story on the porn blackmail scam.

If the password he sent you is one that you’re still actively using, however, that is very bad. It means your accounts are highly insecure and you need to change your passwords immediately. Going forward, make sure you always use strong, unique passwords for each of your logins. One of our recommended password managers makes it easy to do that.

Reply

gravatar

From JBof4 on November 19, 2018 :: 2:46 pm


Thanks for your reply.  I just got nervous when he wrote he hacked my email through my router and said not to bother changing my email password because he said he can follow to new password.  It’s no wonder why I’m getting 40-60 scam emails in my inbox recently.

Reply

gravatar

From Marcelo Von Atzingen Trevisani on December 06, 2018 :: 2:17 pm


Eu moro aqui no Brasil e recentemente recebi esta ameaça também e me senti terrivelmente ameaçado. Depois eu procurei pelo Bitcoin: 1122NYbAT2KkZDZ5TFvGy4D2Ut7eYfx4en e soube que ja constava na lista do https://www.bitcoinabuse.com/reports/1122NYbAT2KkZDZ5TFvGy4D2Ut7eYfx4en

Isto me tranquilizou um pouco. já estava indo para a Policia Federal do Brazil para fazer um boletim.

Ainda estou assustado, espero que seja mentira mesmo, pois é horrivel se sentir ameaçado.

Marcelo von

Reply

gravatar

From Jose Hicks on March 01, 2019 :: 3:03 pm


I try to have an optimal configuration in addition to that I have managed to mitigate trying to misuse my mail servers is the blocking of full ranges of addresses ips with which I have no relationship whatsoever. and above all, as you comment, do not forget to trust your instinct. Jose Hicks

Reply

gravatar

From DF on May 14, 2019 :: 9:10 pm


I got a scam email whose “Received” section shows some random website but the “Received-SPF” section shows “Pass”, with additional info including “envelope-from=” followed by yet a third website. Does this mean a scammer did hack a legitimate sender domain to send this? Should this concern me?

Reply

gravatar

From Josh Kirschner on May 17, 2019 :: 11:49 am


It depends how the SPF records are set up for the domain. If not set up properly, you might see a “pass” even if it shouldn’t be. Without more information, it’s hard to say for sure. Either way, spoofing or hacking, you know it’s not valid so treat it accordingly.

Reply

gravatar

From Ant on August 11, 2019 :: 11:47 pm


I received a Phishing message in my junk folder from my address plus my profile image. I believe it is spoofed because of the header info. I changed my password. Is there any other course of action I should take?

Reply

gravatar

From Josh Kirschner on August 13, 2019 :: 10:29 am


If your email has been spoofed (and it sounds likely given what you say about the header info and the fact your email provider sent it to junk), then there is nothing you need to do. Changing your password won’t make a difference since spoofing isn’t account hacking, it’s just someone using a tech trick to pretend to be you.

If your email is a business account, you can prevent spoofing by setting up your SPF and DKIM records properly, but this doesn’t apply to personal email accounts.

Reply

gravatar

From g saturn on August 13, 2019 :: 4:34 pm


I send hundreds of offers of porn nude pics male enhancement, update car warranty, health, life insurance ( something I looked for on amazon and the insane list goes on. here are some of the spoofed return emails I get.

————————————————-
ManPlus <ED_Solution@73165784.thenewsletters.club>
reply-to:
  .(JavaScript must be enabled to view this email address)

to:  .(JavaScript must be enabled to view this email address)

date:  Aug 13, 2019, 2:58 PM
subject:  * Drive Your Partner Crazy in Bed Tonight*
security:    thenewsletters.club did not encrypt this message


Warning<returen@chechss.keyword-on.net>via sub4.gleeze.com

reply-to:  .(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address)

to:  .(JavaScript must be enabled to view this email address)

date:  stcroix.raven - SOMEONE TRIED TO LOG INTO YOUR ACCOUUNT Alert: #851
subject:  sub4.gleeze.com
mailed-by:    Standard encryption (TLS) Learn more

security: 

Melissa <edu@educationsplans.com>,
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),
.(JavaScript must be enabled to view this email address),———————————————————————————

I know they are fake because my son said do not reply you will not get removed from any list you will simply get more. These are in my trash because I filtered with ” is spam, then delete”
here’s the problem Gmail will not delete them they just keep filling my trash day after day most are from the UK.  when you look up how to make them go away forever you get ” click the little upside triangle and click on block to block these or any user you do not want to get email from” its a lie there is no ” block sender” why does Google lie and why do they allow it to keep happening? they can stop some of it but they will not. I think they make money so there will never be a fix. you may write to them, however, they don’t care. the mail will not automatically delete from trash for 30 days. why is it not possible to delete all (since it is only manual), at one time, or set up an auto delete forever?
also, there are many pages when a search is done that have a green box with the word ad in it and you get the following error… This site can’t be reached http://www.googleadservices.com refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED. BS, why are they blocking any search?
you can not ask them they never reply, they do not care. any help from anyone would be apreciated. thank you

Reply

gravatar

From Josh Kirschner on August 14, 2019 :: 3:23 pm


First, you shouldn’t move spam to trash because then it will get mixed with your valid emails when you’re doing searches - just mark it is as spam and it should go to the spam folder. Either way, all messages in your trash and spam folders will autodelete after 30 days. You can always select all and delete everything manually if you want, but I really don’t see why you would bother since the messages are segregated into a spam folder that you would never be interacting with, anyhow.

For blocking senders, open an email and click on the three vertical dots in the upper right and you will see the option to Block “[SENDER NAME]”.

Reply

gravatar

From Ant on August 13, 2019 :: 8:57 pm


Thanks!

Reply

gravatar

From tazmo8448 on October 17, 2019 :: 3:42 pm


One way I use is to hover over the sender and see if it looks legit. If it doesn’t I send it to the company it is trying to spook like spoof at paypal dot com.

Reply

gravatar

From Dan Chien on October 25, 2019 :: 10:57 pm


First, this is in US patent 9674145.
There are many Received. Attacker may inject a Received in the header.  The one you need to look is the last one (usually the first one at top) that is written by your SMTP.

Thanks

Dan

Reply

gravatar

From DouInAmbler on April 10, 2020 :: 12:59 pm


A friend with Yahoo mail sends a legit email, but my reply gets strangely addressed to ‘uniforeverom at gmail’, which neither of us have ever heard of.
This problem can be seen in the header at “return-path=uniforever….”.
He found and deleted the unwanted ReplyTo option, and his next email was “clean”. But 30 minutes later the bogus To: address was back. There must be malware periodically resetting this parameter?
Very bad because all cc addresses plus email content is sent to parts unknown via hasty ReplyAll. Any history of this? I couldn’t find. Thanks

Reply

gravatar

From Josh Kirschner on April 10, 2020 :: 5:12 pm


Assuming he changed his reply to address in the Yahoo Mail settings (https://help.yahoo.com/kb/make-reply-to-address-blank-sln22036.html) and it still changed back, then the only other answer I have is that his email may be hacked. And whoever hacked it received a notification of the change and reset it. Your friend should definitely take the steps we outline for what to do when your email gets hacked.

I don’t have a good alternate answer for you.

Reply

gravatar

From DougInAmbler on April 10, 2020 :: 1:03 pm


Correction: the header shows parameters:
Return-Path: (legit name)
Reply-To: (bogus name)

Reply

gravatar

From DougInAmbler on April 10, 2020 :: 1:57 pm


If opinion is allowed here, I think the “Reply-To” email setting is an unnecessary vulnerability for individuals.

My understanding is that the only legit use is for bounced emails, so the bounces go to a separate mailbox typically within your organization. Furthermore it only makes sense to use it when sent from a “no-reply” mailbox, because a “manual” reply address would look surprising unless it closely resembled the original. And it’s extremely suspicious if the Reply-To address goes to a strange name in a different domain (like in my case comes in from @yahoo, goes back to @gmail.)

Therefore it’s only of use to bulk-mailers, spammers, and (legitimately) to owners of larger private email groups who want this convenient way to find bounces (there are plenty of other ways).

Outgoing SMTP servers should detect a domain-mismatch, at least, in the Reply-To parameter in the header, and flag the email before sending.

Reply

gravatar

From DougInAmbler on April 10, 2020 :: 2:26 pm


A very legit use of Reply-To is when we join email lists. All our replies must be directed not to the sender but to the group. But that still does not make it a good setting in an individual’s account.

Reply

gravatar

From DougInAmbler on April 10, 2020 :: 6:51 pm


Josh, thanks. My friend is elderly and remote, hard to help. I have told him to scan, and of course change Yahoo password. Results may come tomorrow, he is in Asia.
I will update with the outcome.

Reply

gravatar

From dona on June 26, 2020 :: 9:27 pm


so i got an email from someone from my own domain it says mail-by mydoamin.com sign by Hotmail
and as I said I checked original header I found my webmail Ip.. as long as I know I set my spf records to reject and all did as it supposes to be..  some spoor guy send me an email from my own domain ..t says mail by my own domain.com.. is there any way to stop they do that?

Reply

gravatar

From Gordon on July 30, 2020 :: 1:20 am


Hi Josh,

Great piece. Very useful.

Question: is it possible to find the domain/IP and Received field info in an email that has been forwarded to you?

I’m looking into a phishing case and asked the victim to send me an email from the person conducting it. When I look into the header of the email the victim sent me I only see info about the forwarder, not the original sender.*

Is there a way to dig deeper?

Any help would be appreciated.

Cheers,
Gordon

(* To view the full header I forwarded the forwarded email to my own Gmail account because that’s how I know to look at a full header. Can’t do it in Protonmail.)

Reply

gravatar

From Josh Kirschner on July 30, 2020 :: 10:03 am


From what I’ve seen, the original sender info doesn’t get transferred when someone forwards a message to you. The best option is probably to have the victim screenshot the info and send it to you. Though, realistically, I would be surprised if the person doing the phishing wasn’t using TOR or a VPN to anonymize their location.

Reply

gravatar

From Gordon on July 30, 2020 :: 7:26 pm


Thanks, that’s what I thought…
I also suspect the phisher would be disguising their origin and identity but I need to confirm that.
I already know they have cloned two email addresses to look like Yahoo addresses but they have both been spoofed. I’m trying to work out what the real addresses are.
Cheers and thanks for your time. I’m learning a lot from this site. I teach fact checking and verification to journalism students and this stuff is very useful.
Cheers,
Gordon

Reply

gravatar

From Josh Kirschner on July 31, 2020 :: 1:23 am


Since you teach fact checking, I need to fact check my earlier answer, which wasn’t quite accurate. It is likely that the sender is using an anonymizing service, like TOR, to access the sending account (to avoid tracing by law enforcement). But the email header wouldn’t contain the IP address associated with the sender’s IP address (hidden or otherwise); it would have the IP address/domain of the sender’s email server. That server would almost certainly be another dead end, since it was probably hacked or set up on a sketchy shared server provider and hidden behind an anonymous registration. Though you could always get lucky….

gravatar

From Micki on September 25, 2020 :: 3:28 pm


So I get this email from Techlicious.com this morning with the following subject title:

“How to Tell if an Email is Real of Spoofed”

Yes - typo included!  I chuckled because the first thing I look for in an email that’s trying to get me to click on links is GRAMMAR and SPELLING!

So I did not click on this particular email’s link - instead, I just went to Techlicious.com to send you this comment.

Thanks for the smile today!

Reply

gravatar

From Melle on October 20, 2020 :: 8:56 pm


Hi, I received an email addressed to .(JavaScript must be enabled to view this email address).  I dont have aol. It showed up in a personal email that I do NOT use for sales-y stuff and never get spam.  When I try to dig into the actual address that it was sent to, I cannot find anything.  Im sure its spoofed but I’m used to seeing this on the FROM field, not TO.  How do I verify?

Reply

gravatar

From Ronnie Walker on October 30, 2020 :: 7:08 am


I used the tool on an email in my inbox not spam or junk folder and the results come back as being sent from google

Here is the header

Will send header over next two post to long to put in one comment

Delivered-To: .(JavaScript must be enabled to view this email address)
Received: by 2002:a05:6504:1389:0:0:0:0 with SMTP id k9csp822192lto;
      Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy+l41b7KnNPYWAgmqCfM5sdYMCJbkOEWfBtGM8EduYFZIi91MMz6cPfVXGDzEEFZVLWknQ
X-Received: by 2002:a9f:2261:: with SMTP id 88mr1460064uad.32.1603925353509;
      Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603925353; cv=none;
      d=google.com; s=arc-20160816;
      b=giz+u1SthNR88z9tqnygiEVhrgsad9U2sk/H4hEl7TizvwBFSGUMlAovhpKHUeFzp4
      tecCj8ar3qHmdOxmUDbHQXtsSEWIcnStOWqhA5Id4PLD3xrZISeFQHcGe2yIkMy2YQAX
      JtB2CYKnfmfk1GoMTEXSnDgwzgn1S6rFbmzwKUGXgjRPxsx+YxErDtU5dWGSKs6CSjUN
      W+/S/k4L0kte41BYXIx8NXMPU41fkq+/42+6bGfeMC5PqpJDbVWjDguH0vcWJA+1j3JJ
      8Wb+NqQdbSlhRrUteUZKnpEeg22+iIEO7fvH5lgiXnb3ngNtSrbwbkqdtRsTC7v/Ts2P
      I54A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
      h=to:subject:message-id:date:from:in-reply-to:references:mime-version
      :dkim-signature;

Reply

gravatar

From Ronnie Walker on October 30, 2020 :: 7:14 am


bh=sTpYoulaPmI9U+Bch5KOodhbOExc9+NWTfL6zkreoI0=;
      b=vARFuHgw56TYc0Swos6SbH9ly6+X26bKYzE85Ur8ko0Dd9ItIpFk7WgeF+Bgw9L/Wk
      +S1zMgyRYfZWk2dZsw8XXQKmZ15OXLoeuh3in/dn3NRXoKT6C3IltO9f+IXf7DXcuqdB
      1jiXD2YHSWYCNYl3ABdmqu3sTU+TBPjmxL5Rv0YvF4N96FahWE+NzoIUZ+Wy8eGQHK5w
      hGrrfdm6IuFhTKhceEI9dObEq27W0PLDdIs7wfUbik2X1TGyLfHBB41EnQp9PtVTIP7C
      QyK5rVUewd/snYmViTnCfdzr+CwTVKR1Z6aQ24YkZ329eRatsSgpW6B/s3bcfxknDp+b
      r4Pw==
ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@gmail.com header.s=20161025 header.b=“W2C9/WKO”;
    spf=pass (google.com: domain of .(JavaScript must be enabled to view this email address) designates 209.85.220.41 as permitted sender) smtp.mailfrom=rosenroncame@gmail.com;
    dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <rosenroncame@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
      by mx.google.com with SMTPS id h5sor348115vsm.22.2020.10.28.15.49.13
      for <rjw75092@gmail.com>
      (Google Transport Security);
      Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of .(JavaScript must be enabled to view this email address) designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
    dkim=pass header.i=@gmail.com header.s=20161025 header.b=“W2C9/WKO”;
    spf=pass (google.com: domain of .(JavaScript must be enabled to view this email address) designates 209.85.220.41 as permitted sender) smtp.mailfrom=rosenroncame@gmail.com;
    dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=gmail.com; s=20161025;
      h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
      bh=sTpYoulaPmI9U+Bch5KOodhbOExc9+NWTfL6zkreoI0=;
      b=W2C9/WKOz+2HUTQhBg78b+RVzu5BTp/9Pxioq1Xw7WeC1AZjeg3YcpOCtmRSt/3uhw
      QqwIKE6C9516U7xfw1B5SxNmik9bRuVuoRP9xMwdjWygNCYgA1N+9ghqsCMB9xWMuaxG
      ClnuqGWGECzyAMY0DTboZH0ijgLJZ3vLw9FzExS9uj3Yf/179prG6pl3hbixM3y1WoCv
      yxxINEDr2F/4XKNmowVOGemH6dcx/2/bAqo87yOciDdGxseT3VWgimOlHnbRa+7ZJNP7
      AYvd0gdyon4KUuKJ5WlcFaVLCBC8SNwsB1+tIEqzGRedLVjRXHIDzPpzwqpv4MwkLhnY
      Arhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=1e100.net; s=20161025;
      h=x-gm-message-state:mime-version:references:in-reply-to:from:date
      :message-id:subject:to;
      bh=sTpYoulaPmI9U+Bch5KOodhbOExc9+NWTfL6zkreoI0=;
      b=SEhjCUmtR2OA6C3HQKCzrn7csOfXd2uS0eOFf5ezTWNqCGbI2RyykMORl11hUkGgxO
      7VIIcM3rns5dt65Ck5i5G3QWvrWLGNe0LxuuZWJpYAxyYkJLope2FX6II7UASM3qFU4k
      oGQpeYuyrqPlOQBSmsN7UgrPv7cvz968e0hk02sQiQaP8eQLtjCvb8J9PM5enztplCSA
      +q7NbVXLdemYSy6gQFYfHzy65F1m5Uy4TMphoUEUMYsXaCdIt/g8AhoH8mgEGg4IjkG1
      FZMeAa+og4T4Nge0yR+zcMxi4SqAwI2ouX+rCHV3FHAJjWMZno7RLPvF9hCaiEALiEB/
      ga2Q==
X-Gm-Message-State: AOAM5322+yZCcBIh/4JlUjAAf5e8SbIvPWe1+AZTAxjyMuD+2QLutv15 XBbR3zHS3xX9y6iCoSFIpCQB14GzO7PR3m19UzE=
X-Received: by 2002:a05:6102:3c8:: with SMTP id n8mt1239210vsq.31.1603925353150; Wed, 28 Oct 2020 15:49:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAGkt0=tG4uvQ266r_L+5Z1Zk-Vtr_VTobSCWhqAbH=eVFcwgpw@mail.gmail.com>
In-Reply-To: <CAGkt0=tG4uvQ266r_L+5Z1Zk-Vtr_VTobSCWhqAbH=eVFcwgpw@mail.gmail.com>
From: Stephanie Ly <rosenroncame@gmail.com>
Date: Thu, 29 Oct 2020 04:49:01 +0600
Message-ID: <CAGkt0=t3Ue_n00eZ-4t8KXVvxFzkc6Rq91wX+BG58i5MXsmWLg@mail.gmail.com>
Subject: Re:
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=“000000000000ec68f705b2c2f8ce”
Bcc: .(JavaScript must be enabled to view this email address)

Reply

gravatar

From Ronnie Walker on October 30, 2020 :: 7:15 am


—000000000000ec68f705b2c2f8ce
Content-Type: text/plain; charset=“UTF-8”
Content-Transfer-Encoding: quoted-printable

On Thu, Oct 29, 2020 at 4:47 AM Stephanie Ly <rosenroncame@gmail.com> wrote=
:

> *Hey baby I just started telling you about myself and what my plans are I
> want one woman I want I’m a ladies man and you know I want a relationship
> I’m fixing to buy a house in another year I’m in recovery I don’t drink.
> But it’s cool if you drink I don’t drink or drugs no no good but I*
>
>
> *=F0=9F=91=97=F0=9F=91=99=F0=9F=91=99=F0=9F=91=9D=F0=9F=92=AC=F0=9F=97=A8=
=F0=9F=91=84=F0=9F=92=8B[?][?]=F0=9F=92=91=F0=9F=92=9E*
>
> *  Sent from my iPhone   *
>

—000000000000ec68f705b2c2f8ce
Content-Type: text/html; charset=“UTF-8”
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr”>
</div>
<div class=3D"gmail_quote”><div dir=3D"ltr” =
class=3D"gmail_attr”>On Thu, Oct 29, 2020 at 4:47 AM Stephanie Ly <<a >rosenroncame@gmail.com</a>> wrote:<=
br></div><blockquote class=3D"gmail_quote” style=3D"margin:0px 0px 0px 0.8e=
x;border-left:1px solid rgb(204,204,204);padding-left:1ex”><div dir=3D"ltr”=
><div style=3D"text-align:center”><font color=3D”#444444”>Hey baby I jus=
t started telling you about myself and what my plans are I want one woman I=
want I'm a ladies man and you know I want a relationship I'm fixin=
g to buy a house in another year I'm in recovery I don't drink. But=
it's cool if you drink I don't drink or drugs no no good but I</fo=
nt>
</div><div style=3D"text-align:center”><font color=3D”#444444”><b=
r></font>
</div><div style=3D"text-align:center”><font color=3D”#4444=
44”>
</font>
</div><div><div style=3D"text-align:center”><font col=
or=3D”#444444”>=F0=9F=91=97=F0=9F=91=99=F0=9F=91=99=F0=9F=91=9D=F0=9F=92=AC=
=F0=9F=97=A8=F0=9F=91=84=F0=9F=92=8B=F3=BE=93=A6=F3=BE=93=A6=F0=9F=92=91=F0=
=9F=92=9E</font>
</div><div style=3D"text-align:center”><font color=
=3D”#444444”>
</font>
</div><div style=3D"text-align:center”><font=
color=3D”#444444”>=C2=A0 Sent from my iPhone=C2=A0 =C2=A0</font>
</div>=
</div></div>
</blockquote></div>

—000000000000ec68f705b2c2f8ce—

Reply

gravatar

From justina on December 02, 2021 :: 4:41 am


my Received from says google, but the sender domain is not google, its their website name. but the SPF says pass. does this just mean they are hosted by google? or that they have a personal email this is forwarded to?? also every time i look up the ip on different sites, i sometimes get different locations but it says google on the reverse lookup

i am new to this, learning as i go, so hopefully i provided the right information and its not a silly question..

Reply

gravatar

From dawn chappel on July 28, 2022 :: 10:28 am


This person hacked into my back account

BpVA

ARC-Authentication-Results: i1; mx.google.com;

dkin pass header.i-spiration.com heuder.ssl header.b-KoPVVpt; dkim=pass header.i=@sender id.info header.smtpapi head.b-Cox,

spf-pass (google.com: domain of bounces+1381704-bce5-artkitten2-gmail.com@mail.spiration.com designates 167 89.21.38 as permitted winder) st dman-pass ( BEJECT spaNNE di=NONE) freader from aspiration.com

Return-Path: <bounces+1381784-bces .(JavaScript must be enabled to view this email address) Received: from 02.email.uspiration.com (02.email.aspiration.com. [167.89.21.301)

by mx.google.com with FSHTPS k1251502896pk 145.2021 6.11.06.01.05. for .(JavaScript must be enabled to view this email address)>

(version=TI 1-3 cipher-TUS_AES_178 GCM_SHA256 bits=128/128);

Fri, 11 Jun 2021 00:01:05 0700 (PDT) Received-SPF: poss (noogle.com: domain of bounces 1381200-125 pikitten Cominal aspiration.com designates 167 m.21.30 a permitted sender)

Authentication-Results: m.google.com

dkimepass .(JavaScript must be enabled to view this email address) header.sss reader.b-kohvat;

dkim-pass header sendgrid Info ader.s-sinspapiider, 5-015qoui spf=pass (google.com domain of bounces+1381704 bces-artkitter .(JavaScript must be enabled to view this email address)/designates 167.89.21.29 as permitted under) sp

dmarc-pass (DREJECT sp=NONE UE) header.from-aspiration.com DKIM-Signature: v 1; a=rsa-sha256; c=relaxed/relaxed; deaspiration.com, -content-transfer-encoding:content-type from mire version:subject:

x-feedback ditug s=s1; bh=pacpte TVBBMeAuvox 32T SEzXu Berishibor=;

b-KPVhVptver V6U833my1zqk2Ukpmg/Yx37, NO±6ka=ySTOTYRT IbeGqEAUPatting Voi3d5apexjOFE

DKIM Signature: v=1; a=rsa-sha256; relased/relaxed; desenegrid_res hecontent transfer-encoding:content-type: from mixer Coruj

x-feedback-idito;

VYY 2m WTQ&Mohdintys; EevZP2xeaked twgyE5nk/G=1VUBA VALDXXG

B How

NASDAQ-40

Reply

gravatar

From JAMES N on March 22, 2023 :: 5:45 am


Hi,

I keep receiving mail from people I know and also strangers with spoofed email IDs.
The issue is the content of emails, which are from different email addresses that I sent emails to years ago, and contain the content I have sent out in the original mail to the sender.
So someone has my mail contents and is using them as a template to phish.
how can this happen?

Reply

gravatar

From Josh Kirschner on March 22, 2023 :: 11:53 am


It’s hard to diagnose what is actually happening without seeing the specific emails in question. However, if there is something going on that makes you think someone has access to your email content, the safest thing to do would to follow our advice on securing your email in our story on What to Do when Your Email Gets Hacked.

Reply

gravatar

From Mark Anderson on August 29, 2023 :: 4:03 am


Thanks for the article, most interesting.

As you say the SPF is not a particiualry accurate means of validating an email as it is a bit of a lottery.

I am however interested in the Receive: from field.

Could you let me know if that field is Always accurate ?

For example
a)
If .(JavaScript must be enabled to view this email address) sends an email
or .(JavaScript must be enabled to view this email address) sends an email

is that field guaranteed to contain
hotmail.com
bobo.com
respectively ?

b)
If say a scammer sent an email to .(JavaScript must be enabled to view this email address) from an email I recognize, say .(JavaScript must be enabled to view this email address)
but his SMTP is smtp.scammy.com
Is it guaranteed that the Receive: from fleld will contain smtp.scammy.com and there is no way that can be fiddles with ?

Thank you

Reply

gravatar

From fox on October 18, 2023 :: 11:15 pm


With Outlook on line, the three dots anywhere; any of them show the options for File and then Properties and I checked every other possibility to locate them as well.

This is the problem with most instructions like this.  Their stated procedures to follow in no way reflect the actual product.  I don’t understand where you guys get this stuff.  I just don’t.

Reply

gravatar

From Suzanne Kantra on October 19, 2023 :: 7:10 am


There’s an ad between the Outlook app instructions and the Outlook.com instructions, making it look like the app instructions are for both platforms.

So you have the Outlook.com instructions here:

Open the email. Click on the more icon (three dots) and select “View” and then “View message source.” The headers will show in a pop-up box.

Reply

gravatar

From Echo on November 03, 2023 :: 10:24 pm


That do this stuff. I’d like to kick em where it hurts!

Reply

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.