Updated on 9/24/2023 with information on how to view email headers for Outlook, Yahoo!, Proton Mail, and Apple Mail.
There are numerous email scams that land in your inbox every day, from malware-ridden attachments supposedly from a friend to IRS impersonators to fake invoices from Geek Squad. And what makes many of these scams harder to recognize is that they rely on a “spoofed” email address to make it appear that they are coming from someone you trust (or even your own email address) rather than a scammer 6,000 miles away. So learning how to tell if an email has been spoofed is critical to protecting yourself.
Part of the reason why spoofed emails are so prevalent is that it is incredibly easy to spoof an address. Any mail server can be set up to send from a given domain (e.g. irs.gov), and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give it away as spoofed.
To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date, and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., Is this server authorized to send emails from irs.gov?).
How to find email header information
Showing your email headers varies depending on which email service you’re using. The instructions below are all for your computer or the "desktop view" using your phone's browser.
How to show email headers for Gmail
For Gmail, open the email and click on the three vertical dots next to the reply arrow and select “Show Original”.
How to show email headers for Outlook and Outlook.com
For Outlook, open the email. Click on "File" and then "Properties." The headers will show in the "Internet headers" box.
For Outlook.com, open the email. Click on the more icon (three dots) and select "View" and then "View message source." The headers will show in a pop-up box.
How to show email headers for Proton Mail
For Proton Mail, open the email. Click on the more icon (three dots) and select "View headers." The headers will show in a new window.
How to show email headers for Apple Mail
For Apple Mail, open the email. Click View > Message > All Headers. The headers will show in the window below your inbox.
How to show email headers for Yahoo! Mail
For Yahoo! Mail, open the email. Click on the more icon (three dots) and select “View raw message.” The headers will show in a new window.
How to find the header information that shows an email is spoofed
Below is an example of a spoofed email I sent from an online spoofing service pretending that it came from my own address. Looks pretty real. It says it came from my email address, and if I reply, it will go to that same address. In fact, unless it was filtered into my spam box by Gmail, the email will even show up in my Sent folder, which could lead me to believe, incorrectly, that my email was hacked.
But the header information gives it away as spoofed. There’s a lot of technical stuff in here, but you can ignore most of it. The two things that matter the most are the domain name and IP address in the “Received” field and the validation results in the Received-SPF field.
As you can see above, the domain name this email is being sent from is emkei.cz (the email spoofing site), not Techlicious.com, so that’s a dead giveaway. But if the domain name is similar or it’s listed as just an IP address, you should check the IP address, too, and see if that passes the smell test. To do that, go to Domain Tools and enter the “from” IP address in the Received field into the Whois Lookup. When I do that with 184.108.40.206 from the example above, it tells me this is a host called emkei.cz out of the Czech Republic – not what I would expect to see if this were really an email sent by Techlicious.
Next, look at the Received-SPF field: in this example, it shows a soft fail. Sender Policy Framework (SPF) is a way for a domain (e.g., Techlicious.com) to specify what servers are permitted to send mail on its behalf. Mail sent from permitted servers will show up as “Pass” in the Received-SPF field, which is a very strong indicator that the email is legitimate. If the result shows “Fail” or “Softfail”, that’s a sign the email may be spoofed, though it’s not 100% certain since some domains don’t keep their SPF records up to date, resulting in validation failures.
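As an added illustration (not code from the article), here is a small Python script that applies the two checks above to a raw header block: it pulls the sending server and its IP out of the Received line, reads the Received-SPF result, and compares the server against the From domain. The sample headers are constructed to mirror the spoofed message described above; the IP address is a documentation-range placeholder, not the one the article looked up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the article's spoofed message (not its
# actual header dump); the IP is from the RFC 5737 documentation range.
SPOOFED_HEADERS = """\
Received: by 2002:a17:90a:1234:0:0:0:0 with SMTP id xyz; Sun, 24 Sep 2023 10:00:01 -0700 (PDT)
Received: from emkei.cz (emkei.cz. [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
        for <me@techlicious.com>; Sun, 24 Sep 2023 10:00:00 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning me@techlicious.com does not designate 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: Me <me@techlicious.com>
To: me@techlicious.com
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)\s*\(([^)]*)\)", re.IGNORECASE)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract(raw_message):
    """Pull out the From domain, the originating server, and the SPF result."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Your provider prepends its own Received lines, so the server that handed
    # the message to it is the LAST "Received: from ..." header, not the first.
    origin_host = origin_ip = None
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(" ".join(value.split()))  # unfold, then match
        if m:
            origin_host = m.group(1).lower().rstrip(".")
            ip = IP_IN_BRACKETS.search(m.group(2))
            origin_ip = ip.group(1) if ip else None
            break
    spf = " ".join(msg.get("Received-SPF", "").split())
    spf_result = spf.split(" ", 1)[0].lower() if spf else None
    return {"from_domain": from_domain, "origin_host": origin_host,
            "origin_ip": origin_ip, "spf_result": spf_result}


def suspicious_signs(raw_message):
    """Apply the article's two checks and return the warning signs found."""
    f = extract(raw_message)
    host, dom = f["origin_host"], f["from_domain"]
    signs = []
    if host and dom and host != dom and not host.endswith("." + dom):
        signs.append(f"sent via {host} ({f['origin_ip']}), not a {dom} server")
    if f["spf_result"] in ("fail", "softfail"):
        signs.append(f"Received-SPF is {f['spf_result']}")
    return signs
```

Paste the header block from "Show Original" (or its equivalent) into `SPOOFED_HEADERS` to run the same checks on a message of your own; an empty list from `suspicious_signs` means neither warning sign was found, not that the mail is safe.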
Taken together, the sending IP address and the SPF validation will give you a very good sense of whether an email truly comes from the person purported to be sending it. And don’t forget to trust your gut. If an email sounds implausible, it probably is. Don’t respond directly or open any attachments. If it is a company, bank or government organization, find their contact information on the web and contact them directly to see if the email is legit.