Viewing Email Header Information
While I'm no expert on this, I'll try to give some hopefully helpful advice since I've talked to a couple of people about this recently. Many people know how to spot a fake email because it's usually part of mandatory training at work, but many people don't.
Email scammers have gotten better over time. Our email servers catch most of these messages and dump them in your spam folder, but a few still get through. Sometimes a fake is easy to spot, but sometimes they do a good enough job of making it "appear" real that you wonder whether you should be worried about what it says.
So, if an email does get into your Inbox and you're worried it might be real and you might need to act, there are ways to check. First, if it claims to be from a company or website you actually deal with, like PayPal, go to your account on the company's own site and check the transactions there. Another way is to look at the header, which I talk about below.
To go behind the scenes:
It might show a trusted sender address like "service@paypal.com", as in the photo at the top of this page, and the "To" field you're used to seeing might show your own address (in this case the address shown is not the one the message was actually delivered to), but all of that can be forged. Some of the links in the email might even be genuine, but the link they want you to act on usually isn't what it appears to be.
If it shows a receipt for a product or a transaction and gives you the option to dispute it if you didn't make the purchase, that is the classic pattern for this scam, so treat the email as fake unless the official site confirms the transaction. The easiest way to know for sure is to log into the official PayPal website, or into your credit card or bank account, and look for the transaction there. Sophisticated scams may even show the last 4 digits of your credit card or bank account to make you more worried that it's real. Never call numbers in the email, never click on any of its links, and don't open any attachments even if they look harmless.
The best way to know whether an email really came from the company is to check the header information. What you see in your mail client is a rendered view: the raw email is plain text made up of a block of headers followed by the body, and the client formats it so it's easy to read. The raw headers are where the evidence is.
A friend sent me the information in the screenshot at the top of this page so I could look at it. The "From" field looks legit, and it passed the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) tests, which are both in place to help detect spoofed emails, but in this case the scammer was somehow able to trick those tests into passing, which makes it more likely to be delivered to your Inbox instead of your Spam folder.
The "To" section shows a very strange email address, and it's not my friend's address, so that is a red flag. Everything else in that part of the header looks OK, since the "From" is valid and it passed the 2 tests, but that still doesn't mean it's real.
You have to analyze the full email header to work out where the message actually came from and where replies would actually go.
A guide on how to view email headers on various email services:
https://support.google.com/mail/answer/29436?hl=en#zippy=%2Cother-mail-services%2Cgmail
Once you have the header open, copy everything from the first line down to the end of the header block. The header block is everything above the first blank line; the message body follows that blank line and is not part of the header. In this example the last header line reads "Content-Length", but that isn't guaranteed to be the last header in every message, so go by the blank line.
I like MX Toolbox's Message Header Analyzer tool because it gives you the red flags and a lot more information:
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=9980abcd-ac0c-4698-9273-3bfaa6ed7a1e
Google also has an analyzer tool: https://toolbox.googleapps.com/apps/messageheader/analyzeheader
In the MX Toolbox tool there may be a red X or two in the summary at the top even for a valid email. More than one is a warning sign, but the useful detail is further down in the "Headers Found" section. Compare the "X-Apparently-To" header (added by Yahoo's mail servers to record the mailbox the message was actually delivered to) with the "To" header; they should be the same, and a mismatch means the visible "To" address isn't the real recipient. Compare the "From" and "Reply-To" headers as well: the domains should be the same, because "Reply-To" is where your reply would actually go. Also keep in mind that an SPF or DKIM pass only proves the message came from, or was signed by, the domain that was checked; look at which domain that is and whether it matches the "From" domain.
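As an added example (not from the original post, and not the code behind any of the tools linked above), here is a small Python script that applies those same comparisons to a raw message using only the standard library: it cuts the header block at the first blank line, compares "From" with "Reply-To", compares "To" with the delivery address ("X-Apparently-To", or the "for <...>" clause of the receiving server's own "Received" line when that header is absent), reads the SPF/DKIM results, and checks which domain the DKIM signature actually vouches for. Both messages are constructed samples, not real mail; every domain, address and IP in them is made up.

```python
"""Added example (not from the original post): triage of a raw email's header
block along the lines of the checks above, using only the standard library."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a real message: a PayPal-looking receipt that passes
# SPF/DKIM for the relay that sent it, but whose Reply-To goes elsewhere and
# whose visible To is not the mailbox it was actually delivered to.
PHISH_EML = """\
Received: from mail.example-relay.net (mail.example-relay.net [203.0.113.7])
\tby mx.example-mailbox.com with ESMTPS id abc123
\tfor <alice@example-mailbox.com>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from bulk-sender.invalid (unknown [198.51.100.23])
\tby mail.example-relay.net with SMTP; Mon, 01 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example-mailbox.com;
\tspf=pass smtp.mailfrom=bounce@example-relay.net;
\tdkim=pass header.d=example-relay.net
X-Apparently-To: alice@example-mailbox.com
From: "service@paypal.com" <service@paypal.com>
Reply-To: disputes@refund-center.invalid
To: zz7qk2@randombox.invalid
Subject: Receipt for your payment
Content-Length: 58

You paid $499.00. If this was not you, call 555-0100 now.
"""

# Constructed sample of a genuine-looking message: no Reply-To (replies go to
# From), DKIM d= is the From domain, and To matches the delivery address.
CLEAN_EML = """\
Received: from mx1.paypal.com (mx1.paypal.com [192.0.2.10])
\tby mx.example-mailbox.com with ESMTPS id def456
\tfor <alice@example-mailbox.com>; Mon, 01 Jan 2024 11:00:00 +0000
Authentication-Results: mx.example-mailbox.com;
\tspf=pass smtp.mailfrom=service@paypal.com; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: alice@example-mailbox.com

You paid $12.00 to Example Store.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_block(raw):
    """Everything before the first blank line; the body follows that line.
    No particular header name marks the end of the headers."""
    return raw.replace("\r\n", "\n").split("\n\n", 1)[0]


def domain_of(addr):
    """Lower-cased domain of an address ('' if there is none)."""
    addr = parseaddr(addr or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _find(pattern, text, default=""):
    m = re.search(pattern, text)
    return m.group(1).lower() if m else default


def triage(raw):
    """Return the fields worth comparing plus a list of red flags."""
    msg = message_from_string(header_block(raw) + "\n\n", policy=policy.default)
    received = [str(r) for r in msg.get_all("Received", [])]
    auth = str(msg.get("Authentication-Results", ""))
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", ""))) or from_dom
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    # Where it really landed: X-Apparently-To (added by Yahoo) if present,
    # else the "for <...>" clause of the receiving server's own Received line.
    delivered = str(msg.get("X-Apparently-To", "")).strip().lower()
    if not delivered and received:
        delivered = _find(r"\bfor\s+<([^>]+)>", received[0])
    spf = _find(r"\bspf=(\w+)", auth, "none")
    dkim = _find(r"\bdkim=(\w+)", auth, "none")
    dkim_dom = _find(r"\bheader\.d=([\w.-]+)", auth)

    flags = []
    if reply_dom != from_dom:
        flags.append("reply-to-domain-differs")
    if delivered and to_addr != delivered:
        flags.append("to-differs-from-delivered-address")
    if spf != "pass":
        flags.append("spf-not-pass")
    if dkim != "pass":
        flags.append("dkim-not-pass")
    # A DKIM pass only proves which domain signed it. If that is not the From
    # domain (or a subdomain of it), the pass says nothing about the brand.
    elif not (dkim_dom == from_dom or dkim_dom.endswith("." + from_dom)):
        flags.append("dkim-signed-by-other-domain")
    return {
        "from_domain": from_dom, "reply_to_domain": reply_dom,
        "to": to_addr, "delivered_to": delivered,
        "spf": spf, "dkim": dkim, "dkim_domain": dkim_dom,
        # Each hop prepends its own Received line, so the bottom one is the
        # earliest hop visible; its bracketed IP is the origin to look up.
        "origin_ip": _find(IPV4_IN_BRACKETS, received[-1]) if received else "",
        "flags": flags,
    }
```

Calling triage(PHISH_EML) flags the "Reply-To" mismatch, the "To" versus delivery-address mismatch, and a DKIM signature from a domain other than the one in "From", even though SPF and DKIM both read "pass"; triage(CLEAN_EML) returns no flags. To check a message of your own, save it as a .eml file and call triage(open("message.eml").read()). The "origin_ip" field is the address from the bottom-most "Received" line, which is the one worth looking up; the lines above it were added by servers closer to you.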
Another good resource with more information:
https://intezer.com/blog/incident-response/automate-analysis-phishing-email-files/