1 Introduction
Email remains one of the most common initial access vectors. A suspicious email can carry phishing links, malware attachments, or social-engineering lures designed to trick you into revealing sensitive information or acting on the attacker's behalf. Learning to read an email's technical details is an essential skill for any security analyst.
Think of an email like a physical letter. The content you read is just the message inside the envelope. But the envelope itself carries valuable information: the return address, the postmark, the stamps. In email, this envelope information is contained in the email headers -- hidden metadata that reveals the true origin and path of the message.
The three pillars of email authentication
SPF
Which servers are allowed to send email for this domain?
DKIM
Has the message been tampered with in transit?
DMARC
What should happen if SPF or DKIM fails?
2 How It Works
To analyze a suspicious email you need its full raw headers, not just what the mail client displays (most clients expose them under an option such as "Show original" or "View message source"). Export the message as an .eml file or copy the headers, then inspect the authentication results and the path the message took.
Key email headers to examine
From
The displayed sender address. This is trivially easy to forge -- never trust it alone. Always compare it to the actual sending infrastructure revealed in other headers.
Reply-To
Where replies are sent. A mismatch between From and Reply-To is a classic phishing indicator. The attacker spoofs the From but wants replies at their own address.
Received
Each mail server that handles the message prepends a "Received:" header, so the chain reads from bottom (origin) to top (your inbox). Only the headers added by servers you operate are trustworthy: the sender controls everything below the point where the message entered your infrastructure and can forge earlier Received headers. The reliable origin is therefore the IP that connected to your own boundary server, recorded in the lowest Received header written by that server.
Message-ID
A unique identifier assigned when the message was created, normally containing the domain of the originating system. A Message-ID domain that differs from the From domain is a spoofing indicator, though legitimate mail sent through a third-party bulk mailer or ticketing system can show the same thing, so treat it as a corroborating signal rather than proof.
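The checks described for these four headers, as an added example (not code from the page or from mlab.sh): it parses a constructed CEO-fraud style message with Python's standard email module, walks the Received chain origin-first, and flags a From/Reply-To domain mismatch and a Message-ID domain mismatch. All hostnames, addresses and IPs in the sample are made up for the demo.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): a CEO-fraud style message that spoofs
# corp.example in the From header but routes replies to the attacker's domain.
SAMPLE_EML = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
    by inbox.corp.example with ESMTPS id abc123; Tue, 1 Oct 2024 09:00:02 +0000
Received: from mail-relay.bulk-host.invalid (mail-relay.bulk-host.invalid [198.51.100.23])
    by mx.corp.example with ESMTP id xyz789; Tue, 1 Oct 2024 09:00:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by mail-relay.bulk-host.invalid; Tue, 1 Oct 2024 08:59:58 +0000
From: "Jane Doe" <jane.doe@corp.example>
Reply-To: jane.doe.ceo@mail-attacker.invalid
To: finance@corp.example
Subject: Urgent wire transfer
Message-ID: <20241001085958.1234@mail-relay.bulk-host.invalid>
Date: Tue, 1 Oct 2024 08:59:58 +0000
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice today.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>' ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def received_chain(msg) -> list:
    """Return (from, by) pairs in transit order, origin first.

    MTAs prepend their Received header, so header order is newest-first;
    reversing it reads bottom-to-top as described above.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold and normalise whitespace
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", text)
        if m:
            hops.append((m.group(1), m.group(2).rstrip(";,")))
        else:
            hops.append((text, "?"))
    return hops


def analyze_headers(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    reply_to = msg.get("Reply-To")
    # No Reply-To means replies go back to From, so nothing to compare.
    reply_domain = domain_of(str(reply_to)) if reply_to else from_domain
    message_id = str(msg.get("Message-ID", "")).strip().strip("<>")
    msgid_domain = message_id.rpartition("@")[2].lower()

    flags = []
    if reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")
    if msgid_domain and msgid_domain != from_domain:
        flags.append("message-id-domain-mismatch")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "message_id_domain": msgid_domain,
        "hops": received_chain(msg),
        "flags": flags,
    }


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_EML)
    for hop_from, hop_by in report["hops"]:
        print(f"  {hop_from} -> {hop_by}")
    print("flags:", report["flags"])
```

The Received parsing is deliberately loose (the header is free-form in practice); the point of the example is the ordering and the domain comparisons, which are the checks an analyst applies by eye.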
How SPF, DKIM, and DMARC work together
SPF (Sender Policy Framework)
The domain owner publishes a DNS TXT record listing which IP addresses (or which other domains' records, via include:) are authorized to send email on their behalf. The receiving server looks up the record for the envelope sender domain (the SMTP MAIL FROM, visible as Return-Path), not the From header, and checks whether the connecting IP is on the list. The trailing qualifier decides what happens to everyone else: ~all is a softfail, -all is a hard fail.
v=spf1 include:_spf.google.com ~all
DKIM (DomainKeys Identified Mail)
The sending server signs selected headers and the body with a private key. The receiving server fetches the matching public key from DNS at <selector>._domainkey.<d= domain> (for the example below, selector1._domainkey.example.com) and verifies the signature. If the signed parts were modified in transit, the signature breaks. DKIM proves that the signing domain (d=) vouched for the message; it does not by itself prove that d= matches the From header.
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Ties SPF and DKIM to the From header. A message passes DMARC if at least one of the two passes and the domain it authenticated (the Return-Path domain for SPF, the d= domain for DKIM) aligns with the From domain; SPF or DKIM passing for an unrelated domain does not count. The record also tells receiving servers what to do on failure: do nothing (p=none), quarantine, or reject the message, and where to send aggregate reports (rua).
v=DMARC1; p=reject; rua=mailto:[email protected]
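How the three work together, as an added example (not code from the page or from mlab.sh): a small DMARC evaluator that takes raw SPF and DKIM outcomes plus the domains they authenticated, applies relaxed or strict alignment against the From domain, and returns the disposition from the policy record. The record and domains are constructed for the demo, and the organisational-domain rule is a two-label approximation of the Public Suffix List lookup real verifiers use.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dictionary with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.

    Assumption for this demo: real DMARC evaluators use the Public Suffix List
    (so news.bbc.co.uk -> bbc.co.uk); the two-label rule is wrong for such domains.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Does the domain SPF or DKIM authenticated align with the From domain?"""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Combine raw SPF/DKIM outcomes with alignment, as a DMARC verifier does.

    spf_domain is the envelope MAIL FROM (Return-Path) domain SPF was checked
    against; dkim_domain is the d= tag of the DKIM-Signature that verified.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # The policy applies only on failure; a pass means deliver normally.
        "disposition": "none" if passed else tags["p"],
    }


# Constructed record for corp.example (the report address is made up for the demo).
CORP_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@corp.example"

if __name__ == "__main__":
    # Legitimate: bounces go to bounce.corp.example, DKIM signed by corp.example.
    print(evaluate_dmarc("corp.example", "pass", "bounce.corp.example",
                         "pass", "corp.example", CORP_RECORD))
    # Spoof: SPF and DKIM both *pass*, but for the attacker's own domain, so
    # neither aligns with the From domain and the reject policy applies.
    print(evaluate_dmarc("corp.example", "pass", "bulk-host.invalid",
                         "pass", "bulk-host.invalid", CORP_RECORD))
```

The second call is the case worth remembering: an attacker who sends from a domain they own gets SPF=pass and DKIM=pass for that domain, and only the DMARC alignment check notices that neither has anything to do with the From header.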
3 Detailed Analysis
Step-by-step email investigation
Check the From address carefully
Look beyond the display name: the address inside the angle brackets is the real From. "Bank of America <[email protected]>" pairs a trusted name with an address on a domain the bank does not own, which is the tell. Read the domain right to left and watch for lookalike characters and extra labels.
Examine the authentication results
Look for the "Authentication-Results" header added by your own receiving server; it names that server (the authserv-id) before the results. SPF=pass, DKIM=pass and DMARC=pass are good signs, and any failure is a red flag. Ignore Authentication-Results headers that claim to come from other servers: the sender can insert those before the message ever reaches you.
Trace the Received headers
Read from bottom to top, trusting only the headers your own servers added. The IP that connected to your boundary server should belong to the claimed sender's infrastructure. An email "from Google" that was handed to you by an unrelated hosting provider's server is forged, whatever the From header says.
Inspect links without clicking
Hover over every link to see the real URL. Check if it matches the claimed sender. Use a URL analysis tool for further investigation.
Analyze attachments safely
Never open suspicious attachments directly. Check the file hash against threat intelligence databases, or use a sandboxed environment for analysis.
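Steps 2 and 3 of the investigation above, as an added example (not code from the page or from mlab.sh): it reads only the Authentication-Results header stamped by a trusted authserv-id, ignoring a forged one the sender injected, and recovers the originating IP as the address that connected to one of our own MTAs rather than whatever the bottom-most Received header claims. The trusted host names, IPs and the sample message are all constructed for the demo.

```python
import re
import email
import ipaddress
from email import policy

# Hosts whose Authentication-Results and Received headers we trust because we
# operate them (assumed for this demo).
TRUSTED_AUTHSERV_IDS = {"mx.corp.example"}
OUR_MTAS = {"mx.corp.example", "inbox.corp.example"}
OUR_IPS = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample (not a real capture). The sender injected a fake
# Authentication-Results header claiming mail.google.com verified everything;
# our own MX later recorded the real outcome.
SAMPLE_EML = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
    by inbox.corp.example with ESMTPS id abc123; Tue, 1 Oct 2024 09:00:02 +0000
Authentication-Results: mx.corp.example;
    spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=bulk-host.invalid;
    dkim=none;
    dmarc=fail (p=REJECT) header.from=corp.example
Received: from mail-relay.bulk-host.invalid (mail-relay.bulk-host.invalid [198.51.100.23])
    by mx.corp.example with ESMTP id xyz789; Tue, 1 Oct 2024 09:00:01 +0000
Authentication-Results: mail.google.com; spf=pass smtp.mailfrom=corp.example;
    dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by mail-relay.bulk-host.invalid; Tue, 1 Oct 2024 08:59:58 +0000
From: "Jane Doe" <jane.doe@corp.example>
To: finance@corp.example
Subject: Urgent wire transfer
Message-ID: <20241001085958.1234@mail-relay.bulk-host.invalid>
Date: Tue, 1 Oct 2024 08:59:58 +0000
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice today.
"""


def parse_auth_results(value: str):
    """Split an Authentication-Results value into (authserv-id, {method: {...}}).

    Shape (RFC 8601): authserv-id; method=result [(comment)] [ptype.prop=value ...]; ...
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()
    results = {}
    for stmt in parts[1:]:
        stmt = re.sub(r"\([^)]*\)", " ", stmt)  # drop parenthesised comments
        tokens = stmt.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def trusted_auth_results(msg) -> dict:
    """Use only the Authentication-Results header stamped by our own MTA."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(value))
        if authserv_id in TRUSTED_AUTHSERV_IDS:
            return results
    return {}


def originating_ip(msg):
    """IP that connected to our boundary MTA: the first Received header (newest
    first) written *by* one of our hosts *from* an address that is not ours.
    Received headers below that point were written by systems the sender
    controls and cannot be trusted."""
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())
        from_part, _, by_part = text.partition(" by ")
        by_host = by_part.split()[0].rstrip(";,").lower() if by_part else ""
        if by_host not in OUR_MTAS:
            continue
        for literal in re.findall(r"\[([0-9A-Fa-f.:]+)\]", from_part):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue
            if addr not in OUR_IPS:
                return str(addr)
    return None


def investigate(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    results = trusted_auth_results(msg)
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        outcome = results.get(method, {}).get("result", "missing")
        if outcome != "pass":
            findings.append(f"{method}={outcome}")
    return {"auth": results, "origin_ip": originating_ip(msg), "findings": findings}


if __name__ == "__main__":
    print(investigate(SAMPLE_EML))
```

Run against the sample, the forged header claiming three passes is discarded, the trusted one yields spf=fail, dkim=none, dmarc=fail, and the origin is 198.51.100.23 (the relay that connected to our MX), not the 192.0.2.55 literal the sender wrote into the lowest Received header.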
Authentication results cheat sheet
The risk levels below assume the results come from your own receiving server and that the passing domain aligns with the From domain (see DMARC above); a pass for an unrelated domain is not reassuring.
| SPF / DKIM result | SPF meaning | DKIM meaning | Risk level |
|---|---|---|---|
| Pass / Pass | Authorized server | Signature valid | Low |
| Softfail / Pass | Not explicitly authorized | Signature valid | Medium |
| Fail / Fail | Unauthorized server | Signature invalid | Critical |
| None / None | No SPF record | No DKIM signature | High |
4 Red Flags
Here are the warning signs that an email may be malicious:
From and Reply-To mismatch
The email appears to come from your CEO but the Reply-To points to a Gmail address. This is a classic Business Email Compromise (BEC) indicator.
SPF or DKIM failure
Authentication failures mean the message arrived from a server the sender's domain has not authorized, or that signed content was altered in transit. This is a strong spoofing indicator, with one common benign cause: forwarding and mailing lists routinely break SPF, and lists that rewrite the subject or body break DKIM, so check whether the message took such a path before concluding it is forged.
Generic greeting
"Dear Customer" or "Dear User" instead of your actual name. Services that hold your account details usually address you by name, so a generic greeting suggests a mass mailing sent to a harvested list.
Unexpected attachment
Especially dangerous file types: .exe, .scr, .js, .vbs, .iso, .img, or password-protected .zip files. Executables and scripts run directly; disk images and encrypted archives are favoured because gateway scanners cannot inspect their contents, with the archive password supplied in the email body.
Urgency and threats
"Your account has been compromised", "Pay immediately or face legal action". Pressure tactics are designed to make you act before you think.
Grammar and formatting errors
Professional organizations proofread their communications. Multiple grammar mistakes, odd formatting, or mixed languages suggest a mass phishing campaign.
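The attachment red flag above, as an added example (not code from the page or from mlab.sh): it builds a constructed three-attachment message with Python's email module, then triages each attachment for the listed dangerous extensions, a decoy double extension such as Invoice.pdf.exe, a PDF whose bytes are not a PDF, and a password-protected zip, which it detects from the encrypted bit in the zip local file header rather than by trying to open the archive. The filenames, payloads and addresses are made up for the demo.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Extensions the text above lists as common malware carriers.
DANGEROUS_EXTS = {"exe", "scr", "js", "vbs", "iso", "img"}
# Document extensions attackers put in front of the real executable extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def encrypted_zip(data: bytes) -> bool:
    """True if the first local file header has the 'encrypted' flag (bit 0) set.

    A password-protected zip still has a readable 30-byte header; bit 0 of the
    general-purpose flag field at offset 6 marks the entry as encrypted.
    """
    if len(data) < 30 or not data.startswith(ZIP_LOCAL_HEADER):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the red flags for one attachment (empty list means nothing found)."""
    flags = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in DANGEROUS_EXTS:
        flags.append(f"dangerous-extension:{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS and ext not in DECOY_EXTS:
        flags.append("double-extension")
    if data.startswith(ZIP_LOCAL_HEADER) and encrypted_zip(data):
        flags.append("password-protected-zip")
    if ext == "pdf" and not data.startswith(b"%PDF"):
        flags.append("extension-content-mismatch")
    return flags


def triage_message(raw: str) -> dict:
    """Map each attachment filename to its red flags, for a raw .eml string."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):   # text/* attachments decode to str
            payload = payload.encode()
        report[name] = triage_attachment(name, payload)
    return report


def build_sample() -> str:
    """Constructed sample message (not a real capture) with three attachments."""
    # Minimal 30-byte zip local file header with the encrypted flag set and no
    # entry data: enough to exercise the header check.
    enc_zip = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0, 0, 0, 0, 0, 0)
    msg = EmailMessage()
    msg["From"] = "accounts@corp.example"
    msg["To"] = "finance@corp.example"
    msg["Subject"] = "Invoices"
    msg.set_content("Please review the attached invoices.")
    msg.add_attachment(enc_zip, maintype="application", subtype="zip",
                       filename="Invoice_2024.zip")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="Statement.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for name, flags in triage_message(build_sample()).items():
        print(f"{name}: {flags or 'clean'}")
```

None of this opens or executes anything: the checks read filenames and the first bytes of each part, which is as far as a triage step should go before the sample is handed to a sandbox or hashed and looked up.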
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/suspicious-email
Module: Analyzing a suspicious email — Phishing & Social Engineering
Disclaimer: This content is for awareness purposes only.