Internet emails are designed to carry the IP address of the computer from which the email was sent. This IP address is stored in an email header, delivered to the recipient along with the message. Email headers can be thought of like envelopes for postal mail. They contain the electronic equivalent of addressing and postmarks that reflects the routing of mail from source to destination.
How to find the IP addresses in an E-Mail Header
I have noticed that people forgot or don’t know where they can find the Header information in an E-Mail. To do that open your E-Mail and follow the Path: File > Properties. Here you can spot the Internet headers like shown in the picture below:
Internet email headers contains several lines of text. Some lines start with words Received: from. Following these words are an IP address, such as in the following fictitious example:
Received: from mta41.email2.microsoft.com (126.96.36.199)
by mail1.abstergo.com with SMTP; 18 Jul 2018 07:23:47 -0000
These lines of text are automatically inserted by email servers that route the message. If only one “Received: from” line appears in the header, a person can be confident this is the actual IP address of the sender.
Understanding Multiple ‘Received: from’ Lines
However, in some situations, multiple “Received: from” lines appear in an email header. This happens when the message passes through multiple email servers. Alternatively, some email spammers will insert additional fake “Received: from” lines into the headers themselves in an attempt to confuse recipients.
To identify the correct IP address when multiple “Received: from” lines are involved requires a small bit of detective work. If no faked information was inserted, the correct IP address is contained in the last “Received: from” line of the header. This is a good simple rule to follow when looking at mail from friends or family.
Internet Tools for analysing Headers
There are many tools out there in internet where we can analyse our E-Mail Header. I personally recommend you the MX Toolbox https://mxtoolbox.com . By opening the Page, we can see on the top the option Analyse Headers.
Here we simply copy our E-Mail Header from the Outlook we got and click Analyse Header.
As a result, we get a report about all information from the sender and E-Mail. Here we can see information about the trace route which the E-Mail has done or some other information shown in the picture below:
Understanding Faked Email Headers
If faked header information was inserted by a spammer, different rules must be applied to identify a sender’s IP address. The correct IP address will be not normally contained in the last “Received: from” line, because information, faked by a sender always appears at the bottom of an email header.
To find the correct address in this case, start from the last “Received: from” line and trace the path taken by the message by travelling up through the header. The “by” (sending) location listed in each “Received” header should match with the “from” (receiving) location listed in the next “Received” header below. Disregard any entries that contains domain names or IP addresses not matching with the rest of the header chain. The last “Received: from” line containing valid information is the one that contains the sender’s true address.
Note that many spammers send their emails directly rather than through Internet email servers. In these cases, all “Received: from” header lines except the first one will be faked. The first “Received: from” header line, then, will contain the sender’s true IP address in this scenario.