We're often asked what email headers are most important and why more people are learning about them. Here's the Too-Long-Didn't-Read (TL;DR) breakdown:
You can compare email headers to the ending credits of any movie you've ever watched. The credits tell you who made the movie, when it was made, and where it was shown. Email headers are like the credits of the email world because they provide us with similar information.
Basic Email Headers
Who Sent The Email?: The FROM header tells you the email address of the sender.
Who Is The Email For?: The TO header tells you who the email is addressed to.
When Was The Email Sent?: The DATE header shows you when the email was sent.
What Is The Email About?: The SUBJECT header provides a brief summary of the email's content.
Where Did The Email Come From?: The RECEIVED headers show the different servers the email passed through on its way to you.
Technical Email Headers
Sender Policy Framework (SPF): Checks if the email was sent from an authorized server.
DomainKeys Identified Mail (DKIM): Verifies the email's authenticity using digital signatures.
Domain-based Message Authentication, Reporting, & Conformance (DMARC): Sets policies for handling emails that fail SPF or DKIM checks.
Analyzing Email Headers
Not every email analyzer tool will display the same exact information; there are numerous different email headers, and the full registry of them is maintained by the Internet Assigned Numbers Authority (IANA).
With that being said, the following five checks are the ones experts most commonly start with when conducting their investigation:
DMARC Compliance: A way to check if an email is authentic and hasn't been tampered with. If an email is DMARC Compliant, it means it's likely a real email from the person or company it claims to be from. If it's not compliant, it might be fake or malicious.
SPF Alignment: This shows whether the domain name in the "SENDER" or "FROM" address of the email matches the domain name listed on the SPF record. Just because an email passes this check does not mean the email is legitimate; SPF alignment alone does not indicate whether an email is legitimate or illegitimate.
SPF Authenticated: This confirms whether the email has passed the SPF check, which looks at the sending server's IP address to determine whether it is authorized to send emails on behalf of the domain. As with SPF alignment, this check alone cannot prove whether an email is legitimate. However, a failed SPF check is one of the key indicators that an email has been spoofed.
DKIM Alignment: This check ensures that the domain name in the "DKIM-Signature" header matches the domain name in the "FROM" address of the email. This particular check is only valuable if the company the email claims to be from has set up DKIM for its sending domain. Most well-known companies, like PayPal for example, will have valid DKIM signatures, so this check is commonly used to judge an email's legitimacy when it claims to be from a well-known company.
DKIM Authenticated: This check determines whether the email has been altered or modified AFTER it was signed (the signature is carried in the DKIM-Signature header). This is one of the most powerful checks that email providers use to automatically reject, delete, or flag an email as spam before it actually reaches your inbox.
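The following script is an added example, not code from the article, and it ties together both lists above: it pulls the basic headers and the Received chain out of a raw message, then runs the five checks (SPF authenticated, SPF alignment, DKIM authenticated, DKIM alignment, DMARC compliance) against the receiving server's Authentication-Results header. Both sample messages are constructed for this example and use reserved documentation names and addresses; the organizational-domain helper is a deliberate simplification (it keeps the last two labels instead of consulting the Public Suffix List), which is noted as an assumption in the code.

```python
"""Header triage for a raw email: basic headers, Received hops and the five
SPF/DKIM/DMARC checks. Added example, not the article's own code."""
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message). DKIM is signed by the From: domain
# (aligned), but SPF was evaluated on a separate bounce domain (not aligned).
ALIGNED_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
  by inbox.example.org with ESMTP id abc123;
  Tue, 05 Mar 2024 10:15:02 +0000
Received: from mail.example.net (mail.example.net [198.51.100.5])
  by mx1.example.org with ESMTPS id xyz789;
  Tue, 05 Mar 2024 10:15:01 +0000
Authentication-Results: mx1.example.org;
  spf=pass smtp.mailfrom=bounce.example.net;
  dkim=pass header.d=example.com header.s=sel1;
  dmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
  h=from:to:subject:date; bh=placeholder=; b=placeholder=
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Date: Tue, 05 Mar 2024 10:15:00 +0000
Subject: Quarterly report

Hello Bob, the report is attached.
"""

# Constructed sample of a lookalike: the sending server passes SPF for its own
# domain, but nothing authenticates the domain shown in From:, so DMARC fails.
SPOOFED_MESSAGE = """\
Received: from mail.example.net (mail.example.net [198.51.100.5])
  by mx1.example.org with ESMTPS id qrs456;
  Tue, 05 Mar 2024 11:02:00 +0000
Authentication-Results: mx1.example.org;
  spf=pass smtp.mailfrom=newsletter.example.net;
  dkim=none;
  dmarc=fail header.from=bank.example
From: Bank Support <support@bank.example>
To: Bob <bob@example.org>
Date: Tue, 05 Mar 2024 11:01:58 +0000
Subject: Urgent: verify your account

Please log in now.
"""


def _unfold(value):
    """Collapse folded header continuation lines into a single line."""
    return " ".join(value.split())


def org_domain(domain):
    """Organizational domain used for relaxed alignment. Assumption/simplification:
    keep the last two labels; real DMARC code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def received_hops(msg):
    """(from_host, by_host) per hop in transit order. Each server prepends its
    own Received header, so the header nearest the body is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"from (\S+).*?\bby (\S+)", _unfold(value))
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def auth_results(msg):
    """Verdicts and identifiers from the receiver's Authentication-Results header."""
    text = _unfold(msg.get("Authentication-Results", ""))
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", text)
        out[method] = m.group(1) if m else None
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", text)  # envelope domain
    out["spf_domain"] = m.group(1).lower() if m else None
    m = re.search(r"header\.d=([^\s;]+)", text)  # DKIM signing domain
    out["dkim_domain"] = m.group(1).lower() if m else None
    return out


def dkim_signing_domain(msg):
    """d= tag of the DKIM-Signature header, or None when the mail is unsigned."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", _unfold(msg.get("DKIM-Signature", "")))
    return m.group(1).lower() if m else None


def analyze(raw):
    """Basic headers, hop list and the five checks for one raw message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = auth_results(msg)
    dkim_domain = ar["dkim_domain"] or dkim_signing_domain(msg)
    spf_auth = ar["spf"] == "pass"    # SPF Authenticated
    dkim_auth = ar["dkim"] == "pass"  # DKIM Authenticated (signature still valid)
    spf_aligned = bool(ar["spf_domain"]) and org_domain(ar["spf_domain"]) == org_domain(from_domain)
    dkim_aligned = bool(dkim_domain) and org_domain(dkim_domain) == org_domain(from_domain)
    return {
        "basic": {h: _unfold(msg.get(h, "")) for h in ("From", "To", "Date", "Subject")},
        "hops": received_hops(msg),
        "from_domain": from_domain,
        "spf_authenticated": spf_auth,
        "spf_aligned": spf_aligned,
        "dkim_authenticated": dkim_auth,
        "dkim_aligned": dkim_aligned,
        # DMARC passes when at least one mechanism is both authenticated and aligned.
        "dmarc_compliant": (spf_auth and spf_aligned) or (dkim_auth and dkim_aligned),
        "dmarc_reported": ar["dmarc"],
    }


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        result = analyze(raw)
        print(name, {k: v for k, v in result.items() if k not in ("basic", "hops")})
        for sender, receiver in result["hops"]:
            print("  hop:", sender, "->", receiver)
```

Running it shows the point the article makes about SPF: the first message passes SPF authentication but fails SPF alignment, and it is the aligned, valid DKIM signature that makes it DMARC compliant; the second message also passes SPF (for the sender's own domain) yet ends up non-compliant because nothing authenticates the domain in From:. The script trusts the Authentication-Results header it is given, so in practice check that the header was added by your own receiving server and not carried in from outside.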