Tracing back emails to their source IP addresses helps identify scams, spam, phishing, and spoofing emails by linking you back to fraudulent senders. The drill includes examining the email header containing routing details and email metadata.

Apart from aiding in phishing and spoofing prevention, tracing back emails to their source IP addresses supports digital forensics and law enforcement. 

It’s important to note that while tracing back emails to their source IP addresses can provide valuable information, it may not always lead to the direct identification of the responsible individual due to the use of anonymizing services, VPNs, or compromised systems. 

Nevertheless, it remains a valuable tool in the overall cybersecurity toolkit. So, let’s see how it’s done.

Tracing Back an Email

To trace back an email, you need to evaluate the full email header, which is generally hidden or half-displayed, as it contains details that are too technical for many people. The way to access or unhide the full email header differs from email client to email client; however, it’s an easy job.  

We are sharing the way to open a full email header for the common mailbox providers-

Gmail

Open the email you want to trace, select the drop-down menu in the top-right corner, and choose ‘Show original.’

Outlook

Double-click on the email you have to trace and go to ‘Properties’ under the ‘File’ section. The information will appear in the internet headers.

Apple Mail

Open the email and go to View > Message > Raw Source.

Yahoo Mail

Open the email you want to trace and select ‘View Raw Message’ by clicking on the three-dot icon.

Learning to Read the Data in a Full Email Header

Once you will open a full email header, you will come across a lot of information. The basic Gmail email header lines are explained here-

• Reply-To: The designated email address for your response.
• From: Displays the sender of the message, but this section can be easily manipulated.
• Content-type: Informs your browser or email client on how to interpret the email content, commonly utilizing character sets like UTF-8 or ISO-8859-1.
• MIME-Version: Declares the standard email format, typically set to “1.0.”
• Subject: Represents the topic of the email content.
• To: Lists the intended recipients of the email; may reveal additional addresses.
• DKIM-Signature: DomainKeys Identified Mail authenticates the sending domain, safeguarding against email spoofing and sender fraud.
• Received: Enumerates the servers the email traversed before reaching your inbox; read from bottom to top, with the bottom-most line indicating the origin.
• Authentication-Results: Contains a log of authentication.
• Received-SPF: Part of the email authentication process, Sender Policy Framework (SPF) thwarts sender address forgery.
• Return-Path: Designates where undeliverable or bounce messages are directed.
• ARC-Authentication-Results: Authenticated Receive Chain is an additional authentication standard verifying the identities of email intermediaries and servers forwarding the message.
• ARC-Message-Signature: Captures a snapshot of message header information for validation, akin to DKIM.
• ARC-Seal: “Seals” ARC authentication results and the message signature, and confirms their integrity, which is similar to DKIM.
• X-Received: Unlike “Received,” which is considered non-standard, it might not be a permanent address, potentially representing a mail transfer agent or Gmail SMTP.
• X-Google-Smtp-Source: Indicates the email transfer using a Gmail SMTP server.
• Delivered-To: Specifies the ultimate recipient of the email within this header.

Tracing the IP Address

Start by checking out the first ‘Received’ header line, and alongside it would be the sending server’s IP address. This will be displayed as X-Originating IP or Original-IP. Then, you will have to perform a reverse DNS lookup and MX Toolbox is one of the right platforms to do that. The tool will display a variety of details linked to the sender’s server.

Messageheader by Google and WhatIsMyIPAddress are other third-party tools that you can use to decipher IP addresses from an email header. 

Tracing is Also Possible Through Social Media

Yes, you read it right; however, this method doesn’t have a high success rate as it’s only doable if the sender uses the same email address for their social media and has a public profile. The chances of finding the sender on LinkedIn are higher than spotting them on Instagram and Facebook.

Tracing doesn’t always work, especially if the sender uses a VPN or other anonymizing services like a proxy server. Also, hackers are smart, which means they don’t use phishing email addresses for their social media accounts!