Skip to content

Use Case

There is far more to emails than meets the eye. The subtopic will teach you how to analyze the extensive metadata which documents an email’s origin, the servers it traveled through, information about possible spam checks, and much more. This metadata can form a crucial part of any in-depth investigation into potentially malicious emails.

Use this skill after or alongside the Triage subtopic within this learning path. Some of these skills may be necessary as part of the triage process in order to decide if a message is suspicious.

Since email headers can contain references to other domains and infrastructure, practitioners should first be familiar with Subtopic 4, which looks at analyzing domain and IP info, prior to tackling this one.

Objectives

After completing this subtopic, practitioners should be able to do the following:

  • Extract full headers from an email that they have received or are analyzing;
  • Analyze the extracted headers, paying particular attention to
    • The identity of the server or servers which sent the email;
    • Any information about SPF or DKIM data which those headers contain;
    • The possibility that any of the information in the header was spoofed

Every email has headers, which contain crucial metadata about the sender, recipient, and email itself. In this section, we will look at email headers, how you can analyze them, and how emails could be spoofed. This requires some background knowledge

Foundation Knowledge

Read the resources and documents below to familiarize yourself a bit with (or recap your knowledge on) email headers, SPF, and DKIM.

  • Understand what email headers are and how we can view them in multiple systems
  • Understand the basics of email spoofing and using SPF and DKIM to combat it
    • Learn about email spoofing / learn to identify spoofed emails
    • Learn about the Sender Policy Framework and how it aims to prevent sender address forgery.
      • Use dig / doggo to lookup a valid SPF record (you can do so by running the dig command with the txt argument), analyze its content (see here for a guide) and answer the following questions.
        • What is the SPF version used?
        • Which domains are authorized email senders for the domain?
        • Which mechanism (or policy) was used for all “other” senders?
        • Are there any other mechanisms (or policies) defined in the record?
      • Use https://mxtoolbox.com/spf.aspx to conduct a lookup and test on an SPF protected domain. You can look up the records for your own organization, for example, by checking its main domain.
    • Learn about DomainKeys Identified Mail (DKIM) and how, as an authentication standard, it is used to prevent email spoofing.
  • (Advanced) Familiarize yourself with various techniques and mechanisms spam filters use to identify spam / spoofed emails.

Main Section

Analyzing headers

The Nebraska GenCyber Team created a quick and relatively comprehensive course on email headers : we recommend it to all who want to learn about the topic.

As you analyze headers, you will learn quite a bit about the different domains involved in setting up the email. Once you have a list of those domains, you can use the same tools we used in the previous section (dig, whois, geoIP, and others) to learn more about them.

Systems administrators who use workplace domains such as Google Workspace and Microsoft 365 often have access to powerful logging and log search tools: they can use those to search their systems for identifiers which were found in email headers (such as suspicious domains), which can help them figure out who, if anyone, has been targeted in their organization. See Google’s and Microsoft’s documentation on searching through logs. Do note that those search features are usually restricted to business or enterprise accounts.

Practice

After reading through all of the materials in the Nebraska GenCyber email header analysis course, do the exercises linked therein. The site has a link issue, with the exercises often being unavailable directly on it, but they can also be downloaded here.

Skill Check

Find an email in your inbox or spam folder. Alternatively, ask for a peer or mentor to send you the headers of an email which they have recently received. Analyze the headers of the email using the same techniques as were outlined in the practice exercise, including by loading them in the Google Admin Toolbox Message Header tool. Then, answer questions 1, 2, 3, and 5 outlined in the investigation section of the Nebraska GenCyber email header analysis course, this time using the headers from the email you found rather than the email attached to the course.

Learning Resources

What are email headers?

Free

A good introduction to email headers. Highlights three important groupings of email headers. Includes a list of step-by-step guides for different MUAs.

Languages: English
Visit Site

Viewing full email headers

Free

How to view email headers in multiple email systems (Gmail, Outlook, Apple Mail, Thunderbird, etc).

Languages: Multiple
Visit Site

Checking SPF headers using the dig tool

Free

This piece offers a quick guide on how to check SPF headers using dig, a tool installed on most Unix-like systems.

Languages: English
Visit Site

How to check and read a Sender Policy Framework record for a domain

Free

This piece shows how to check SPF headers using nslookup, an alternative tool to dig, and describes how to interpret the results.

Languages: English
Visit Site

The Nebraska GenCyber Team course on email headers

Free

A comprehensive course on how to analyze email headers when investigating potential cases of phishing.

Languages: English
Visit Site

Exemples d'exercices pour le cours ci-dessus.

Free

Exercices hébergés sur GitHub.

Languages: English
Visit Site

Checking email headers in Proton Mail

Free

A guide on how to check email headers in Proton Mail.

Languages: English
Visit Site

Viewing email headers on Zoho

Free

A guide on how to view email headers on Zoho.

Languages: English
Visit Site

Tools for analyzing email headers, part 1

Free

Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.

Languages: English
Visit Site

Tools for analyzing email headers, part 2

Free

Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.

Languages: English
Visit Site

Tools for analyzing email headers, part 3

Free

Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.

Languages: English
Visit Site

Tools for analyzing email headers, part 4

Free

Links to several tools which can extract and dissect email headers, crucial for any analysis of potentially malicious emails.

Languages: English
Visit Site

Introduction to email spoofing, article 1

Free

Several articles describing email spoofing basics.

Languages: Multiple
Visit Site

Introduction to email spoofing, article 2

Free

Several articles describing email spoofing basics.

Languages: English
Visit Site

Introduction to email spoofing, article 3

Free

Several articles describing email spoofing basics.

Languages: English
Visit Site

Evaluating 'Received' headers

Free

How to use email headers to find the server that sent the email.

Languages: English
Visit Site

Analyzing potentially forged 'Received' headers

Free

How to identify fake ‘received’ headers.

Languages: English
Visit Site

Looking at a potential phishing email's headers

Free

A closer examination of email headers in phishing messages.

Languages: English
Visit Site

Find messages with Email Log Search

Documentation free, tools only available to business & enterprise users

Describes how administrators of Google business and enterprise accounts can monitor message logs.

Languages: English
Visit Site

Monitoring, reporting, and message tracing in Exchange Online

Documentation free, tools only available to enterprise users

Describes how administrators of Microsoft enterprise accounts can monitor message logs.

Languages: English
Visit Site