dom4in.net
← All guides
Email security

Read email headers to spot a spoofed message

Open the original headers and read three lines — Authentication-Results, Return-Path, and Received — and a fake usually gives itself away in under three minutes.

~2 min read 0:00 on this page

The process

The whole inspection path in Gmail. Crumbs link to each step in Directions.

Directions

1Open the suspicious message

Open the email, but do not click any links or attachments. You only need to read it, not interact with it.

3Choose Show original

Click Show original (Gmail) to open the raw message in a new tab. The top summary box shows SPF, DKIM, and DMARC each as PASS or FAIL — your fastest signal.

4Read Authentication-Results

Find the Authentication-Results line. Three PASS values that align with the visible From: domain is a strong sign of authenticity. A FAIL on DMARC, or DKIM signing a different domain than the one shown, is a red flag.

Authentication-Results: mx.google.com;
  spf=pass  dkim=pass header.d=paypal.com  dmarc=pass (p=REJECT)

5Check Return-Path and Received chain

Compare the Return-Path / envelope-from to the visible From:. A mismatch (display name says your bank, Return-Path is a random domain) is classic spoofing. Read the Received: lines bottom-to-top to see the real origin server — a brand-name email originating from an unrelated host is suspicious.

Common issues & fixes

Everything says PASS but it still feels fake.

Authentication only proves the sending domain controls its DNS — a lookalike domain (paypa1.com) can pass all three. Read the actual From: domain character by character.

DKIM passes but header.d is a different domain.

The message was signed by someone else's domain, not the brand it claims to be. Treat as spoofed.

No Authentication-Results line at all.

Some internal or older servers don't add it. Fall back to the Received chain and Return-Path comparison.

Display name looks right but you're unsure.

Display names are free text and trivially faked. Always judge by the domain after the @, never the display name.

Written and maintained by Ben McDaniel. Drafted with AI assistance and human-reviewed against each vendor's current setup flow. Vendor interfaces change — if a step looks different, the underlying record is what matters.