Somebody sent you a strange email. Maybe they’re threatening to blackmail you if you don’t send them a specific amount in ransom, or they claim to know you, but you can’t remember knowing them. Their email address, however, reveals nothing. In any case, you want to know who sent you the email so you know how to respond better. In this article, we will show you how to trace an email address to its owner using the email header.
Why Do You Need to Trace an Email Address?
First, why bother tracing an email's IP address? We live in a time when email spam, phishing emails, scams, and malware are all too prevalent. Tracing an email to its source gives you a chance to find out who sent it and where it came from. It also helps you block those pesky sources of spam and/or abusive content reaching your email or website, keeping your inbox free of them.
Using Email Headers to Trace the Email Address Owner
Luckily, your email already provides the necessary means to trace the email owner: the email header. To open the email header and find the message sender on different email providers, follow these steps:
Gmail
- Open your Gmail account
- Select the email you wish to trace
- Next, in the top-right corner of the email, click on the three dots to open a drop-down menu
- Click Show Original to open the email header
Yahoo Mail
- Open your Yahoo Mail account
- Open the email message you want to inspect
- Above the message pane, click on the More icon
- Select View Raw Message. This opens a new tab where you can see the email header
Microsoft Outlook
- Open your Outlook email account
- Double-click on the email message that you want to look at
- Go to File>Properties
- You’ll find what you’re looking for in Internet Headers
Apple Mail
- Open your Apple Mail account
- Select and open the email message you want to trace back to its owner
- Then go to View>Message>Raw Source to open the email header
What’s in the Email Header?
Before we dive into the email header to learn how to trace an email address to its owner, we need to understand what data the email header contains.
- From: This is the email sender. However, don’t rely on this as this information can be forged (if only it was that easy)
- Reply-To: This is the email address that you send the response to
- Subject: Obviously the subject of the email
- To: Who the intended recipient of your email is
- Received: Read these lines from bottom to top, where the bottom is the original email sender. Together they list the email servers that the message passed through to get to you
- Delivered-To: The final recipient of the email. You.
- MIME-Version: MIME stands for Multipurpose Internet Mail Extensions and represents the email format standard currently in use. This will probably be 1.0.
- Content-Type: Lets the email client or the browser know how to “read” the email contents. The character set will probably be either UTF-8 or ISO-8859-1
- Authentication-Results: This is the record of all performed authentication checks
- DKIM-Signature: DKIM, or DomainKeys Identified Mail, serves to authenticate which domain the email was sent from. DKIM is an important tool in preventing email fraud
- ARC-Authentication-Results: ARC identifies the email forwarders. It stands for Authenticated Received Chain
- ARC-Message-Signature: Validates the email header info, much like DKIM does
- ARC-Seal: Verifies the contents of the authentication results and the message signature
- Received-SPF: The SPF or Sender Policy Framework is a part of the email authentication that prevents email sender address forgery
- Return-Path: This is where bounced or undeliverable emails go
- X-Received: Not the same as Received. Instead, it shows a temporary address like a Gmail SMTP server or a mail transfer agent
- X-Google-Smtp-Source: This shows whether the email was transferred using the Gmail SMTP server
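Because From can be forged, it helps to compare it against the fields listed above that are harder to fake. The following Python sketch is an added example, not part of the original article: it reads the Authentication-Results verdicts and checks whether Return-Path and Reply-To share the From domain. The sample message and every domain in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article); all domains are placeholders.
RAW = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bulk-mailer.example;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: <helpdesk@other-domain.example>
Subject: Verify your account

body
"""

def domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg):
    """Map each check in Authentication-Results (spf, dkim, dmarc) to its result."""
    value = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))

def findings(raw):
    """List reasons the visible From address should not be taken at face value."""
    msg = message_from_string(raw)
    frm, out = domain(msg["From"]), []
    # Any verdict other than "pass" means that check does not vouch for the sender.
    for check, result in sorted(auth_verdicts(msg).items()):
        if result != "pass":
            out.append(f"{check}={result}")
    # A differing domain is a signal to look closer, not proof of forgery:
    # legitimate bulk-mail services also use their own Return-Path.
    if domain(msg["Return-Path"]) != frm:
        out.append("Return-Path domain differs from From")
    if msg["Reply-To"] and domain(msg["Reply-To"]) != frm:
        out.append("Reply-To domain differs from From")
    return out

if __name__ == "__main__":
    for reason in findings(RAW):
        print(reason)
```

Only trust an Authentication-Results header that was added by your own mail provider's server; one that arrived with the message can be forged like any other header.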
How to Trace the Email IP Address?
Now that you have a slightly better idea of what different data in the email header represent, let’s see how to use email headers to trace email IP addresses:
- Open the email header as we showed above (Open Email>More>Show Original)
- Find the Received line. This will probably be the second line in the email header after Delivered-To:
- You’ll find the IP address of the email server that sent the email as Original IP or X-Originating-IP
- Copy/paste the IP address into an IP lookup tool like WhoisXMLAPI.com. This tool will show you the location of the email server, including the country, region, city, latitude, longitude, postal code, time zone offset by UTC, and Geonames ID for the IP address in question
- You can also use an Email Header Analyzer Tool
Why Are There Multiple “Received” Lines in Your Email Header?
You’ll probably notice that there are several Received lines in your email header. What do they mean and which is the “real” one? You’ll see several Received lines whenever the email message goes through more than one email server. A spammer will often add multiple fake Received lines to make it harder to trace them. However, even with several Received lines thrown in, you can still find the original sender. It just takes a bit more work to do so.
- Begin with the last Received line and follow the next Received lines up through the email header
- Make sure that the by and from locations match
- The IP address you’re looking for will be in the last Received line with the valid information
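The by/from check described above can be automated. The following Python sketch is an added example, not part of the original article: it parses the Received lines, verifies that each hop's "by" server is the one the hop above it received the message "from", and returns the earliest hop where the chain is still intact along with the hops it ignored. The sample message is constructed (placeholder hostnames, documentation-range IPs), the function names are hypothetical, and the regular expression assumes the common "from name (… [ip]) by name" layout.

```python
import re
from email import message_from_string

# Constructed sample (not from the article): .example hostnames and
# documentation-range IPs. The bottom Received line is forged.
RAW = """\
Delivered-To: you@recipient.example
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
 by mx.recipient.example with ESMTP; Mon, 01 Jan 2024 10:00:04 +0000
Received: from client.isp.example (unknown [203.0.113.45])
 by relay.isp.example with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from mail.bank.example (mail.bank.example [192.0.2.10])
 by mx.bank.example with SMTP; Mon, 01 Jan 2024 09:59:00 +0000
From: "Support" <support@bank.example>
Subject: Urgent

body
"""

# "from <name> ... [<ip>] ... by <name>" as commonly written by mail servers.
HOP = re.compile(
    r"from\s+(?P<frm>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>\S+)",
    re.S,
)

def parse_hops(raw):
    """Return the Received hops newest-first (top of header to bottom)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        hops.append(m.groupdict() if m else {"frm": None, "ip": None, "by": None})
    return hops

def trace(raw):
    """Return (earliest hop whose by/from chain is intact, hops below the break)."""
    hops = parse_hops(raw)
    if not hops or hops[0]["by"] is None:
        return None, hops
    trusted = 0
    for i in range(1, len(hops)):
        # The server that wrote hop i ("by") must be the one hop i-1 received "from".
        if hops[i]["by"] is None or hops[i]["by"].lower() != hops[i - 1]["frm"].lower():
            break
        trusted = i
    return hops[trusted], hops[trusted + 1:]

if __name__ == "__main__":
    origin, ignored = trace(RAW)
    print("earliest consistent hop:", origin)
    print("ignored (chain broken):", ignored)
```

Real servers sometimes announce a different name than the one the next server records, so treat a mismatch as a reason to inspect the hop by hand rather than as proof of forgery.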
How do Different Email Providers Display IP Addresses?
Each email provider has its own method of displaying the IP address in the email header.
- Gmail will show only the IP address of the email server in the Received line and not the actual IP address of the email sender
- Yahoo emails will show the IP of the email sender in the last Received
- Outlook shows the IP address in the 1st Received line in the email header
Conclusion
And that’s it. An email header is a powerful tool in fighting spam and phishing and understanding who sent you the email in the first place. With this knowledge, it should be quite easy for you now to trace email IP addresses back to their owners and discover their identity and location. However, keep in mind that you won’t always be able to find the identity of the sender if they make an extra effort to remain anonymous. Do you want to be anonymous? Sign up for Listmonk today. Listmonk doesn’t store, log, or monitor your IP address, allowing you complete privacy and anonymity as you send and receive emails.