How to Check Email Sender

Hide My IP

When an e-mail is sent across the internet, there is header information in the data packets that tell where it originally came from. This information can usually be checked to determine if the email came from where it appears to be from.

View Email Headers in Outlook

outlook mailbox
  1. Right click the email in the pane that shows the list of emails which is the pane on the right or the upper right.
  2. Select Options.
  3. A dialog box like the one below will appear.
    message options

    View Email Headers in Outlook Express

    1. Right click the email in the list of emails in the large pane on the right.
    2. Select “Properties”.
    3. Click on the “Details” tab.

    The Internet headers for Outlook and Outlook Express are similar but not exactly the same. In Outlook, even though this is called “Options” at the bottom under the label “Internet Headers” it shows your Internet Mail header information. The examples shown are from Outlook. The first example below is from a spam email.

    Microsoft Mail Internet Headers Version 2.0
    Received: from 210.206.95.108 ([10.10.1.1]) by mailserver.mydomain.org with Microsoft SMTPSVC(5.0.2195.6713);
    	 Wed, 1 Sep 2004 21:09:08 -0400
    Message-ID: <c9b601c49087$8c1697ca$7efe63e8@seznam.cz>
    From: Vanessa J. Smith <mella@seznam.cz>
    To: me@mydomain.org
    Subject: Cheap software
    Date: Thu, 02 Sep 2004 00:54:37 +0000
    MIME-Version: 1.0
    Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_0000_7771E9BA.5106F578"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Return-Path: mella@seznam.cz
    X-OriginalArrivalTime: 02 Sep 2004 01:09:09.0621 (UTC) FILETIME=[7384AA50:01C49089]
    
    ------=_NextPart_000_0000_7771E9BA.5106F578
    Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_0001_C8B7EFF7.E0F8597E"
    
    ------=_NextPart_001_0001_C8B7EFF7.E0F8597E
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: 7bit
    
    ------=_NextPart_001_0001_C8B7EFF7.E0F8597E
    Content-Type: text/html; charset=iso-8859-1
    Content-Transfer-Encoding: 7bit
    
    
    ------=_NextPart_001_0001_C8B7EFF7.E0F8597E--
    
    
    
    ------=_NextPart_000_0000_7771E9BA.5106F578--
    

    If you attempt to perform a “ping -a IP_ADDRESS” command (from the command prompt) to the send from address and get no resolved domain name then it is likely that the email sender is being faked. This is commonly done by both viruses and spammers. An example is shown below. As you can see the domain name was not resolved

    ping

    Legitimate Email Header Example

    The email shown below is a legitimate email from my CDW representative. Notice that the domain names of the servers show they are using the CDW.com domain.

    Microsoft Mail Internet Headers Version 2.0
    Received: from apache.cdw.com ([10.10.1.1]) by mailserver.mydomain.org with Microsoft SMTPSVC(5.0.2195.6713);
    	 Thu, 9 Sep 2004 10:06:44 -0400
    Received: from VHEXIMC1.corp.cdw.com (Not Verified[10.19.0.60]) by apache.cdw.com with NetIQ MailMarshal (v5.5.6.6)
    	id <BB024cd70a> Thu, 09 Sep 2004 09:06:43 -0500
    Received: by vheximc1.corp.cdw.com with Internet Mail Service (5.5.2653.19)
    	id <SAD9A9VK> Thu, 9 Sep 2004 09:06:36 -0500
    Message-ID: <A4114C4157F1ED4D9E304BAE62BA9F1F16624D@zeus.corp.cdw.com>
    From: Account Rep <AcctRep@cdw.com>
    To: "'me@mydomain.org'" <me@mydomain.org>
    Subject: Just FYI
    Date: Thu, 9 Sep 2004 09:06:43 -0500 
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.2653.19)
    Content-Type: multipart/mixed;
    	boundary="----_=_NextPart_000_01C49676.3C0849E0"
    Return-Path: AcctRep@cdw.com
    X-OriginalArrivalTime: 09 Sep 2004 14:06:44.0247 (UTC) FILETIME=[3CBBE270:01C49676]
    
    ------_=_NextPart_000_01C49676.3C0849E0
    Content-Type: text/plain;
    	charset="iso-8859-1"
    
    ------_=_NextPart_000_01C49676.3C0849E0
    Content-Type: application/octet-stream;
    	name="Account Rep (E-mail).vcf"
    Content-Disposition: attachment;
    	filename="Account Rep (E-mail).vcf"
    
    
    ------_=_NextPart_000_01C49676.3C0849E0--