How to Check Email Sender

When an e-mail is sent across the internet, there is header information in the data packets that tell where it originally came from. This information can usually be checked to determine if the email came from where it appears to be from.

View Email Headers in Outlook

outlook mailbox
  1. Right click the email in the pane that shows the list of emails which is the pane on the right or the upper right.
  2. Select Options.
  3. A dialog box like the one below will appear.
    message options

    View Email Headers in Outlook Express

    1. Right click the email in the list of emails in the large pane on the right.
    2. Select “Properties”.
    3. Click on the “Details” tab.

    The Internet headers for Outlook and Outlook Express are similar but not exactly the same. In Outlook, even though this is called “Options” at the bottom under the label “Internet Headers” it shows your Internet Mail header information. The examples shown are from Outlook. The first example below is from a spam email.

    Microsoft Mail Internet Headers Version 2.0
    Received: from ([]) by with Microsoft SMTPSVC(5.0.2195.6713);
    	 Wed, 1 Sep 2004 21:09:08 -0400
    Message-ID: <c9b601c49087$8c1697ca$>
    From: Vanessa J. Smith <>
    Subject: Cheap software
    Date: Thu, 02 Sep 2004 00:54:37 +0000
    MIME-Version: 1.0
    Content-Type: multipart/related;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    X-OriginalArrivalTime: 02 Sep 2004 01:09:09.0621 (UTC) FILETIME=[7384AA50:01C49089]
    Content-Type: multipart/alternative;
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: 7bit
    Content-Type: text/html; charset=iso-8859-1
    Content-Transfer-Encoding: 7bit

    If you attempt to perform a “ping -a IP_ADDRESS” command (from the command prompt) to the send from address and get no resolved domain name then it is likely that the email sender is being faked. This is commonly done by both viruses and spammers. An example is shown below. As you can see the domain name was not resolved


    Legitimate Email Header Example

    Hide My IP

    The email shown below is a legitimate email from my CDW representative. Notice that the domain names of the servers show they are using the domain.

    Microsoft Mail Internet Headers Version 2.0
    Received: from ([]) by with Microsoft SMTPSVC(5.0.2195.6713);
    	 Thu, 9 Sep 2004 10:06:44 -0400
    Received: from (Not Verified[]) by with NetIQ MailMarshal (v5.5.6.6)
    	id <BB024cd70a> Thu, 09 Sep 2004 09:06:43 -0500
    Received: by with Internet Mail Service (5.5.2653.19)
    	id <SAD9A9VK> Thu, 9 Sep 2004 09:06:36 -0500
    Message-ID: <>
    From: Account Rep <>
    To: "''" <>
    Subject: Just FYI
    Date: Thu, 9 Sep 2004 09:06:43 -0500 
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.2653.19)
    Content-Type: multipart/mixed;
    X-OriginalArrivalTime: 09 Sep 2004 14:06:44.0247 (UTC) FILETIME=[3CBBE270:01C49676]
    Content-Type: text/plain;
    Content-Type: application/octet-stream;
    	name="Account Rep (E-mail).vcf"
    Content-Disposition: attachment;
    	filename="Account Rep (E-mail).vcf"