Understanding Email Headers: A Guide to Identifying Legitimate Communications


In the digital age, email security is paramount. We often hear about phishing scams and illegitimate emails, but how do we differentiate between a safe email and a potential threat? One key tool at your disposal is understanding email headers. Let’s demystify this aspect of emails using a real-world example – a Microsoft account password reset email.

What is an Email Header?

Think of an email header as the digital fingerprint of an email. It’s a detailed log of the path an email has taken, which servers it has passed through, and various authentication checks it underwent before landing in your inbox. However, to the untrained eye, email headers can appear complex and intimidating. Let’s break it down into simpler terms.

Delivered-To: [recipient's email]
Received: by 2002:a25:de05:0:0:0:0:0 with SMTP id f5csp1234567qka;
        Tue, 3 Mar 2023 07:36:12 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz/R33J+6T7X7x5DZ6QJxyz12345
X-Received: by 2002:a37:bacd:: with SMTP id x13mr12345678qke.12.1583242572281;
        Tue, 03 Mar 2023 07:36:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583242572; cv=none;
        d=google.com; s=arc-20160816;
        b=H0D12345F...
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:subject:message-id:to:from:date;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=I123nL...
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@example.com header.s=201215 header.b="G123H";
       spf=pass (google.com: domain of sender@example.com designates 203.0.113.123 as permitted sender) smtp.mailfrom=sender@example.com
Return-Path: <sender@example.com>
Received: from mail.example.com (mail.example.com. [203.0.113.123])
        by mx.google.com with ESMTPS id e12si12345678qkb.123.2023.03.03.07.36.11
        for <[recipient's email]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 03 Mar 2023 07:36:12 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@example.com designates 203.0.113.123 as permitted sender) client-ip=203.0.113.123;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=201215 header.b="G123H";
       spf=pass (google.com: domain of sender@example.com designates 203.0.113.123 as permitted sender) smtp.mailfrom=sender@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example.com; s=201215;
        h=date:from:to:message-id:subject:mime-version:content-transfer-encoding;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=G123H...
Received: by mail.example.com (Postfix, from userid 123)
        id 4A123BCD12; Tue,  3 Mar 2023 07:36:10 -0800 (PST)
Date: Tue, 3 Mar 2023 07:36:10 -0800 (PST)
From: Sender Name <sender@example.com>
To: [recipient's email]
Message-ID: <1234567890.12345.1583242570890.JavaMail.root@mail.example.com>
Subject: Sample Email Subject
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

[Email content]

Key Components of an Email Header

  1. Return-Path and From Address: These tell you who sent the email. Return-Path is the bounce (envelope) address that SPF is checked against, while From is the address your mail client displays. For example, a password reset email from Microsoft might come from an address like “account-security-noreply@accountprotection.microsoft.com”.
  2. Received Headers: These lines trace the journey of the email across the internet, from server to server, until it reaches you. Each server prepends its own Received line, so the list reads from the bottom (the originating server) to the top (your provider). Legitimate emails from big companies usually pass through servers associated with that company.
  3. Authentication Results: This section is crucial. It includes the results of the SPF, DKIM, and DMARC checks, technologies that help prevent email spoofing and phishing. These results are stamped by the receiving mail server (the Authentication-Results line from mx.google.com in the sample above), so the line added by your own provider is the one to trust. If an email from a reputable company passes these checks, it’s a good sign.
  4. Microsoft-Specific Headers: For emails from Microsoft, you might notice some specific headers. These indicate the email has been processed through Microsoft’s internal systems, adding to its legitimacy.

Case Study: Microsoft Account Password Reset Email

Let’s apply this knowledge to a typical Microsoft account password reset email. If you receive such an email:

  • Check the sender’s email address and domain.
  • Look at the ‘Received Headers’ to see if the email journeyed through servers like “outlook.com”.
  • Verify that it passes SPF, DKIM, and DMARC checks.
  • Look for Microsoft-specific headers indicating the email passed through their system.
  • Finally, check the content for legitimate links (like those leading to “account.live.com” for Microsoft).
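As an added example (not part of the original article), the Python script below applies the checks from this list to raw message headers: it reads the SPF, DKIM and DMARC verdicts only from the Authentication-Results line stamped by your own provider (assumed here to be mx.google.com, as in the sample header), confirms that the Return-Path and DKIM signing domains line up with the From domain, and inspects the originating server in the last Received line. The headers embedded in it are a constructed sample modelled on the one shown earlier.

```python
import email
import re
from email.utils import parseaddr

# Assumption: authserv-id of the provider whose Authentication-Results we trust
# (mx.google.com in the header shown above); copies added upstream can be forged.
TRUSTED_AUTHSERV = "mx.google.com"
# Constructed sample modelled on the header layout above; not a real message.
SAMPLE = """Return-Path: <sender@example.com>
Received: from mail.example.com (mail.example.com. [203.0.113.123])
        by mx.google.com with ESMTPS id e12si12345678qkb.123
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=201215 header.b="G123H";
       spf=pass smtp.mailfrom=sender@example.com;
       dmarc=pass (p=REJECT) header.from=example.com
Received: by mail.example.com (Postfix, from userid 123) id 4A123BCD12
From: Sender Name <sender@example.com>
"""

def unfold(value):  # collapse a folded header value onto one line
    return " ".join(str(value).split())
def domain_of(addr):  # lower-cased domain of an address header ('' if none)
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts and DKIM signing domain from TRUSTED_AUTHSERV's line only."""
    hdrs = [unfold(h) for h in msg.get_all("Authentication-Results", [])]
    hdr = next((h for h in hdrs if h.startswith(TRUSTED_AUTHSERV + ";")), "")
    found = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", hdr)
        found[mech] = m.group(1).lower() if m else "missing"
    dk = re.search(r"header\.i=(?:[\w.+-]*@)?([\w.-]+)", hdr)
    found["dkim_domain"] = dk.group(1).lower() if dk else ""
    return found

def triage(raw):  # the checks from the list above; returns points worth a closer look
    msg = email.message_from_string(raw)
    auth = auth_results(msg)
    from_dom = domain_of(msg.get("From", ""))
    findings = [f"{m} is {auth[m]}" for m in ("spf", "dkim", "dmarc") if auth[m] != "pass"]
    if domain_of(msg.get("Return-Path", "")) != from_dom:
        findings.append("Return-Path domain differs from From domain")
    if auth["dkim_domain"] and auth["dkim_domain"] != from_dom:
        findings.append("DKIM signing domain differs from From domain")
    # Each hop prepends a Received header, so the last one is the originating server; substring match is a rough indicator only.
    hops = [unfold(h) for h in msg.get_all("Received", [])]
    if hops and from_dom not in hops[-1]:
        findings.append("originating server does not name the From domain")
    return {"from_domain": from_dom, "hops": len(hops), "auth": auth, "findings": findings}
```

An empty findings list means the headers are consistent with the sender they claim; any entry is a reason to verify through the company's official site rather than the email.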

What to Do If You Didn’t Request a Password Reset

If you receive a password reset email without having requested it, proceed with caution:

  • Do not click any links or use any codes from the email.
  • Visit the company’s official website directly and check your account for any unusual activity.
  • Consider changing your password and enabling two-factor authentication for added security.
  • Contact the company’s support if you’re unsure.

Conclusion

Understanding email headers is a powerful skill in maintaining your online safety. It empowers you to identify legitimate communications and differentiate them from potential threats. Remember, when in doubt, it’s always safer to verify by contacting the company through official channels. Stay safe and informed in your digital interactions!
