The first thing you do when you hear that email notification is check the sender, right? It is the quickest way to figure out who the email is from, as well as the likely content.
But did you know each email comes with a lot more information than what appears in most email clients? There’s a host of information about the sender included in the email header—information you can use to trace the email back to the source.
Here’s how to trace that email back to where it came from, and why you might want to.
Before learning how to trace an email address, let’s consider why you would do it in the first place.
In this day and age, malicious emails are all too frequent. Scams, spam, malware, and phishing emails are a common inbox sight. If you trace an email back to its source, you have a slight chance of discovering who (or where!) the email comes from.
In other cases, you can trace the origin of an email to block a persistent source of spam or abusive content, permanently removing it from your inbox; server administrators trace emails for the same reason.
You can trace an email address to its sender by looking at the full email header. The email header contains routing information and email metadata—information you don’t normally care about. But that information is vital to tracing the source of the email.
Most email clients don’t display the full email header as standard because it is full of technical data and somewhat useless to an untrained eye. However, most email clients do offer a way of checking out the full email header. You just need to know where to look, as well as what you’re looking at.
Of course, there are countless email clients. A quick internet search will reveal how to find your full email header in your client of choice. Once you have the full email header open, you’ll understand what I meant by “full of technical data.”
It looks like a lot of information but consider the following: you read in chronologically from bottom to top (i.e., oldest information at the bottom), and that each new server the email travels through adds Received to the header. Check out this sample email header taken from my MakeUseOf Gmail account:
There’s a lot of information. Let’s break it down. First, understand what each line means (reading from bottom to top).
To trace the IP address of the original email sender, head to the first Received in the full email header. Alongside the first Received line is the IP address of the server that sent the email. Sometimes, this appears as X-Originating-IP or Original-IP.
Find the IP address, then head to MX Toolbox. Enter the IP address in the box, change the search type to Reverse Lookup using the drop-down menu, then hit Enter. The search results will display a variety of information relating to the sending server.
Unless the originating IP address is one of the millions of private IP addresses. Then you will meet the following message:
IP ranges 10.0.0.0-10.255.255.255, 172.16.00-172.31.255.255, 192.168.0.0-192.168.255.255, and 18.104.22.168-22.214.171.124 are private. IP address lookups for those ranges will not return any results.
Of course, there are some handy tools out there that automate this process for you. It is handy to learn about full email headers and their contents, but sometimes you need quick information.
The results don’t always match up though. In the below example, I know that the sender is nowhere near the alleged location stated as Ashburn, Virginia:
There are instances where tracing an IP address through the email header is useful. A particularly irritating spammer perhaps, or the source of regular phishing emails. Certain emails will only come from certain locations; your PayPal emails won’t originate in China, for instance.
However, as it is trivially easy to spoof email headers, take all the results you find with a pinch of salt.