Tracing an Email

Martin Brinkmann
Jan 21, 2006
Updated • Mar 14, 2014

Yesterday I posted an article about tracing hackers that try to get in your system. Today I give you one about tracing an emails back to the original sender.

The first thing you have to do is to enable email headers. The site (no longer available, link removed) shows you how to do so using Gmail, Yahoo Mail and MSN Hotmail. All desktop clients should support this feature as well. Email Headers show you additional information about the email, for example the first server that received the email from the sender or IP addresses.

Here is an example of how to display headers on Gmail. Open the email that you want to check, and click on the small down arrow icon in the "from" line. A menu pops up, and you need to select "show original" from it to display all email headers.


After explaining how to configure your mail software to display email headers, the site explains the important headers in detail.This is necessary to understand how to use them to trace an email message back to its original sender. Finally the last part of the article shows you how to trace the sender looking upr the senders IP address on the Internet. Its again only helpful if the email was not relayed through botnets, cracked servers or other means of disguising the spammer's original IP address.

Update: You can enable all email headers in Mozilla Thunderbird the following way: Click on View > Headers > All. This should enable detailed headers that you can use to analyze where the email is coming from.

thunderbird email headers

Once you have configured email headers, you need a basic understanding of what you should be looking for to use them effectively. What you basically need to understand is that the sender of an email is not sending it directly to you. The email instead is first send to the sender's email provider from where it is usually send through a number of servers before it reaches your email provider's server from where you can retrieve it in your email client.

To find the sender's IP address, you need to look for the header X-Originating-IP. If that header is not displayed, you need to look at the first received server to find the IP address of the sender. Keep in mind that the IP can still be fake, e.g. if a proxy was used.

Update 2: The original site is no longer available on the Internet, and we have removed the link pointing to it from this article as a consequence.


Tutorials & Tips

Previous Post: «
Next Post: «


There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.