What is email header analysis?
Email header analysis examines the technical metadata attached to every email message. Headers contain the complete routing path from sender to recipient, IP addresses of every mail server that handled the message, timestamps at each hop, authentication results for SPF, DKIM and DMARC and the true originating server. This data reveals where an email actually came from regardless of what the From field displays.
Can you trace where an email came from?
Yes. The Received headers in an email document every mail server that processed the message from origin to delivery. By analyzing these headers bottom to top, you can identify the originating IP address, the sending mail server and the geographic region. SPF, DKIM and DMARC results further verify whether the claimed sender domain actually authorized the message.
What does a suspicious email header look like?
SPF (Sender Policy Framework) verifies that the sending server is authorized to send email for the claimed domain. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) combines SPF and DKIM results to enforce a domain owner's anti-spoofing policy. Failures in any of these indicate potential spoofing.
Is the email analyzer free?
Yes. The Sherlock Forensics Email Header Analyzer is completely free and runs entirely in your browser. No installation, no account required. Header text is parsed locally in your browser. The public IP addresses in the Received chain are queried client-side against ip-api.com to plot each hop on a map. Public IP addresses are public by design. Anyone with the headers can look them up. We do not collect, store or transmit your analysis.
How do I get email headers?
In Gmail, open the email, click the three-dot menu and select Show Original. In Outlook, open the message, click File then Properties and copy the Internet Headers. In Apple Mail, select View then Message then All Headers. Copy the full header text and paste it into the Sherlock Forensics Email Header Analyzer.
Can email headers be faked?
The From field can be trivially spoofed by anyone. However, Received headers added by legitimate mail servers are much harder to forge because each server in the chain adds its own entry. SPF, DKIM and DMARC authentication provide additional verification. A skilled analyst can identify forged headers by examining inconsistencies in timestamps, IP addresses and header ordering.
Is this tool suitable for legal proceedings?
The Sherlock Forensics Email Header Analyzer provides a structured view of email header data suitable for preliminary analysis. For court proceedings, engage a qualified forensic examiner to analyze the original email source files, document chain of custody and produce a formal forensic report. Contact Sherlock Forensics at 888.883.4550 for
expert witness and forensic analysis services.
What is email forensics?
Email forensics is the discipline of analyzing email messages as digital evidence: header forensics on the Received chain, SPF DKIM DMARC authentication review, URL extraction with threat scoring and attachment metadata surfacing. Email forensics supports phishing investigation, incident response, legal hold preservation, compliance audits and phishing campaign attribution. Sherlock Forensics Email Analyzer is the free browser-based email forensics tool for the header-analysis and SPF DKIM DMARC layer; for the full deep email forensics chain see our PST Viewer for mailbox-level work and PDF Editor for attachment threat scanning.
How do I investigate a phishing email forensically?
Phishing email investigation follows a four-step forensic workflow. Step 1 header forensics: cross-correlate the From, Reply-To, Return-Path and Received chain fields for spoofing signatures. Step 2 SPF DKIM DMARC authentication: read pass/fail results to see whether the claimed sender domain actually authorized the message. Step 3 URL extraction: collect every link in the body, unwrap shorteners and trace redirect chains. Step 4 attachment metadata: surface filename, claimed MIME type, declared size and attachment count from the headers. Sherlock Forensics Email Analyzer covers steps 1-3 inline and attachment-metadata surfacing. For the actual file-byte inspection (magic-byte validation, embedded macros, JavaScript or VBA payloads, PDF threat scanning) hand the attachment to the appropriate downstream Sherlock tool.
What is the difference between SPF, DKIM and DMARC?
SPF validates the sending IP against the claimed domain's authorized-sender list (the SPF record). DKIM validates the email content via a cryptographic DKIM signature using the sending domain's published public key. DMARC combines SPF and DKIM results with a published policy (p=reject, p=quarantine or p=none) that tells recipient mail servers what to do when SPF and DKIM both fail. The three authentication protocols answer different questions: SPF asks "is this IP allowed?", DKIM asks "is this content unchanged?", DMARC asks "what should I do if SPF or DKIM say no?"
Can Sherlock Forensics Email Analyzer detect spoofed sender addresses?
Yes. Sherlock surfaces three spoofing-detection signals: From-field versus Return-Path mismatches (the most common spoofing tell), SPF DKIM DMARC authentication failures from the claimed sending domain and Received chain anomalies (unexpected hop counts, geographic drift, time-zone inconsistencies). Header forensics on a spoofed phishing email typically lights up multiple signals simultaneously, which is the practical detection pattern. A skilled examiner reading the email analyzer output can distinguish a properly authenticated legitimate sender from a spoofed phishing email in under a minute.
Is email header analysis admissible as evidence in court?
Email header analysis output is regularly used as evidence in civil and criminal litigation, but admissibility depends on procedure. The forensic posture matters: preserve the original email source file (not just the rendered message), document the email chain of custody from acquisition through analysis, surface the SPF DKIM DMARC authentication results from the headers as delivered (not re-queried against current DNS) and produce the analysis output as a forensic report with examiner attestation. Sherlock Forensics Email Analyzer provides the analysis surface; for court-ready email chain of custody documentation engage a qualified forensic examiner at 888.883.4550 for a formal forensic report.
How do I check if an email is legitimately from the claimed sender?
Read the Authentication-Results header. A legitimate email from a properly configured sender shows SPF=pass, DKIM=pass with the signing domain matching the From-field domain and DMARC=pass with strict alignment. Any of these failing is a phishing email warning signal. Then check the Received chain: legitimate transactional mail typically hops through the claimed sender's own mail infrastructure and the recipient's; a phishing email often shows intermediate hops through unrelated bulk-mail providers or attacker-controlled servers. The combined signal classes give you a fast yes/no on sender legitimacy.
What is the difference between DMARC p=reject and p=quarantine?
A DMARC policy of p=reject tells recipient mail servers to drop messages that fail both SPF and DKIM authentication (or fail DMARC alignment); the message never arrives at the recipient mailbox. A DMARC policy of p=quarantine tells recipient mail servers to route failing messages to the spam or junk folder rather than the inbox. A DMARC policy of p=none means monitor only (no enforcement action), useful for measuring SPF DKIM DMARC implementation before enforcement. From a forensic perspective: a phishing email that arrives in the inbox with a DMARC p=reject result is itself a finding (either the recipient mail server did not honor the policy or the message bypassed the check).
Can Sherlock Forensics Email Analyzer analyze email attachments?
Sherlock Forensics Email Analyzer surfaces attachment metadata (filename, claimed MIME type, declared size, attachment count) from the email headers. For deeper attachment inspection (file-type validation against magic bytes, embedded macro detection, JavaScript or VBA payload analysis, PDF threat scanning) hand the attachment to the appropriate downstream Sherlock tool: PDF attachments go to Sherlock Forensics PDF Editor for PDF JavaScript and PDF embedded action analysis, image attachments go to Sherlock Forensics Metadata Inspector for EXIF and embedded payload checks. The email forensics workflow chains naturally from the email analyzer through these cross-product tools.