How to trace emails to their source IP address

The first thing you do when you hear an email notification is check the sender, right? That is the fastest way to tell who the email is from and what it is likely to contain.

But did you know that each email carries far more information than most email clients show? The email header contains a wealth of information about the sender that you can use to trace the email back to its source.

Here’s how to trace an email back to where it came from, and why you might want to.

Why trace an email address?

Before you learn how to trace an email address, let’s consider why you would do it in the first place.

Malicious emails are all too common these days. Scams, spam, malware and phishing emails are a familiar sight in the inbox. If you trace an email back to its source, you have a slight chance of finding out who (or where!) the email came from.

In other cases, you can trace the origin of an email to block a persistent source of spam or abusive content and keep it out of your inbox for good; server administrators trace emails for the same reason.

How to trace an email address

You can trace an email address to its sender by consulting the full email header. The email header contains routing information and email metadata, information that is not normally of interest to you. But this information is essential for finding the source of the email.

Most email clients don’t display the full email header by default, as it is full of technical data and of little use to the inexperienced eye. However, most email clients provide a way to view the full header. You just need to know where to look and what to look for.

  • Full Gmail email header: open your Gmail account, then open the email you want to trace. Select the drop-down menu in the upper right corner, then Show original.
  • Full Outlook email header: double-click the email you want to trace, then go to File > Properties. The information appears under Internet headers.
  • Full Apple Mail email header: open the email you want to trace, then navigate to View > Message > Raw Source.

Of course, there are countless email clients. A quick internet search will show you how to find the full email header in the client of your choice. Once the full email header is open, you will understand what I meant by “full of technical data”.

Understand the data in a full email header

This looks like a lot of information, but bear two things in mind: you read it chronologically from the bottom up (the oldest information is at the bottom), and each new server the email passes through adds a Received line to the header. Check out this example email header taken from my Gmail account:

Gmail email header lines

There is a lot of information. Let’s break it down. First, understand what each line means (reading from bottom to top).

  • Reply-To: the email address your reply is sent to.
  • From: displays the sender of the message; very easy to forge.
  • Content-Type: tells your browser or email client how to interpret the content of the email. The most common character sets are UTF-8 (seen in the example) and ISO-8859-1.
  • MIME-Version: declares the email format standard used. The MIME version is usually “1.0”.
  • Subject: subject of the e-mail content.
  • To: the intended recipients of the email; can display other addresses.
  • DKIM-Signature: DomainKeys Identified Mail authenticates the domain the email was sent from and is meant to protect against impersonation and sender fraud.
  • Received: lists each server the email passed through before reaching your inbox. You read the Received lines from bottom to top; the lowest line is the originator.
  • Authentication-Results: contains a record of the authentication checks performed; can contain multiple authentication methods.
  • Received-SPF: The Sender Policy Framework (SPF) is part of the email authentication process that stops sender address spoofing.
  • Return-Path: where bounce messages end up.
  • ARC-Authentication-Results: the Authenticated Received Chain is another authentication standard; ARC verifies the identity of the email intermediaries and servers that deliver your message to its final destination.
  • ARC-Message-Signature: the signature takes a snapshot of the message header information for validation; similar to DKIM.
  • ARC-Seal: “Seals” the results of the ARC authentication and the message signature, verifying their content; similar to DKIM.
  • X-Received: differs from “Received” in that it is considered non-standard; that is, it may not be a permanent address, such as a mail transfer agent or Gmail SMTP server. (See below.)
  • X-Google-Smtp-Source: shows that the email was relayed through a Gmail SMTP server.
  • Delivered-To: final recipient of the email in this header.

Finding the original sender of an email

To trace the IP address of the original sender, go to the first Received line in the full email header (the one nearest the bottom). Next to that first Received line is the IP address of the server that sent the email. Sometimes it appears as X-Originating-IP or Original-IP.

Find the IP address, then head to MX Toolbox. Enter the IP address in the box, change the lookup type to Reverse Lookup using the drop-down menu, then press Enter. The results will display a variety of information about the sending server.

That is, unless the original IP address is one of the millions of private IP addresses. Then you will come across the following message:

The IP address ranges, 172.16.00-,, and are private. Searches for IP addresses for these ranges will not return any results.
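The bottom-up reading rule and the private-range caveat above can be applied automatically. The following script is an added example, not part of the original article: it parses a constructed sample header (hostnames and addresses are made up, taken from documentation ranges), lists the Received hops in transit order, and reports the first routable address, skipping RFC 1918 and loopback addresses for which a reverse lookup returns nothing.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample header with three hops; as in a real header, the oldest
# "Received" line is at the bottom.  Hostnames and addresses are made up
# (documentation ranges), not taken from a real message.
RAW = """\
Delivered-To: victim@example.com
Received: from mx.example.com (mx.example.com. [203.0.113.10])
        by mail.example.com with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
        by mx.example.com with ESMTP id def456; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20])
        by relay.example.net with ESMTPSA id ghi789; Mon, 1 Jan 2024 10:00:01 +0000
From: "Alice" <alice@example.org>
Subject: test

body
"""

# RFC 1918 ranges plus loopback: a reverse lookup on these returns nothing useful.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_private(ip_str):
    return any(ipaddress.ip_address(ip_str) in net for net in PRIVATE_NETS)

def received_hops(raw):
    """Received lines in transit order: the bottom-most (oldest) line first."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))

def hop_ips(hop):
    """Distinct IPv4 literals in one Received line, in order of appearance."""
    ips = []
    for m in IP_RE.finditer(hop):
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:      # e.g. 999.1.1.1 inside some other token
            continue
        if m.group(1) not in ips:
            ips.append(m.group(1))
    return ips

def trace(raw):
    """[(hop_number, ip, private?)] walking from the originator towards the inbox."""
    return [(i, ip, is_private(ip)) for i, hop in enumerate(received_hops(raw), 1)
            for ip in hop_ips(hop)]

def originating_ip(raw):
    """First routable address on the path; private hops (home LAN, etc.) are skipped."""
    return next((ip for _, ip, priv in trace(raw) if not priv), None)
```

In the sample the originator connected from a 192.168.x address, so the first address worth a reverse lookup is that of the relay in the second hop; remember that everything below the first server you trust could have been forged by the sender.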

3 useful header analyzers and IP tracers

Of course, there are handy tools that automate this process for you. It’s useful to learn about full email headers and their contents, but sometimes you just need a quick answer.

Check out the following header parsers:

However, the results do not always match. In the example below, I know the sender is far from the presumed location, Ashburn, Virginia:

Can you really find someone’s address?

There are cases where tracing an IP address through the email header is useful: a particularly irritating spammer, perhaps, or the source of regular phishing emails. Some emails will only come from certain locations; your PayPal emails will not originate from China, for example.

However, given how easy it is to spoof email headers, take whatever results you find with a pinch of salt.