How do you perform header forensics?
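Obtain full headers: most clients have a "view original" or "show headers" option. Copy the complete header text for analysis. Headers read bottom to top chronologically, because each server that handles the message adds its trace lines above the ones already present.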
Trace routing: examine the Received headers from bottom (origin) to top (destination). Identify each server in the chain. Unknown or suspicious servers warrant investigation.
Verify authentication: check **Authentication-Results** for the **SPF**, **DKIM**, and **DMARC** outcomes. Failures suggest **spoofing**. Cross-reference the claimed domains with the actual routing. Tools like the MxToolbox header analyzer help with interpretation.
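The three steps above can be scripted with Python's standard library. This is an added example, not part of the original answer: the sample headers are constructed with placeholder names and addresses, and the `trusted_authserv` parameter (the name your own receiving server puts in Authentication-Results) is an assumption of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (RFC 2606 / RFC 5737 placeholder names and addresses).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby store.recipient.example with ESMTP id 3; Tue, 02 Jan 2024 10:00:05 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=billing@bank.example;
\tdkim=none; dmarc=fail header.from=bank.example
Received: from relay.unknown.example (relay.unknown.example [203.0.113.7])
\tby mx.recipient.example with ESMTP id 2; Tue, 02 Jan 2024 10:00:03 +0000
Authentication-Results: mail.bank.example; spf=pass; dkim=pass; dmarc=pass
Received: from [198.51.100.23] (helo=laptop)
\tby relay.unknown.example with SMTP id 1; Tue, 02 Jan 2024 10:00:01 +0000
From: "Bank Billing" <billing@bank.example>
Subject: Invoice
"""

def received_chain(msg):
    """Hops oldest-first as (from, by); Received lines are prepended, so reverse."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())  # unfold continuation lines
        frm, by = re.search(r"\bfrom (\S+)", flat), re.search(r"\bby (\S+)", flat)
        hops.append((frm.group(1) if frm else None, by.group(1) if by else None))
    return hops

def auth_results(msg, trusted_authserv):
    """SPF/DKIM/DMARC verdicts, only from headers stamped by our own receiver."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        authserv = (raw.split(";", 1)[0].split() or [""])[0].lower()
        if authserv != trusted_authserv.lower():
            continue  # headers from other servers may claim "pass" falsely
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", raw, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def analyze(text, trusted_authserv):
    msg = message_from_string(text)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops, auth = received_chain(msg), auth_results(msg, trusted_authserv)
    hosts = [h.lower() for hop in hops for h in hop if h]
    in_route = any(h == from_domain or h.endswith("." + from_domain) for h in hosts)
    failing = sorted(m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass")
    return {"from_domain": from_domain, "hops": hops, "auth": auth,
            "not_passing": failing, "from_domain_in_route": in_route}
```

Calling `analyze(SAMPLE, "mx.recipient.example")` reports all three checks as not passing and no hop belonging to the From domain. Received lines below the first server you control are written by the sending side, so treat them as claims rather than facts.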