
How to detect spoofing from headers?

Spoofed emails pretend to come from someone they don't. Headers reveal the deception. Here's what to check:

Authentication failures: Legitimate senders usually pass SPF, DKIM, and DMARC. Failures (especially dkim=fail or dmarc=fail) are red flags. Check Authentication-Results.

From vs Return-Path mismatch: While these can legitimately differ, wild mismatches (From shows your-bank.com, Return-Path shows random-domain.xyz) indicate spoofing.

Received header analysis: Read the earliest Received header (bottom). The originating IP and hostname should make sense for the claimed sender. An email claiming to be from bigcorp.com shouldn't originate from a residential IP in an unrelated country.

IP reputation: Look up the originating IP in reputation databases. Spammers often use IPs with poor reputation or known spam sources.

Header anomalies: Missing standard headers, unusual X-headers, inconsistent date formats, or malformed Message-IDs suggest automated spam tools rather than legitimate mail systems.

Display name vs address: From: "Amazon Support" <random123@malicious.com> uses a familiar name with an unrelated address. The headers make this obvious even when the email client only shows the display name.
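As an added example (not code from the original article), the Python below applies the checks above to a constructed message: it reads Authentication-Results, compares the From and Return-Path domains, applies a display-name heuristic, and pulls the originating IP from the earliest Received header. The domains, IPs and the heuristics are assumptions for illustration, not a standard library.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real message): From claims your-bank.com, relay is random-domain.xyz.
SAMPLE = b"""Return-Path: <bounce@random-domain.xyz>
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by inbox.example.org with ESMTPS; Tue, 04 Mar 2025 10:01:02 +0000
Received: from unknown (HELO localhost) (198.51.100.23)
    by mx.example.net with SMTP; Tue, 04 Mar 2025 10:01:00 +0000
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=random-domain.xyz;
    dkim=none; dmarc=fail header.from=your-bank.com
From: "Your Bank Security" <alerts@your-bank.com>
"""

def domain_of(addr):
    """Lowercase domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg):
    """Parse Authentication-Results into {spf|dkim|dmarc: result}."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m[1].lower(): m[2].lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def display_name_mismatch(name, addr):
    """Heuristic: no 4+ letter word of the display name appears in the domain."""
    words = re.findall(r"[a-z]{4,}", name.lower())
    return bool(words) and not any(w in domain_of(addr) for w in words)

def originating_ip(msg):
    """The earliest Received header is the last one; take its first IPv4."""
    received = msg.get_all("Received") or [""]
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", str(received[-1]))
    return m[1] if m else None

def spoofing_indicators(raw):
    """Return header findings plus the originating IP to look up."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = auth_results(msg)
    findings = [f"{m}={results.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    name, sender = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if domain_of(sender) != domain_of(return_path):
        findings.append(f"From {domain_of(sender)} vs Return-Path {domain_of(return_path)}")
    if display_name_mismatch(name, sender):
        findings.append("display name unrelated to address")
    return {"findings": findings, "originating_ip": originating_ip(msg)}
```

The returned IP is what you would then look up in a reputation database; the script only extracts it, since that lookup needs network access.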

Spoofed emails fly false flags, like ships. Inspecting their papers, the headers, reveals they're not who they claim to be.