How to Trace (and Report) a Spammy Email

Category: Email, Spam

Did you hear that sound?... another unwanted email with a fake “From” address just went "THUD" in your inbox. I'll bet you wish you could find out where it actually came from. And what about that email you got several days after it was sent? Read on to learn about some free tools that can help with both situations...

Who Really Sent That Email?

There are times when it’s useful to trace the path that an email traveled to land in your inbox. The most common situation is suspected spam, when you want to discover the true source of an email. Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating. Here's why.

Every email contains hidden information about the path it took to reach you, called “header information.” To most people, it looks like 100 or so lines of gibberish, which is why it's hidden by your email program. Here is just a small part of a typical example:

Received: by 110.46.73.35 with SMTP id z62csp234112ita; Mon, 18 Apr 2026 05:10:19 -0700 (PDT)
X-Received: by 10.67.3.3 with SMTP id bs3pad.121.144187; 18 Apr 2026 05:10:17 -0700 (PDT)
Return-Path: EDDCOQNWXFNNFKD.BNLk9QJHMF3MHBFK.BNL@example.com
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Message-ID: 60762392-7dbc-50e41ecd8bee@xt2mta1217.xt.local

How to Trace Emails

With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense of email headers like this snippet. Geeks who run email servers or those who hunt down spammers for fun may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible to humans.

The MxToolBox Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. You don't need to be a Certified Network Professional to use the Analyzer, though. Just copy and paste a block of header information into the tool’s form and click the “Analyze Header” button.

The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious, malicious, fictitious, or pernicious.

Wrapping Your Head Around Headers

I mentioned above that the email headers are hidden from view by email programs. So where do you find those hidden headers? Google provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.

The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel half-way around the globe.)

IPTracker is an email header tool that's more suited for non-techie users. In addition to showing the IP address of the sender, it also shows the name of the sender's Internet service provider, and the city and country of origin on a map.

Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.

Here are some bits of information that can be gleaned by analyzing the headers of an incoming email message:

  • Sender information: From and Reply-To addresses (either may be forged)
  • Recipient information: In addition to the "To" address, you can see if there were Cc: (Carbon copy) or Bcc: (Blind copy) recipients. A long list of Cc or Bcc addresses is a red flag for spam.
  • Spam/Virus Flags: You may find X-Spam-Status, X-Spam-Flag, and X-Virus-Scanned flags, indicating whether the email was flagged as spam or scanned for viruses.
  • Validation: SPF, DKIM and DMARC headers will show PASS/FAIL values, to indicate if the From: address may have been forged
  • Client Headers: X-Mailer and User-Agent headers may reveal the software used to send the email.

Identifying a Spammer

When a load of fresh, steaming hot spam arrives in your inbox, should you get mad, get even, or just press the delete button? My article Ready to Report a Spammer? (Read this FIRST...) answers that question.

If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication where it originated. According to Statista, Russia is the top spam-producing country, where 32.5% of all spam originated in 2025. China ranked second, with 19.1 percent.

It's also important to keep in mind that a lot of spammy emails are sent from ordinary home computers that are compromised by malware. The spamming masterminds can use networks of infected personal computers that number in the millions, to send their detestable dispatches anonymously. So don't assume that the person in the From: line of an email has any knowledge of having sent it.

For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that the first "Received" line is the one closest to the bottom of the headers. As messages travel over the Internet, the header lines stack up, so you need to read them in reverse order.)

For example, I got a classic 419 Scam email from a spammer recently, showing this: "Received: from User (UnknownHost [105.112.26.217]) by vdt.com …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.
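The bottom-up reading of "Received" lines described above can be automated with Python's standard email module. This is an added example, not part of the original article; the sample headers, host names and addresses are constructed from reserved documentation ranges, and only bracketed IPv4 addresses are handled.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (reserved documentation addresses, not a real message).
SAMPLE = """\
Received: from mx.mydomain.example (mx.mydomain.example [192.0.2.10])
\tby inbox.mydomain.example with ESMTP id abc123;
\tMon, 20 Apr 2026 05:10:19 -0700 (PDT)
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.mydomain.example with ESMTP id def456;
\tMon, 20 Apr 2026 05:10:17 -0700 (PDT)
Received: from User (UnknownHost [203.0.113.45])
\tby relay.isp.example with SMTP id ghi789;
\tMon, 20 Apr 2026 11:55:02 +0000
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.example>
Subject: constructed test message

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 only

def trace_hops(raw):
    """Return hops oldest-first with the connecting IP, timestamp and delay."""
    received = message_from_string(raw).get_all("Received", [])
    hops, prev = [], None
    for value in reversed(received):      # bottom header = first hop
        ip = IP_RE.search(value)
        try:                              # the timestamp follows the last ';'
            when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            when = None                   # malformed or missing date
        known = prev is not None and when is not None
        delay = (when - prev).total_seconds() if known else None
        hops.append({"ip": ip.group(1) if ip else None, "time": when, "delay_s": delay})
        prev = when or prev
    return hops

def origin_ip(raw):
    """IP named on the earliest Received line, or None if there is none."""
    hops = trace_hops(raw)
    return hops[0]["ip"] if hops else None

if __name__ == "__main__":
    for h in trace_hops(SAMPLE):
        print(h["ip"], h["time"], h["delay_s"])
```

Only the "Received" lines written by servers you trust (your own provider's) are reliable; lines below them were supplied along with the message and can be fabricated, so treat the bottom-most IP as a lead rather than proof.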

If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble.

Keep in mind that anonymizing tools like VPNs (virtual private networks), proxy servers, forwarding services, and Tor can be used to hide or mask the IP address of an email sender. So your attempt to trace an email back to the actual sender may lead down a rabbit hole.

How to Report Suspicious Mail

Most major mail services make this easy now. In Gmail, Outlook, Yahoo, and similar services, you can usually use the spam, phishing, or block options right from the message menu, which helps train the system to catch similar mail in the future. If the message is clearly bogus, reporting it is often more useful than trying to track down the sender yourself, since the mail provider can use that report to improve filtering for you and other users.

If you can determine from the headers that the outgoing mail server is a well-known internet service provider (Xfinity, AT&T, Verizon, and Spectrum are examples), you can forward the suspect message, with full headers exposed, to abuse@[isp-name].com and often they will disable the sender's account.

Don’t bother forwarding unwanted emails to the FTC at spam@uce.gov – that address was phased out in 2004. You can, however, file a report with the FTC; just don't expect a reply. They will share your report with local, state, federal and foreign law enforcement partners. The FTC does not resolve individual complaints, but your report might be used to investigate cases.

Some Email Authentication Tips

Modern email services use SPF, DKIM, and DMARC to help spot fake messages. In plain English, these checks help your mail program decide whether an email really came from the domain it claims to use.

You don't need to be a techie to make use of them. In Gmail, for example, you can open a message and choose “Show original” to see whether those checks passed or failed. If any of them fail, that's a sign the message may be spoofed or suspicious. Here's an example from a spammy email I just got:

[Image: email authentication failed]

A pass does not guarantee the sender is safe, but a fail is a red flag. If the message looks fishy and the authentication checks do not line up, it's best to delete it and move on.
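The same pass/fail check can be read out of the raw headers, where receiving servers record SPF, DKIM and DMARC verdicts in an Authentication-Results header. This is an added example, not part of the original article; the header block is constructed with reserved example domains, and it assumes the topmost Authentication-Results header was written by your own mail provider.

```python
import re
from email import message_from_string

# Constructed header block (reserved example domains and addresses).
SPOOFED = """\
Authentication-Results: mx.mydomain.example;
\tdkim=fail header.i=@example.com header.s=sel1;
\tspf=softfail (domain of transitioning bounce@mailer.example does not
\tdesignate 203.0.113.45 as permitted sender) smtp.mailfrom=bounce@mailer.example;
\tdmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Authentication-Results: unknown-relay.example; spf=pass; dkim=pass; dmarc=pass
From: "Example Bank" <alerts@example.com>
Subject: constructed test message

body
"""

METHOD_RE = re.compile(r"(?<![\w-])(spf|dkim|dmarc)=([a-z]+)", re.I)
RED_FLAGS = {"fail", "softfail"}

def auth_summary(raw):
    """Summarise SPF/DKIM/DMARC verdicts from Authentication-Results headers."""
    results = {}
    # Headers are listed newest first. Assumption: the topmost one came from
    # your own provider. Lower ones arrived with the message and cannot be
    # trusted, so the first verdict seen for each method wins.
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        for method, verdict in METHOD_RE.findall(value):
            results.setdefault(method.lower(), verdict.lower())
    failed = sorted(m for m, v in results.items() if v in RED_FLAGS)
    return {"results": results, "failed": failed, "red_flag": bool(failed)}

if __name__ == "__main__":
    summary = auth_summary(SPOOFED)
    print(summary["results"])
    print("red flag" if summary["red_flag"] else "no failures (not proof of safety)")
```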

Personally, I find it more satisfying to just hit the DELETE button and move on with my life. Your thoughts on this topic are welcome. Post your comment or question below...

 

This article was posted by on 23 Apr 2026



Most recent comments on "How to Trace (and Report) a Spammy Email"

Posted by:

howard
23 Apr 2026

The problem I find is that in order to report a scam or a phishing email, one has to open it to forward it to the business involved, so they can deal with it, but doing that also tells the sender that it went to an active email address. There should be a way to send those without opening them. All too often, different businesses have a different address to send suspect to; it makes more sense if all of them would use the same address, abuse@(their) address or spam@. If people have to jump thru hoops to find where to send the "spam", how many people will take the time? In Outlook one can right click on the sender's address, scroll down to view, which gives 3 choices; sometimes one can read the message without opening or view the sender's routing, which can be very long. In Gmail there is a way to find where it came from too: click on the 3 dots on the upper right side, which gives about 10 options concerning the open email.


Posted by:

John Blatt
23 Apr 2026

I have recently started getting a LOT of emails with "ibernoticias.com" or some variation of that as part of the return address. Many, if not all, are fake notices of "your account is being closed" or "payment failed". As I never joined any of the sites supposedly sending the messages I just mark them as spam and delete (I use Thunderbird). A lot of them purport to be from Spectrum, but I have Spectrum on autopay and I know the payments are going through. Is "ibernoticias.com" known for sending a lot of spam? I googled them and it appears to be a legitimate outfit, but "if it quacks like a duck" etc. Thanks.


Posted by:

Lynn
23 Apr 2026

I often send the bad stuff to phishing@paypal.com and they respond.



Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- How to Trace (and Report) a Spammy Email (Posted: 23 Apr 2026)
Source: https://askbobrankin.com/how_to_trace_and_report_a_spammy_email.html