Email tracing is the process of working out where a message really came from and when it passed between mail servers. The evidence is in the message headers, not in the From: line, which a sender can set to anything. Every mail server that handles a message prepends a Received: header recording the host it got the message from, its own name and a timestamp, so the headers read in chronological order from bottom to top. To trace a message, look up the MX records of the recipient's domain to identify the mail server whose records you can trust, find the Received: header written by that server, and treat the IP address it received the message from as the best candidate for the real sender. Everything recorded below that header was written by machines the sender may control and can be forged. The candidate IP can then be checked against DNS blacklists and Whois to judge whether it plausibly belongs to the claimed sender.


Just because an email shows up in your inbox labeled Bill.Smith@somehost.com, doesn’t mean that Bill actually had anything to do with it. Read on as we explore how to dig in and see where a suspicious email actually came from.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader Sirwan wants to know how to figure out where emails actually originate from:

Let’s take a look at these email headers.

The Answers

SuperUser contributor Tomas offers a very detailed and insightful response:

Two other contributors, Ex Umbris and Vijay, recommended, respectively, the following services for help decoding email headers: SpamCop and Google’s Header Analysis tool.

First, in Gmail, use show original:

Then, the full email and its headers will open:

The headers are to be read chronologically from bottom to top — oldest are at the bottom. Every new server on the way will add its own message — starting with Received. For example:

Now, to find the real sender of your email, your goal is to find the last trusted gateway — last when reading the headers from the top, i.e. first in the chronological order. Let’s start by finding Bill’s mail server. For this, you query the MX record for the domain. You can use some online tools, or on Linux you can query it on the command line (note the real domain name was changed to domain.com):

You can trust this because this was recorded by Bill’s mail server for domain.com. This server got it from 209.86.89.64. This could be, and very often is, the real sender of the email — in this case the scammer! You can check this IP on a blacklist. — See, he is listed in 3 blacklists! There is yet another record below it:

but you cannot actually trust this, because that could just be added by the scammer to wipe out his traces and/or lay a false trail. Of course there is still the possibility that the server 209.86.89.64 is innocent and only acted as a relay for the real attacker at 168.62.170.129, but then the relay is often considered to be guilty and is very often blacklisted. In this case, 168.62.170.129 is clean so we can be almost sure the attack was done from 209.86.89.64.

And of course, as we know that Alice uses Yahoo! and elasmtp-curtail.atl.sa.earthlink.net isn’t on the Yahoo! network (you may want to re-check its IP Whois information), we may safely conclude that this email was not from Alice, and that we should not send her any money for her claimed vacation in the Philippines.
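The procedure Tomas describes (read the Received headers newest-first, stop at the last hop recorded by the recipient's own mail server, take the IP that server received the message from as the candidate sender, and treat every record below it as unverifiable) can be automated. The script below is an added example written for this page; it is not code from the original answer or from SuperUser. It assumes the set of trusted domains has already been obtained out of band from the MX lookup the answer describes (for instance with `dig MX domain.com`), and it uses a constructed sample message with RFC 5737 documentation addresses and `domain.example` standing in for Bill's domain. The DNSBL helper builds the reversed-octet query name; `zen.spamhaus.org` is used only as an example zone, and the network lookup is not needed to run the rest.

```python
import re
import socket
from email import message_from_string

# Constructed sample message (not from the original post). IPs are RFC 5737
# documentation addresses; domain.example stands in for Bill's domain and
# example.net for the untrusted relay the scammer's message passed through.
SAMPLE_EMAIL = """\
Received: from elasmtp-relay.example.net (elasmtp-relay.example.net [198.51.100.64])
\tby mx.domain.example (Postfix) with ESMTP id 1A2B3C
\tfor <bill.smith@domain.example>; Mon, 01 Jan 2018 10:00:02 +0000
Received: from [203.0.113.129] (helo=alice-pc)
\tby elasmtp-relay.example.net with esmtpa (Exim 4.67)
\tid 1aBcDe-000123-45; Mon, 01 Jan 2018 09:59:58 +0000
From: Alice <alice@yahoo.example>
To: Bill Smith <bill.smith@domain.example>
Subject: Stuck on vacation, please send money

Please wire the money today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the 'from' host, the bracketed source IP and the 'by' host out of
    one Received header. Parts that are absent come back as None."""
    text = re.sub(r"\s+", " ", value).strip()
    from_clause, _, rest = text.partition(" by ")
    m_from = re.match(r"from (\S+)", from_clause)
    m_ip = IPV4.search(from_clause)
    m_by = re.match(r"(\S+)", rest)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by_host": m_by.group(1) if m_by else None,
        "raw": text,
    }


def received_hops(raw_message):
    """Received headers in header order: the top of the message is the newest
    hop, so reversing this list gives the chronological (bottom-up) order."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def is_trusted(host, trusted_domains):
    """True when host is one of the trusted domains or a host under one of them."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_origin(raw_message, trusted_domains):
    """Walk the hops newest-first while the recording ('by') server is trusted.
    The first hop handed over by an untrusted host is the last trustworthy
    record; the IP it received from is the best candidate for the real sender.
    Everything below it was written by machines the sender may control."""
    hops = received_hops(raw_message)
    for i, hop in enumerate(hops):
        if not is_trusted(hop["by_host"], trusted_domains):
            raise ValueError("hop %d was not recorded by a trusted server" % i)
        if not is_trusted(hop["from_host"], trusted_domains):
            return {"suspect_ip": hop["ip"],
                    "recorded_by": hop["by_host"],
                    "unverified": hops[i + 1:]}
    return {"suspect_ip": None, "recorded_by": None, "unverified": []}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone="zen.spamhaus.org"):
    """Network lookup (assumed zone): a DNSBL answers with an A record only
    when the IP is listed, so NXDOMAIN means 'not listed'."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    verdict = find_origin(SAMPLE_EMAIL, {"domain.example"})
    print("last trusted record written by:", verdict["recorded_by"])
    print("candidate sender IP:", verdict["suspect_ip"])
    for hop in verdict["unverified"]:
        print("unverifiable claim:", hop["raw"])
```

Run as-is it reports `mx.domain.example` as the last trusted recorder and `198.51.100.64` as the candidate sender, and prints the lower Received line (claiming `203.0.113.129`) as an unverifiable claim, which mirrors the reasoning in the answer. Pass the output of your own MX lookup as the trusted set; if the topmost header was not written by one of those servers, the headers were not taken from the recipient's mailbox and the walk refuses to guess.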

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.