Analyzing Phishing Email Headers

Overview

Email headers contain critical metadata that reveals the true origin, routing path, and authentication status of emails. Analyzing these headers is a foundational skill for identifying phishing attempts, verifying sender authenticity, and gathering threat intelligence. This guide covers systematic extraction and interpretation of email headers using both manual techniques and automated tools.

Prerequisites

Basic understanding of SMTP protocol and email delivery
Familiarity with DNS records (MX, TXT, SPF, DKIM, DMARC)
Python 3.8+ installed
Access to email client that can export raw headers (Outlook, Gmail, Thunderbird)

Key Concepts

Critical Header Fields

Received: Chain of mail servers the message passed through (read bottom to top)
From / Return-Path / Reply-To: Sender identity fields (often spoofed)
Authentication-Results: SPF, DKIM, DMARC verification outcomes
X-Originating-IP: Original sender IP address
Message-ID: Unique identifier; anomalies indicate spoofing
X-Mailer / User-Agent: Email client used to compose the message

Red Flags in Headers

Mismatched From and Return-Path domains
SPF/DKIM/DMARC failures in Authentication-Results
Suspicious Received chains with unfamiliar relay servers
X-Originating-IP from unexpected geographies
Missing or malformed Message-ID
Unusual X-Mailer values (e.g., mass-mailing tools)

Implementation Steps

Step 1: Extract Raw Email Headers

Gmail: Open email -> Three dots -> "Show original"
Outlook: Open email -> File -> Properties -> Internet Headers
Thunderbird: View -> Message Source (Ctrl+U)

Step 2: Parse Headers with Python

Use the scripts/process.py script to automate header analysis including IP geolocation, authentication validation, and anomaly detection.

Step 3: Validate Authentication Chain

Check SPF alignment: Does the sending IP match the domain's SPF record?
Check DKIM signature: Is the cryptographic signature valid?
Check DMARC policy: Does the message pass DMARC alignment?

Step 4: Trace Mail Route

Read Received headers from bottom to top
Map each hop's IP to organization/location
Identify unexpected relays or delays

Step 5: Correlate with Threat Intelligence

Look up originating IP on AbuseIPDB, VirusTotal
Check sending domain age on WHOIS
Search for known phishing infrastructure patterns

Tools & Resources

MXToolbox Header Analyzer: https://mxtoolbox.com/EmailHeaders.aspx
Google Admin Toolbox: https://toolbox.googleapps.com/apps/messageheader/
AbuseIPDB: https://www.abuseipdb.com/
VirusTotal: https://www.virustotal.com/
PhishTank: https://phishtank.org/

Validation

Successfully parse headers from 3 different email providers
Correctly identify authentication pass/fail status
Accurately trace email routing path
Detect at least 3 phishing indicators in a sample phishing email

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add analyzing-phishing-email-headers

# Or load dynamically via MCP
grc.load_skill("analyzing-phishing-email-headers")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Analyzing Phishing Email Headers

Overview

Prerequisites

Basic understanding of SMTP protocol and email delivery
Familiarity with DNS records (MX, TXT, SPF, DKIM, DMARC)
Python 3.8+ installed
Access to email client that can export raw headers (Outlook, Gmail, Thunderbird)

Key Concepts

Critical Header Fields

Received: Chain of mail servers the message passed through (read bottom to top)
From / Return-Path / Reply-To: Sender identity fields (often spoofed)
Authentication-Results: SPF, DKIM, DMARC verification outcomes
X-Originating-IP: Original sender IP address
Message-ID: Unique identifier; anomalies indicate spoofing
X-Mailer / User-Agent: Email client used to compose the message

Red Flags in Headers

Mismatched From and Return-Path domains
SPF/DKIM/DMARC failures in Authentication-Results
Suspicious Received chains with unfamiliar relay servers
X-Originating-IP from unexpected geographies
Missing or malformed Message-ID
Unusual X-Mailer values (e.g., mass-mailing tools)

Implementation Steps

Step 1: Extract Raw Email Headers

Gmail: Open email -> Three dots -> "Show original"
Outlook: Open email -> File -> Properties -> Internet Headers
Thunderbird: View -> Message Source (Ctrl+U)

Step 2: Parse Headers with Python

Use the scripts/process.py script to automate header analysis including IP geolocation, authentication validation, and anomaly detection.

Step 3: Validate Authentication Chain

Check SPF alignment: Does the sending IP match the domain's SPF record?
Check DKIM signature: Is the cryptographic signature valid?
Check DMARC policy: Does the message pass DMARC alignment?

Step 4: Trace Mail Route

Read Received headers from bottom to top
Map each hop's IP to organization/location
Identify unexpected relays or delays

Step 5: Correlate with Threat Intelligence

Look up originating IP on AbuseIPDB, VirusTotal
Check sending domain age on WHOIS
Search for known phishing infrastructure patterns

Tools & Resources

MXToolbox Header Analyzer: https://mxtoolbox.com/EmailHeaders.aspx
Google Admin Toolbox: https://toolbox.googleapps.com/apps/messageheader/
AbuseIPDB: https://www.abuseipdb.com/
VirusTotal: https://www.virustotal.com/
PhishTank: https://phishtank.org/

Validation

Successfully parse headers from 3 different email providers
Correctly identify authentication pass/fail status
Accurately trace email routing path
Detect at least 3 phishing indicators in a sample phishing email

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add analyzing-phishing-email-headers

# Or load dynamically via MCP
grc.load_skill("analyzing-phishing-email-headers")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Analyzing Phishing Email Headers

Overview

Prerequisites

Key Concepts

Critical Header Fields

Red Flags in Headers

Implementation Steps

Step 1: Extract Raw Email Headers

Step 2: Parse Headers with Python

Step 3: Validate Authentication Chain

Step 4: Trace Mail Route

Step 5: Correlate with Threat Intelligence

Tools & Resources

Validation

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Analyzing Malicious Url with URLScan

Detecting Business Email Compromise

Detecting Spearphishing with Email Gateway

Implementing Anti Phishing Training Program

Implementing DMARC DKIM SPF Email Security

Implementing Email Sandboxing with Proofpoint

Prerequisites

Analyzing Phishing Email Headers

Overview

Prerequisites

Key Concepts

Critical Header Fields

Red Flags in Headers

Implementation Steps

Step 1: Extract Raw Email Headers

Step 2: Parse Headers with Python

Step 3: Validate Authentication Chain

Step 4: Trace Mail Route

Step 5: Correlate with Threat Intelligence

Tools & Resources

Validation

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Analyzing Malicious Url with URLScan

Detecting Business Email Compromise

Detecting Spearphishing with Email Gateway

Implementing Anti Phishing Training Program

Implementing DMARC DKIM SPF Email Security

Implementing Email Sandboxing with Proofpoint