How to Read and Analyse Email Headers: A Practical Guide for NZ Businesses

Email headers are the hidden metadata behind every message that lands in your inbox. They tell the real story of where an email came from, how it got there, and whether it passed critical security checks like SPF, DKIM and DMARC. For New Zealand businesses battling phishing, invoice fraud and spoofed domains, learning to read email headers is one of the most valuable security skills you can develop.

This guide will walk you through how to view, interpret and analyse email headers — no deep technical background required.

What Are Email Headers?

Email headers are a block of text attached to every email that records its journey across the internet. Think of them like the postmarks and routing stickers on a parcel: each mail server that handles the message adds its own stamp.

Headers include information such as:

  • The original sender and their IP address
  • Every server the message passed through
  • Authentication results (SPF, DKIM, DMARC)
  • Timestamps for each hop
  • Message IDs and subject lines

While most users never see them, headers are essential when investigating suspicious emails, deliverability issues, or potential spoofing.

How to View Email Headers in Common Clients

Before you can analyse headers, you need to know how to find them.

Gmail

  1. Open the email.
  2. Click the three dots (⋮) in the top right.
  3. Select Show original.

Outlook (Microsoft 365)

  1. Open the email.
  2. Click File > Properties.
  3. Copy the text from the Internet headers box.

Apple Mail

  1. Open the email.
  2. Click View > Message > All Headers (or press ⌥⌘U).

The Key Headers You Need to Understand

A raw header can look overwhelming, but you really only need to focus on a handful of fields.

1. From, Reply-To and Return-Path

These three fields identify the sender — and they don't always match.

From: "IRD" <noreply@ird-nz-refunds.com>
Reply-To: accounts@suspicious-domain.xyz
Return-Path: <bounce@mailer-xyz.ru>

If the display name says "Inland Revenue" but the domain is something odd like ird-nz-refunds.com, that's a major red flag. Mismatches between From, Reply-To and Return-Path are classic signs of a phishing attempt.

2. Received Headers

Received: lines document every server the message touched, listed in reverse order (newest at the top). Read them from the bottom up to trace the email's journey. Bear in mind that only the Received: lines added by servers you trust (your own gateway and the hops above it) are reliable; anything below them was written on the sender's side and can be fabricated.

Received: from mail.example.co.nz (mail.example.co.nz [203.0.113.25])
    by mx.google.com with ESMTPS id abc123
    for <you@yourcompany.co.nz>;
    Tue, 12 Nov 2024 10:14:32 +1300 (NZDT)

Look for:
- The originating IP address (bottom-most Received line).
- Whether the IP geolocates to a region you'd expect (e.g. an email claiming to be from a Wellington supplier but originating in Eastern Europe). Treat this as a signal rather than proof: legitimate mail sent through cloud providers or bulk-mail services often originates from overseas data centres.
- Unusual delays between hops.

3. Authentication-Results

This is the single most important header for security analysis. It shows whether the message passed SPF, DKIM and DMARC.

Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of sender@yourcompany.co.nz designates 203.0.113.25 as permitted sender) smtp.mailfrom=sender@yourcompany.co.nz;
    dkim=pass header.i=@yourcompany.co.nz header.s=selector1;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourcompany.co.nz

What to look for:

  • spf=pass — the sending IP is authorised by the domain's SPF record.
  • dkim=pass — the DKIM signature verified, so the signed headers and body were not altered in transit.
  • dmarc=pass — the domain's DMARC policy was satisfied.

If you see spf=fail, dkim=fail or dmarc=fail, treat the email with caution. A result of none (nothing to check, such as no DKIM signature), or no Authentication-Results header at all, also deserves a closer look.

4. Message-ID

A unique identifier for the email. Legitimate mail servers generate consistent Message-IDs that usually contain the sending domain.

Message-ID: <CABx123xyz@mail.yourcompany.co.nz>

A Message-ID that doesn't match the claimed sending domain can indicate spoofing or a misconfigured mail system.

A Step-by-Step Analysis Workflow

Here's a simple process you can follow whenever you need to investigate a suspicious message.

  1. View the full headers using the steps for your email client above.
  2. Check the From, Reply-To and Return-Path — do they align with a legitimate domain?
  3. Review Authentication-Results — did SPF, DKIM and DMARC pass?
  4. Trace the Received chain — does the originating IP make sense for the claimed sender?
  5. Check the Message-ID — does the domain match?
  6. Look for anomalies — unusual timestamps, unexpected routing through foreign servers, or missing authentication headers entirely.
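The workflow above, together with the Received and Authentication-Results sections, as an added Python example that is not part of the original guide: it parses a raw header block with the standard library's email module and applies steps 2 to 5 (From/Reply-To/Return-Path alignment, the SPF/DKIM/DMARC verdicts, the originating IP from the bottom-most Received line, and the Message-ID domain check). The header block is constructed to mirror the guide's Christchurch supplier example; the hostnames, message IDs and the 203.0.113.10 hop are made up.

```python
import email
import re
from email.utils import parseaddr
# Constructed raw header block modelled on this guide's Christchurch supplier
# example (not a captured message); paste real headers from "Show original".
RAW_HEADERS = """\
Received: from mx.yourcompany.co.nz ([203.0.113.10])
    by mail.yourcompany.co.nz with ESMTP id def456; Tue, 12 Nov 2024 10:14:35 +1300
Received: from 185.220.101.47 (tor-exit.unknown-host [185.220.101.47])
    by mx.yourcompany.co.nz with ESMTP id xyz789; Tue, 12 Nov 2024 10:14:32 +1300 (NZDT)
Authentication-Results: mx.yourcompany.co.nz;
    spf=fail smtp.mailfrom=noreply@mailblast-promo.info; dkim=none;
    dmarc=fail header.from=christchurch-supplier.co.nz
From: "Accounts" <accounts@christchurch-supplier.co.nz>
Return-Path: <noreply@mailblast-promo.info>
Message-ID: <abc123@mailblast-promo.info>
"""

def domain_of(header_value):
    """Lowercase domain of an address-style header ('' if the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Apply steps 2-5 of the checklist and return the red flags found."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    flags = []
    # Step 2: Reply-To and Return-Path should sit on the same domain as From.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom} != From domain {from_dom}")
    # Step 3: each mechanism must report 'pass'; a missing verdict is a flag too.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            flags.append(f"{mech}={result}")
    # Step 4: the bottom-most Received line carries the originating address.
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    origin_ip = m.group(1) if m else None
    # Step 5: the Message-ID domain should match the claimed sending domain.
    mid_dom = domain_of(msg["Message-ID"])
    if mid_dom and mid_dom != from_dom:
        flags.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")
    return {"from_domain": from_dom, "origin_ip": origin_ip, "flags": flags}
```

Run `analyse(RAW_HEADERS)` to see the five flags raised by the sample; an empty flags list on a real message means the checklist found nothing, not that the message is safe.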

A Real-World NZ Example

Imagine you receive an "invoice" claiming to be from a Christchurch supplier. The headers show:

From: accounts@christchurch-supplier.co.nz
Return-Path: <noreply@mailblast-promo.info>
Received: from 185.220.101.47 (tor-exit.unknown-host)
Authentication-Results: spf=fail dkim=none dmarc=fail

Even without deep expertise, the signals are clear: the Return-Path points to an unrelated domain, the originating IP is a Tor exit node, and none of the three authentication checks passed (SPF failed, no DKIM signature was present, and DMARC failed). This email should be reported and deleted — and ideally your mail gateway should have blocked it before it arrived.

Why This Matters for New Zealand Businesses

Kiwi businesses are increasingly targeted by Business Email Compromise (BEC), fake invoice scams and brand impersonation. CERT NZ regularly reports losses running into millions of dollars per quarter, much of it tied to emails that look genuine on the surface but fall apart under header analysis.

Training your team to spot red flags — and configuring strong SPF, DKIM and DMARC records on your own domain — dramatically reduces your exposure.

Check Your Own Domain with xteam MailCheck

Reading headers tells you about emails you receive. But what about the emails your business sends? If your SPF, DKIM or DMARC records aren't configured correctly, your legitimate mail may fail authentication — or worse, attackers may be able to spoof your domain.

Try xteam MailCheck for free to instantly analyse your domain's email authentication setup. You'll get a clear report on your SPF, DKIM, DMARC and BIMI records, plus practical recommendations to improve deliverability and block spoofing — built specifically for New Zealand businesses.

Understanding headers is the first step. Securing your own domain is the next one.