Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Can I Trace Where Email Came From?

You may not be able to, but there may be clues

A good rule of thumb is to begin at the bottom and work your way up in the headers to determine where an email is from.
Email header
Email header (Image: askleo.com)

I frequently get questions that boil down to “How can I trace where this email came from?” or “Can I determine the IP address of the sender of an email?”

The answer is both yes, maybe, and it may not do you any good. However there is a lot of interesting information in your email that you normally don’t see, and the trail of mail servers is part of that.

So let’s interpret some email headers.

Become a Patron of Ask Leo! and go ad-free!

Getting headers

First, there’s the challenge of even getting to the real email headers. Depending on your email program or interface, look for items like “Show Original” or “Show headers” or something similar.

Here’s a rather lengthy example:

Delivered-To: ********@gmail.com

Received: by 2002:a2e:3e0c:0:0:0:0:0 with SMTP id l12csp752208lja;

Sun, 28 May 2023 10:44:56 -0700 (PDT)

X-Google-Smtp-Source: ACHHUZ54blmJD8AQENwkYNHp33YnOyRQNQwVl8ZBExeKdc+EPqr9SRF3c2bObVySjxshz/Fvijqae7a3vS8=

X-Received: by 2002:a50:d0cc:0:b0:514:8e05:8b31 with SMTP id g12-20020a50d0cc000000b005148e058b31mr1747632edf.1.1685295894999;

Sun, 28 May 2023 10:44:54 -0700 (PDT)

Authentication-Results: mx.google.com;

spf=pass (google.com: domain of lnotenboom@hotmail.com designates 40.92.23.30 as permitted sender) smtp.mailfrom=lnotenboom@hotmail.com;

dkim=pass header.i=@hotmail.com header.s=selector1 header.b=rqvwjPBG

Received-SPF: pass (google.com: domain of lnotenboom@hotmail.com designates 40.92.23.30 as permitted sender) client-ip=40.92.23.30;

Received: by 2002:a05:6402:2883:b0:514:9bd6:ceb0 with POP3 id eg3-20020a056402288300b005149bd6ceb0mf2877206edb.1;

Sun, 28 May 2023 10:44:54 -0700 (PDT)

X-Gmail-Fetch-Info: leo@pugetsoundsoftware.com 8 mail.pugetsoundsoftware.com 995 leo@pugetsoundsoftware.com

Return-Path: <lnotenboom@hotmail.com>

X-Original-To: leo@pugetsoundsoftware.com

Delivered-To: leo-pugetsoundsoftware.com@ec21.pugetsoundsoftware.com

Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12olkn2030.outbound.protection.outlook.com [40.92.23.30]) by ip-172-31-17-218.us-west-2.compute.internal (Postfix) with ESMTPS id 110B43EDA7 for <leo@pugetsoundsoftware.com>; Sun, 28 May 2023 10:44:31 -0700 (PDT)

Authentication-Results: ip-172-31-17-218.us-west-2.compute.internal; dkim=pass (2048-bit key; unprotected) header.d=hotmail.com header.i=@hotmail.com header.a=rsa-sha256 header.s=selector1 header.b=rqvwjPBG; dkim-atps=neutral

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nMpyQYEpO8XO662sHkSehsUO6bGLK5ayE+QlmBDkRgg4WaJt4erHl9ncGXfHn8bu5w0LLrQopczGi34GzJ8jIduOCnDzZ65471C4dXnWxTiXNrCleKv5QZwE+TRO2+Zbhx/x0XgOgYQT7JctNJo/9jD5PHRyUxu7r2bDuegg88Q1YO/1ADIxqUmxtRq8LhXo1SaQokF1pG0aagfHZd/th6rBk1RQPWf7GGk5Ff69GFp3Wp+BY16usQNcaZJ0DQqaNJxLZ05jNIIe3jc/b8DNWzyCNVZrYXuupTZej7t2rsSpKcFDWmeUXaIn7KHhI8MJwXPoDFWPVgOmJyzRidYIHQ==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+Lh76dB/N6CxzAWlwUtgFiqBtyHhR4SRmOHu5IjfHRc=; b=WjDLpWOLqfggv/2SQ1kE8874i+9SMYQ/MEpCgqopqbmCbe/xGHDitwYUjkKI74ivyr2vMo58oY8OwN4fFnX3rSIqHsDinbIyAJBbowWr/scUGxNFx2OsCvQJGIm2muWCsBzZns+rgMoWp/vNMLe32FOmroqQ415EQ+85k4e/ecetVZnBYprt9haRu3VWoaMi5suKp4uTHmeRXAHaFRFC2PF5VT6IYkQ8cxZcAkE846BWfZTkQ8JgMMzw3SoATg3s+Gy5Y/PUpV3p3GSDGVRn4k7VCkimTvyvKOegp3fhH5QRIyncwasuuJ2NE3Agbuz34yweL+d4s1wInUFk4Fqj0w==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+Lh76dB/N6CxzAWlwUtgFiqBtyHhR4SRmOHu5IjfHRc=; b=rqvwjPBGkdNEvPb6tAotTTGhaYdiMX7h8fDAoqdW85GTtv3qVOGVGjX77Dwg2NA5hDXrQMg74I16cs0tcgQmLWDXAawh8Yx+Bs5Igs78T/DDL9RhXVyD61MbeX+G/3+uuxg+Xa4Ivj+kSLquUfq1jUvKDd3GccL+H5um0T7kVVjQcsIeSBMSl3SyEH9sJJKF6lpoF6X0TMubBJavAExEuiMx9kVOTHUOESSXGMPXg7I9YXCMAds8NF1gHMPxnKRbjEgjehwkYZsW6TbE8plW0ZllUfgZHIFR/7qAXFEvV6ysw5KErrxKQmyN1ET4xGIJjOc97LQawSv9K7hMc6zoWA==

Received: from MW4PR19MB7031.namprd19.prod.outlook.com (2603:10b6:303:228::16) by SJ0PR19MB6678.namprd19.prod.outlook.com (2603:10b6:a03:44f::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6455.12; Sun, 28 May 2023 17:44:29 +0000

Received: from MW4PR19MB7031.namprd19.prod.outlook.com ([fe80::9f2a:c282:3c86:681d]) by MW4PR19MB7031.namprd19.prod.outlook.com ([fe80::9f2a:c282:3c86:681d%4]) with mapi id 15.20.6455.012; Sun, 28 May 2023 17:44:29 +0000

From: Leo Notenboom <lnotenboom@hotmail.com>

To: “leo@pugetsoundsoftware.com” <leo@pugetsoundsoftware.com>

Subject: This is the subject line of the email.

Thread-Topic: This is the subject line of the email.

Thread-Index: AQHZkYwI0wxJiQ9egkeTpacLL/Q7LA==

Date: Sun, 28 May 2023 17:44:29 +0000

Message-ID: <MW4PR19MB70311D8A4C956B9341595652D2459@MW4PR19MB7031.namprd19.prod.outlook.com>

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

msip_labels:

x-ms-exchange-messagesentrepresentingtype: 1

x-tmn: [45zwzglZHWlrONuqhfOJVC+BHfwdOnYG]

x-ms-publictraffictype: Email

x-ms-traffictypediagnostic: MW4PR19MB7031:EE_|SJ0PR19MB6678:EE_

x-ms-office365-filtering-correlation-id: cc519a00-8b95-4404-b143-08db5fa33053

x-microsoft-antispam: BCL:0;

x-microsoft-antispam-message-info: Glpl3bwWCdU2LoFKHH+wAZ5ANc5tCoVIGiJfD5P1xojHc5cEe+nO6awNXxNR9v3oj6vMSwnvUjf3VcSr7Zgc0IIFZaw4n6nothQ9NYvfL04WhSrmODB3ajRJNl7lF+xERXyBUpQ7SUbEydi2LMTF93HVEsN6SOFConfI/tARzdHuaVkqz6hxW96+Uo3BsQF1p8wcnOrjIrA+8vaKWbYZiYaqyE+/az7lNw8ddy0ByRrSylx8S6XaoI1sBhrJAatq8TitgG9diMsdnU93UC3tfVCJnkvGpBxxQTMVKvgIgOKuEMcwKJks7Lncn7XM0tpQ1H4zui0WP8CL3RiLO9iO0aVJzAn1qD9ZwnFlx+PK2G4d2HK6TRt2PR8LJdSd85VyzGaARfSCHTobHHAcWuYvnXfzhnR5XyJRGm21wc/Y/CbKiwIabffqLNCnW8meiVH4Bz2UZ3fnBkfDU3ejbp9tkrR4A0C7/Z02949kb4PMu6ossWprM1OvjqLjcqBjND6Djrn4QnFEJZptRzLtgXxozexft4rRiQWbezpz27Kz35/0eG+H0Kx0L8X9eQmqvjRNlFM2e9MyGXZRs4cn5SCtzCFSZwuhffAzyC/mYVZhl5E=

x-ms-exchange-antispam-messagedata-chunkcount: 1

x-ms-exchange-antispam-messagedata-0: 7Y9mlcHFcH7x/fiTq/lF9TM6ciVmyxqotiyLtc4pDkaGBvikpP95W0qvwZPgct5NU+Ft1i7npFHo1+pwv+RKdYJtmBFj3mBLHlSNSfFWLzf/q+wEmVV1Om7XYMHOta4OFyJUyBvJXj5U2WNzed0yK8c7QOHNRBbas1uLbPf1SEUQOnlciFiHmrEy/t3VnW9kN0ou5S7WkLC7NFwwSf+cT34IKg4t1xiMys8D9p0r1N55S/DfDgYR4OLkMPfHIuEKgyaj/J48EO19uWoW1xdOCcXPLksJsTz0+1VZ3cNlOI1r702YHR7g7JozrEaHPBk+ECYfOm2rG1j+iFjK0s7CvpYLxvUeguV+Suqx62/Yy1rE52pUYWp0PxJkHMUdyLjgEQriD5i6LBgQjqS1i1a/RW6WawZmebNhvqCRXzNzJIKYSCpvQ2jrOVuGgh5CMR+Tl0GQy5CfrptY9UrnS0o5gYHVJTDqMLE0IGqzVtPbrhZZgwg7+xf0TFJRExCNL+fNmvkkeks9fFJ3uL3f1eaOtWJTrSFaR/QopQWLz/5A1daJt/k+/vZUxxZp5+5H8r8FU1psFLvi16opFmZxVn8bmAQE0POZUpHmxolI4L1fSwmjgoxfdJuE5FHk9Ka8yKHf4SUVAma1xnKNKhynQaz1Ubh9XIMO2u4Cp4MmwE16eLPD1iza2Usi5qqUl5JXFEAO4Q8rbrLabN7myUa8TbX5Wtk4VmKRzZqsJ+41yny/wFkyuoL8uSn1jk5xLQFuEPP2fGu9R034iPhcHUgTV4VTl4+1Oxffykkiq4eLjP6xstmuJLl7gr+YNBrXHuBP3nWJDHDj0vHgEVhFAwfnNt2EtJMnnvCHJi8uhaqevtSg+mR2rsLC+FkOrHbvPOlonT5irp97InOsHsxfZIWN0HBSUN5JWlS579V5i77HEOlYVNwNEOO00YrqRxJRlIpXaguHBglr+7eXXmwqK74rV+c7H1ilhooMRqaMd+boaxyDuFAK99PWTIhlU9YnxShuPMZTwH1j/tY8nfetq8UMJrGll1+eRoU6DWRRzs8APTRAj5uPAUPjRR5vO+9pqyIXnn2J4TruDuY1dEcPDTKTuVgjb9PcOPlpb13+P7XyKCkD//f4PYknin68KyOzP4t5uBa8jAXN4Msl+MayeXxASc/MC90kd8ZPc45E5xGx8VQpL4Rn1btU7lEaiW9sXIKHKO0jbgT/btBpE5Jb7ZQGsNK37A==

Content-Type: multipart/alternative; boundary=”_000_MW4PR19MB70311D8A4C956B9341595652D2459MW4PR19MB7031namp_”

MIME-Version: 1.0

X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-e7757.templateTenant

X-MS-Exchange-CrossTenant-AuthAs: Internal

X-MS-Exchange-CrossTenant-AuthSource: MW4PR19MB7031.namprd19.prod.outlook.com

X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-CrossTenant-Network-Message-Id: cc519a00-8b95-4404-b143-08db5fa33053

X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2023 17:44:29.7764 (UTC)

X-MS-Exchange-CrossTenant-fromentityheader: Hosted

X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR19MB6678

Now yours may look a lot different. It may be longer or shorter, or have additional information, or less. But the basic idea is that there’s a lot of information in the headers that has to do with the administration of getting the email from the sender to the receiver.

Some Individual headers

A detailed reference is much more than I can present here, and quite honestly, probably more than you need. But let’s examine the headers above a little more closely, since it’s a good example of a “normal” email message. They are from a message I sent to my regular email account from my Hotmail account.

A good rule of thumb is to begin at the bottom and work your way up in the headers. That’ll make more sense in just a minute.

Note that headers that begin with “X-” are “non standard”, and may not be used by all mailers, and might even mean different things to different mailers. They’re often just informational.

Highlighting just a few of the headers, working from the bottom:

  • X-MS-Exchange-: The message was sent from my Hotmail account, which is processed by Microsoft using the Exchange email server. These headers are a number of items added by Exchange to the message. The most interseting might be X-MS-Exchange-CrossTenant-originalarrivaltime, the time the message was submitted to Hotmail … in other words, the time I pressed “Send”. In this example the date/time is 28 May 2023 17:44:29.7764 (UTC). The “(UTC)” means that the time is recorded as “Universal Time Coordinated”, sometimes thought of as Greenwich Mean Time or GMT. Since I’m in the Pacific time zone, and daylight savings time is in effect, that means I sent it at roughly 10:44 AM PDT.
  • Content-Type: is how the mailers tell each other what the format of the mail is: plain text, as this example is, or HTML, or something else.
  • Mime-Version: “Mime” stands for Multipurpose Internet Mail Extensions, and is the formatting protocol most  often used to encode attachments and alternate representations in a single email. In this example the type is “multipart/alternative”, meaning that the message may be included more than once, typically once in HTML format, and once again in plain text.
  • Date: This is the more common place you’ll find the date and time that the message was sent. This is added by the sending mailer or email program, and is commonly used by your email client as the “Sent Date”. Interestingly, it need not be accurate. Note that the time zone is specified as an offset (+0000 hours) from UTC. You can use this to calculate the time in the local zone.
  • Subject: As you’d expect, the subject of the email as you typed it.
  • To: Again, as you’d expect, the list of recipient email addresses that this message is addressed to. What most people don’t realize is that the To: line doesn’t define who the email actually goes to, but rather simply lists who the mailer claims it’s to go to. Spammers, for example, can easily create a mail message that has bogus addresses in the To: line, and then send the mail to someone else entirely. That’s known as “spoofing“.
  • From: Just like To:, the “From:” address shows you from whom the mail was supposedly sent. And also like “To:”, it’s very easy for the spammers and virus writers to spoof the From: address to be pretty much anything they want.
  • Received: Herein lies the gold. I’ll get into more detail on that below.
  • Delivered-To: is added by the receiving mail server when it finally delivers the email to a specific email alias or mailbox.
  • Return-Path: is the address that the email, if it fails to be delivered, should be bounced back to.
  • Authentication-Results: and Received-SPF: are headers added that relate to spam detection. DKIM (mentioned within the first) and SPF are two approaches to confirming that the message is being sent by servers authorized to send from the source email address, and that the message has not been tampered with.
  • Delivered-To: In my case I manage my leo@pugetsoundsoftware.com email (the To: address) using a Gmail account, and this logs which account is being used.

Received:

The series of “Received” headers are the trail that tells us from where the message was sent, and along what path or series of servers it  traveled across the internet. And this is why we started at the bottom, as each mail server adds a received header to the top.

The first “Received” header is:

Received: from MW4PR19MB7031.namprd19.prod.outlook.com ([fe80::9f2a:c282:3c86:681d]) by MW4PR19MB7031.namprd19.prod.outlook.com ([fe80::9f2a:c282:3c86:681d%4]) with mapi id 15.20.6455.012; Sun, 28 May 2023 17:44:29 +0000

Or, in something closer English, the email was “Received”:

  • From a server namedMW4PR19MB7031.namprd19.prod.outlook.com
  • At the IP(v6) address: fe80::9f2a:c282:3c86:681d
  • By a server named MW4PR19MB7031.namprd19.prod.outlook.com
  • At the IP(v6) address: fe80::9f2a:c282:3c86:681d
  • With mapi id 15.20.6455.012
  • At the UTC date/time: Sun, 28 May 2023 17:44:29

Some interesting things to note:

  • It was sent from and received by the same server. It’s not that uncommon for email servers to do this for a variety of reasons.
  • The servers don’t list a IPv4 address.
  • “MAPI” is Messaging Application Programming Interface, which is a mail API used within some Microsoft email programs and servers.
  • It was sent at Sun, 28 May 2023 17:44:29, or, in my local time zone, 10:44:29 AM.

Immediately above that is another “Received” line (showing only the relevant portions of the lines):

  • from MW4PR19MB7031.namprd19.prod.outlook.com
  • by SJ0PR19MB6678.namprd19.prod.outlook.com
  • with Microsoft SMTP Server
  • at Sun, 28 May 2023 17:44:29 +0000

This is a different email server, fractions of a second later. Of note in this Received line is that it includes the software used: Microsoft SMTP Server.

Six lines above that, another “Received” line:

  • from NAM12-MW2-obe.outbound.protection.outlook.com
  • by ip-172-31-17-218.us-west-2.compute.internal
  • at Sun, 28 May 2023 10:44:31 -0700 (PDT)

This represents the transmission of the message from the Microsoft outgoing mail server, to my server, two seconds later. This line also includes additional information: different email server software running on my server (Postfix), and the email address for which the message is destined (leo@pugetsoundsoftware.com).

Six lines above that we find a received line that doesn’t include a “from”, only the server actually receiving the message:

  • Received: by 2002:a05:6402:2883:b0:514:9bd6:ceb0
  • with POP3
  • at Sun, 28 May 2023 10:44:54 -0700 (PDT)

Note that it indicates the protocol used: POP3. I have my Gmail account configured to fetch email from my server. Also note that this happened a full 10 seconds after the prior Received. This means the message sat on my server for that amount of time prior to being picked up by Gmail.

By now you can see that Received lines are somewhat consistent, but also vary a great deal. They all include the “by” server and a date/time stamp, most include a “from” server, but they can include additional information as well.

Received in spam

Now lets look at the headers of some SPAM I recently received:

Delivered-To: ********@gmail.com

Received: by 2002:a2e:3e0c:0:0:0:0:0 with SMTP id l12csp802812lja;

Sun, 28 May 2023 14:03:57 -0700 (PDT)

X-Google-Smtp-Source: ACHHUZ4dWy4F8CcN8M6MzHK/cpMVhEiK2rCImNs+OUUFwioak6TMspw8W0GRdRXhRMAk3brfYIeNV+LiTxg=

X-Received: by 2002:a50:c054:0:b0:50b:c79d:5201 with SMTP id u20-20020a50c054000000b0050bc79d5201mr2698809edd.6.1685307834268;

Sun, 28 May 2023 14:03:54 -0700 (PDT)

Authentication-Results: mx.google.com;

spf=neutral (google.com: 5.105.94.40 is neither permitted nor denied by best guess record for domain of unitedairlinesopinionrequested@********.live)

smtp.mailfrom=UnitedAirlinesOpinionRequested@********.live

Received-SPF: neutral (google.com: 5.105.94.40 is neither permitted nor denied by best guess record for domain of unitedairlinesopinionrequested@********.live) client-ip=5.105.94.40;

Received: by 2002:a05:6402:2883:b0:514:9bd6:ceb0 with POP3 id eg3-20020a056402288300b005149bd6ceb0mf3447868edb.1;

Sun, 28 May 2023 14:03:54 -0700 (PDT)

X-Gmail-Fetch-Info: leo@pugetsoundsoftware.com 8 mail.pugetsoundsoftware.com 995 leo@pugetsoundsoftware.com

Return-Path: <UnitedAirlinesOpinionRequested@********.live>

X-Original-To: leo@pugetsoundsoftware.com

Delivered-To: leo-pugetsoundsoftware.com@ec21.pugetsoundsoftware.com

Received: from 0029f27a.********.live (unknown [5.105.94.40]) by ip-172-31-17-218.us-west-2.compute.internal (Postfix) with ESMTP id 7152B3EAAB for <leo@pugetsoundsoftware.com>;

Sun, 28 May 2023 14:02:41 -0700 (PDT)

Received: from 0029f27a.xa9i22izk.********.live ([127.0.0.1]:35729 helo=xa9i22izk.********.live) by xa9i22izk.********.live with ESMTP id 00BMJO29F2MOLY7A; for

<leo@pugetsoundsoftware.com>; Sun, 28 May 2023 14:02:39 -0700

Date: Sun, 28 May 2023 14:02:39 -0700

Message-ID: <31729385271732131729233621471031516000@xa9i22izk.********.live>

To: <leo@pugetsoundsoftware.com>

From: United Airlines Opinion Requested <UnitedAirlinesOpinionRequested@********.live>

Subject: Congratulations! You can get a $50 United Airlines gift card!

Content-Language: en-us

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Content-Type: multipart/alternative; boundary=”—-=Part.940.8142.1685307759″

[Note: every instance of “********” is something I changed to either maintain my own privacy, or to avoid giving spammers, or a compromised account, any visibility.]

A couple of interesting things about these headers:

  • The source domain, “********.live”, is clearly and completely unrelated to the subject line referencing United Airlines.
  • The source domain is registered at GoDaddy, but the contact information is hidden.
  • The first Received line (starting from the bottom), is an internal server to same server transfer.
  • The IP address of the source of the email in the second Received line, 5.105.94.40, is hosted in the Ukraine.
  • Received-SPF: neutral isn’t necessarily bad, but it’s also not necessarily good.

So what to make of it all? It is possible that the originating computer hosted in Ukraine, is, in fact, sending out spam on purpose. It’s also possible that this machine has been infected with a virus, and is sending out spam without realizing it. There’s even a possibility that one of these headers has been spoofed (it’s unlikely in the case above, but it is possible).

That the source domain and the topic of the spam don’t match is a red flag, as is the fact that email “from” an email address supposedly registered in the US is coming from a server in the Ukraine.

Do this

While the information in email headers can be interesting, it’s rarely something that will help you track down the true source of spam or other messages intentionally hiding their source. I tend to think of it as “for entertainment purposes only”. Smile

That being said, I do find them occasionally useful to determine where an email might have been delayed. If the timestamps between two “Received” headers differs by a significant amount in indicates the email spent that time waiting on the first before being sent to the second. It doesn’t tell you why, but it at least tells you where.

Want another good source of information? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

1 thought on “How Can I Trace Where Email Came From?”

  1. I read your article and it was very helpful in my understanding. Do you offer help to anyone seeking to understand the header of an abusive email, and in giving advice as to how to proceed with law enforcement or take a legal route?

    Thanks.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.