How to check out email headers

Did you receive a suspicious email 'from KVK'? Send it to valse-email@kvk.nl. You can also check the email yourself by viewing the email header. Find out how to do that below.

Where can I find the email header?

Open the email in Outlook and go to File -> Properties (or Bestand -> Eigenschappen) in the top left corner. 

Do you use a different email programme? Use Google Search to find out how to find the email headers in your software. 

How do you read the headers?

Go to MxToolbox:

https://mxtoolbox.com/EmailHeaders.aspx

Copy all the text under Internet headers (in the properties of your email message), paste it into MxToolbox and click Analyze Header.

This will present the email headers in an easy-to-read overview.

How do you tell a real email from a fake one? 

If you do this exercise with a real email and a fake one, you will spot several differences. 

FLAG 1

  • First of all, the Delivery Information. It looks much neater and tidier in the real email than in the fake one.

Note: In this case, KVK does not pass the DKIM Authenticated check, due to a hash issue. DMARC Compliant and SPF are more important, and both pass. KVK also has DKIM Alignment; the fake email does not.

FLAG 2

  • Relay Information tells you where the email was sent from. The real email comes from a KVK mail server: kvk-maildns1.kvk.nl. The fake email was sent from horizon.websitewelcome.com.

Notice that websitewelcome.com is blacklisted (the red x on the right). The KVK mail server is not.

FLAG 3

  • The SPF is Flag number 3. The fake email fails on this count. 

What this means is: the domain websitewelcome.com is not on the KVK's SPF list. Nor is the IP address 91.90.124.19. Therefore, these domains and IP addresses are not allowed to send emails using @kvk.nl. A good email programme will spot this at once and place the fake email in the spam folder.  

FLAG 4

  • Flag 4 is the so-called 'helo'. The helo tells an email server from which domain someone wants to send an email. See https://www.computerhope.com/jargon/h/helo.htm. If you look at the fake email, under Authentication Results it says:

Authentication-Results s3; spf=neutral (sender IP is 192.185.149.62) smtp.mailfrom=noreply@kvk.nl smtp.helo=gateway34.websitewelcome.com

This means: I am emailing with the email address noreply@kvk.nl, but I am from the mail server gateway34.websitewelcome.com.

The real email says: 

Received-SPF Pass (protection.outlook.com: domain of kvk.nl designates 176.117.57.201 as permitted sender) receiver=protection.outlook.com; client-ip=176.117.57.201; helo=kvk-maildns1.kvk.nl;

In other words: I am emailing from the email address noreply@kvk.nl, and from the mail server kvk-maildns1.kvk.nl. Also, I am a permitted sender and authorised to mail from this email domain (kvk.nl). The fake email does not say this.
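The two checks described under Flag 3 and Flag 4 (the SPF verdict, and whether the helo host belongs to the sender's domain) can also be done without MxToolbox. The script below is an added example, not KVK's or MxToolbox's code; the two messages are constructed around the header lines quoted above, and the domain comparison uses a simple last-two-labels rule rather than a public-suffix list.

```python
"""Triage an email's SPF verdict and helo/sender mismatch from its raw headers."""
import re
from email import message_from_string

# Constructed sample messages; the authentication lines are the two quoted in the text.
FAKE = """From: noreply@kvk.nl
Subject: constructed sample
Authentication-Results: s3; spf=neutral (sender IP is 192.185.149.62) smtp.mailfrom=noreply@kvk.nl smtp.helo=gateway34.websitewelcome.com

body
"""
REAL = """From: noreply@kvk.nl
Subject: constructed sample
Received-SPF: Pass (protection.outlook.com: domain of kvk.nl designates 176.117.57.201 as permitted sender) receiver=protection.outlook.com; client-ip=176.117.57.201; helo=kvk-maildns1.kvk.nl;

body
"""

def spf_result(msg):
    """Lowercase SPF verdict ('pass', 'neutral', 'fail', ...) from either header, or None."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if m:
        return m.group(1).lower()
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else None

def helo_domain(msg):
    """The helo host name announced by the sending server, or None if absent."""
    text = msg.get("Authentication-Results", "") + " " + msg.get("Received-SPF", "")
    m = re.search(r"\b(?:smtp\.)?helo=([\w.-]+)", text)
    return m.group(1).lower() if m else None

def registrable(host):
    """Assumption for this example: compare only the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def triage(raw):
    """Return a list of red flags; an empty list means both checks look clean."""
    msg = message_from_string(raw)
    from_dom = msg["From"].rsplit("@", 1)[-1].strip(">").lower()
    flags = []
    spf = spf_result(msg)
    if spf != "pass":                      # Flag 3: SPF did not pass
        flags.append(f"spf={spf}")
    helo = helo_domain(msg)
    if helo and registrable(helo) != registrable(from_dom):   # Flag 4: foreign helo host
        flags.append(f"helo {helo} does not belong to {from_dom}")
    return flags

if __name__ == "__main__":
    print("fake:", triage(FAKE))   # two flags
    print("real:", triage(REAL))   # []
```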

These pointers can help you find out if an email was really sent from the email address mentioned, or is likely to be a spoofing mail. 

In short: Check the headers in MxToolbox, and pay attention to the DMARC and SPF authentications. That usually tells you enough.