analyzing-phishing-email-headers
Analyzing Phishing Email Headers
Overview
Email headers contain critical metadata that reveals the true origin, routing path, and authentication status of emails. Analyzing these headers is a foundational skill for identifying phishing attempts, verifying sender authenticity, and gathering threat intelligence. This skill covers systematic extraction and interpretation of email headers using both manual techniques and automated tools.
Prerequisites
- Basic understanding of SMTP protocol and email delivery
- Familiarity with DNS records (MX, TXT, SPF, DKIM, DMARC)
- Python 3.8+ installed
- Access to email client that can export raw headers (Outlook, Gmail, Thunderbird)
Key Concepts
Critical Header Fields
- Received: Chain of mail servers the message passed through (read bottom to top)
- From / Return-Path / Reply-To: Sender identity fields (often spoofed)
- Authentication-Results: SPF, DKIM, DMARC verification outcomes
- X-Originating-IP: Original sender IP address
- Message-ID: Unique identifier; anomalies indicate spoofing
- X-Mailer / User-Agent: Email client used to compose the message
More from mukul975/anthropic-cybersecurity-skills
acquiring-disk-image-with-dd-and-dcfldd
Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
119analyzing-api-gateway-access-logs
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
103analyzing-android-malware-with-apktool
Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
99analyzing-cyber-kill-chain
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
90analyzing-email-headers-for-phishing-investigation
Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
83analyzing-active-directory-acl-abuse
Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
83