A Practical Approach of Phishing Detection Using Email Header

Azhar Ghafoor
4 min readApr 26, 2022


What is phishing?

One of the most common attack vectors used by cybercriminals is phishing emails. They might be used to deliver a malicious payload or steal account information from their target. It happens when an attacker poses as a reliable source and convinces the victim to engage with a spoofed email, instant chat, or text message. As a result of clicking a malicious link, malware could be installed, the victim’s computer could be frozen as part of a ransomware attack, or the recipient could (unknowingly) send his private data stored on his computer to the hacker.

Phishing: attacker sends a disguised email to a victim, and the victim easily becomes a victim

Spear phishing emails are meant to be more precise and credible to their potential victims. A phisher increases their chances of success by developing a highly tailored justification for their target. A phishing email, on the other hand, must seem trustworthy in order to be taken seriously. Choosing the appropriate tone for the pretext is a key aspect of creating a phishing email. Another part of a successful spear phishing attack is making the email seem to be from a reliable source, and here the header comes into play, playing a vital role in making the assault successful.

Email Header

Among the most important elements of an email, the “body” is the first part that always shows up because it is comprised of the content the sender wants to share with anyone on the internet, and the second one is the “header,” which is the most difficult yet interesting part and directly related to this post. The below picture shows a portion of the email’s headers. It contains information on the email’s path to its recipient as well as the results of authentication checks. Examining these headers may aid in the detection of fraudulent emails.

How to check for header information in Outlook

Majority of header elements are optional and typically hidden from email users, some are required to be added and are visible, such as the Date, To, and From fields. Given the significance of the header, I shall now delve into the subject at hand. In figure given below I have added header element I am interested in with brief explanation.

How to detect phishing emails using header information ?

Email headers may be used to detect phishing emails since they provide a wealth of information. Understanding the function and purpose of other header information is required for effective use. Mismatched addresses, an unusual route between sender and receiver, and usage of an inaccurate message id are all indications of an email being a phishing scam. In the coming sections, I will discuss different header identifiers that we can use to detect phishing attacks.

X-Mailer & Z-AuthUser:

This information is retrieved from the header and makes it crystal clear if the email is a phishing attempt or a genuine message. In this instance, X-Mailer informs us about the original sender of the email, which in our instance is not the corporation (XYZ), but Gophish, which is often used to send spoofed emails in environments where email servers lack security measures to detect spoofed or changed emails. The X-AuthUser attribute also gives the original email address of the person who is sending the emails and trying to do bad things.

DKIM and SPF Verification:

Using both protocols, email spoofing may be avoided in a number of ways. DKIM provides keys to authenticate the sender, and an SPF record gives an authorized list of domains that may send email on behalf of a certain domain. In other words, mailbox providers may not be able to send or receive emails from your brand if they come from a non-SPF-compliant domain.

A server’s legitimacy as a genuine sender is verified using the SPF criteria it uses to produce emails. To discover whether the email passed or failed the SPF test, check the ‘Received SPF’ field in the email header. It also shows an IP address and whether or not that IP address has been identified as an acceptable sender in this section. So, from the image above, we can clearly see that it states, “the domain of the company does not designate IP as a permitted sender.” It means this is a phishing email posing as one from a legitimate user.


Email headers provide a wealth of information about the sender as well as the route the email took between the sender and the recipient. This information can be used to look for anything that doesn’t seem right, like bogus content or phishing attacks.

Installing an internal email server and configuring SPF and DKIM may help avoid domain spoofing. To protect against spoofing efforts, many email providers may be configured to identify emails from untrustworthy addresses or emails with mismatched From and X-AuthUser headers. In part two, I will present a practical demonstration of how we can detect phishing emails using email header information.



Azhar Ghafoor

Cybersecurity Researcher | Ethical Hacking | Data Analyst