Verify the Sender of an Email Message with MXToolBox
Objectives
By the end of this guide, you should be able to:
- Explain what an email header is and how it can be used to trace the origin and route of an email message.
- Identify the key components of an email header, such as the sender, recipient, subject, date, and authentication results.
- Use MXToolBox, a free online tool, to analyze the email header and check the sender’s reputation, domain, and IP address.
- Understand what DMARC is and how it can help protect you from spoofing and phishing attacks.
- Verify the DMARC information of an email message and interpret the results.
What is an Email Header?
An email header is a section of metadata that contains information about the sender, recipient, subject, date, and other details of an email message. It also includes the technical details of how the message was transmitted: each mail server that handles the message prepends a Received line naming the server it got the message from, the connecting IP address, the protocol, and the time, and the final receiving server records its SPF, DKIM, and DMARC checks in an Authentication-Results line. These server-added lines are what let you trace the origin and route of a message and check whether the sender’s domain authorized it. The lines the sender writes (From, Subject, Date) can say whatever the sender wants, which is exactly what spoofing exploits.
How to Access the Email Header in Outlook
To access the email header in Outlook, follow these steps:
- Open the email message that you want to analyze.
- Click on the File tab and select Properties.
- In the Properties dialog box, you will see the Internet headers section at the bottom. This is where the email header is located.
- You can copy the entire email header by clicking inside the headers box, pressing Ctrl+A to select all, then Ctrl+C to copy (or right-click and select Copy).
How to Analyze the Email Header Using MXToolBox
To analyze the email header using MXToolBox, follow these steps:
- Open a web browser and go to https://mxtoolbox.com/, a free online tool that provides various email and network diagnostics.
- Click on the Analyze Headers tab at the top of the page.
- Paste the email header that you copied from Outlook into the text box and click Analyze Header.
You will see a report that shows the summary and details of the email header analysis. Keep in mind that MXToolBox only parses the text you pasted: the Received lines and authentication results in it were written by the mail servers that handled the message, not by MXToolBox, and anything the sender controls (From, Subject, Date, and any Received lines the sender added before the first trusted relay) can be forged. The report includes:
- The sender’s address and domain, the recipient’s address, and the subject, date, and Message-ID of the message.
- The relay path: each hop from the Received lines in delivery order, with the sending and receiving server names, the connecting IP address, the protocol (SMTP, ESMTP, ESMTPS, and so on), and the delay between hops. The first hop recorded by a relay you trust is the best evidence of where the message actually came from.
- The authentication results (SPF, DKIM, and DMARC) recorded by your receiving server, showing whether the message passed or failed each check and which domains were checked.
- Reputation and blacklist lookups on the relaying IP addresses, showing whether any DNS-based blocklist currently flags them as a source of spam or malicious mail, with links to further lookups (DNS, SPF, DKIM, and DMARC records) on the sender’s domain and IP.
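The parsing the report performs is easy to reproduce yourself, which is useful when you want to check a header offline or inside a ticketing script. The following is an added example (not MXToolBox code): it walks the Received lines in delivery order, computes the delay between hops, picks the originating IP, and reads the spf=, dkim= and dmarc= clauses out of Authentication-Results. The header it parses is constructed for the example and is not a real message.

```python
"""Parse a raw Internet header block the way the MXToolBox report does:
list the Received hops in delivery order with the delay between them,
pick out the originating IP, and read the SPF/DKIM/DMARC results from
Authentication-Results. Added example; the header below is constructed
and is not a real message."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: two relays, all three checks pass. Received lines
# are listed newest-first, as in a real header (each server prepends its own).
SAMPLE_HEADER = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
 by inbound.example.com with ESMTPS id abc123;
 Tue, 5 Mar 2024 10:15:32 +0000
Received: from [192.0.2.25] (client.example.net [192.0.2.25])
 by mx1.example.net with ESMTPSA id xyz789;
 Tue, 5 Mar 2024 10:15:30 +0000
Authentication-Results: inbound.example.com;
 spf=pass smtp.mailfrom=bounce.example.net;
 dkim=pass header.d=example.net header.s=sel1;
 dmarc=pass header.from=example.net
From: Alice <alice@example.net>
To: bob@example.com
Subject: Quarterly report
Date: Tue, 5 Mar 2024 10:15:29 +0000
Message-ID: <a1b2c3@example.net>

"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value: str) -> str:
    """Collapse folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value).strip()


def received_hops(raw_header: str) -> list:
    """Hops in transit order (first relay first). Each hop records the
    'from' host, the bracketed connecting IP, the 'by' host and the
    timestamp that follows the final ';'."""
    msg = message_from_string(raw_header)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = _unfold(value)
        m_from = re.search(r"\bfrom (\S+)", value)
        m_by = re.search(r"\bby (\S+)", value)
        m_ip = IPV4_IN_BRACKETS.search(value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def hop_delays(raw_header: str) -> list:
    """Seconds between consecutive hops (None where a timestamp is missing).
    A large delay at one hop usually means queuing or greylisting there."""
    hops = received_hops(raw_header)
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            delays.append(int((cur["time"] - prev["time"]).total_seconds()))
        else:
            delays.append(None)
    return delays


def originating_ip(raw_header: str) -> Optional[str]:
    """Connecting IP of the earliest hop that recorded one. Only hops written
    by servers you trust are reliable: a sender can prepend fake Received
    lines, and those appear *below* the first trusted relay's line."""
    for hop in received_hops(raw_header):
        if hop["ip"]:
            return hop["ip"]
    return None


def auth_results(raw_header: str) -> dict:
    """Map each method (spf, dkim, dmarc) to its result and properties from the
    first Authentication-Results header, i.e. the one your own receiver added.
    RFC 8601 section 5 requires a receiver to remove incoming copies that claim
    its own authserv-id, otherwise a sender could inject a fake 'dmarc=pass'."""
    msg = message_from_string(raw_header)
    values = msg.get_all("Authentication-Results", [])
    if not values:
        return {}
    authserv_id, _, rest = _unfold(values[0]).partition(";")
    results = {"authserv-id": authserv_id.strip()}
    for clause in rest.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_HEADER), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print("delays:", hop_delays(SAMPLE_HEADER))
    print("origin:", originating_ip(SAMPLE_HEADER))
    print("auth:", auth_results(SAMPLE_HEADER))
```

Paste a real header into SAMPLE_HEADER (or read it from a file) and the same functions apply. The one judgement the script cannot make for you is where the trusted part of the Received chain starts: everything below the line your own mail server wrote was supplied by the outside world.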
What is DMARC and How Does it Work?
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps protect email users from spoofing and phishing attacks. Spoofing is when a sender pretends to be someone else by using a forged email address or domain. Phishing is when a sender tries to trick the recipient into clicking on a malicious link or providing sensitive information, such as passwords or credit card numbers.
DMARC works by allowing the domain owner to publish a policy (a TXT record at _dmarc.<domain>) that specifies how the receiving server should handle messages that fail the authentication checks. The policy can instruct the receiver to reject, quarantine, or accept (monitor only) such messages, and to send aggregate and failure reports back to the domain owner. The policy also defines the alignment mode, which is how strictly the receiver compares the domain in the From header with the domain SPF checked (the envelope MAIL FROM domain) and the domain DKIM signed for (the d= tag of the signature). Alignment can be either relaxed or strict.
How to Verify the DMARC Information of an Email Message
To verify the DMARC information of an email message, you can use the email header analysis report from MXToolBox. The report reads the dmarc= result from the Authentication-Results header that your receiving server added (the same value you can see by reading the header yourself). The DMARC result can be one of the following values:
- pass: SPF or DKIM passed and the passing identifier aligned with the domain in the From header, so that domain authorized the message.
- fail: Neither SPF nor DKIM produced an aligned pass, so the message was not authorized by the From domain.
- none: No DMARC record was found for the From domain, so there was no policy to evaluate.
- policy: Some receivers emit this when the message failed DMARC but the receiver chose not to apply the domain’s published policy (a local override). Note that neutral and softfail are SPF results, not DMARC results; if you see them, look at the spf= clause.
- temperror: A temporary error, such as a DNS timeout, prevented the check; the receiver may retry later.
- permerror: A permanent error, such as an invalid or malformed DMARC record, prevented the check.
The report will also show the DMARC policy, which is the instruction that the From domain published in its DNS record on how to handle messages that fail the DMARC check. The policy (the p= tag) can be one of only three values:
- none: Monitor only. The domain asks for reports but specifies no action, so the receiver delivers the message according to its own filtering.
- quarantine: The domain asks the receiver to treat the message as suspicious, typically by delivering it to the spam or junk folder.
- reject: The domain asks the receiver to refuse the message outright, usually during the SMTP session, so it never reaches the mailbox.
There is no "custom" policy. Two other tags modify how the policy is applied: sp= sets a separate policy for subdomains (it defaults to the value of p=), and pct= tells the receiver to apply the policy to only that percentage of failing messages while the domain owner rolls it out.
The report will also show the DMARC alignment, which is how strictly the receiver compared the domain in the From header with the domain that SPF checked (the envelope MAIL FROM domain) and the domain that DKIM signed for (the d= tag of the DKIM-Signature). The domain owner sets this in the DMARC record with aspf= (for SPF) and adkim= (for DKIM); each can be one of the following values:
- relaxed (r, the default): The identifier counts as aligned as long as it shares the same organizational domain with the From domain. For example, if the From address was user@example.com and SPF passed for the envelope domain mail.example.com, the SPF pass aligns, because both belong to the organizational domain example.com (determined with the Public Suffix List, so that example.co.uk is treated as one organization rather than as a subdomain of co.uk).
- strict (s): The identifier counts as aligned only if it is exactly the same as the From domain. In the same example, the SPF pass for mail.example.com does not align with example.com. That by itself does not reject the message: DMARC passes if either SPF or DKIM produces an aligned pass, and the message is rejected or quarantined only if neither does and the policy says so.
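To make the policy and alignment rules above concrete, here is an added example (not MXToolBox code) that parses a DMARC record, tests relaxed and strict alignment, and derives the result and disposition the way a receiving server would. The records and messages are constructed. One stated simplification: the organizational domain is taken to be the last two labels, whereas a real evaluator consults the Public Suffix List.

```python
"""Evaluate DMARC the way a receiving server does: parse the policy the
From domain published at _dmarc.<domain>, test whether the SPF and DKIM
identifiers align with the From domain (relaxed or strict), and derive
the result and disposition. Added example, not MXToolBox code. The
records and messages below are constructed. Simplifying assumption: the
organizational domain is the last two labels; a real evaluator uses the
Public Suffix List so that domains like example.co.uk are handled."""
from dataclasses import dataclass
from typing import Optional

# Constructed records as they would appear in a TXT lookup of _dmarc.example.net:
# a monitor-only record beside a fully enforced one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.net"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@example.net")
# Constructed record an attacker publishes for their own lookalike domain.
LOOKALIKE_RECORD = "v=DMARC1; p=reject"


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; ...' into a dict and fill in RFC 7489 defaults.
    Anything other than none/quarantine/reject for p= is a malformed
    record, which a receiver reports as permerror."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("permerror: not a DMARC1 record with a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"permerror: invalid p={tags['p']!r}")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION: last two labels (no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthInputs:
    from_domain: str               # domain of the RFC5322.From header the user sees
    spf_result: str                # result of the SPF check ('pass', 'fail', ...)
    spf_domain: Optional[str]      # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str               # result of DKIM signature verification
    dkim_domain: Optional[str]     # d= tag of the verified DKIM-Signature


def evaluate_dmarc(record_txt: str, record_domain: str, a: AuthInputs) -> dict:
    """DMARC passes if SPF or DKIM passed *and* that identifier aligns.
    On a fail the disposition is p=, or sp= when the From domain is a
    subdomain of the domain where the record was found. pct= sampling is
    parsed but not simulated here."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = a.spf_result == "pass" and aligned(a.from_domain, a.spf_domain, policy["aspf"])
    dkim_ok = a.dkim_result == "pass" and aligned(a.from_domain, a.dkim_domain, policy["adkim"])
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    is_subdomain = a.from_domain.lower() != record_domain.lower()
    applicable = policy["sp"] if is_subdomain else policy["p"]
    return {
        "result": result,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if result == "pass" else applicable,
    }


# Constructed messages; the fields mirror what Authentication-Results reports.
LEGIT = AuthInputs("example.net", "pass", "bounce.example.net", "pass", "example.net")
SPOOF = AuthInputs("example.net", "pass", "attacker.example", "pass", "attacker.example")
SUBDOMAIN = AuthInputs("news.example.net", "fail", "bounce.example.net", "pass", "example.net")
LOOKALIKE = AuthInputs("examp1e.net", "pass", "examp1e.net", "pass", "examp1e.net")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)]:
        for label, rec in [("weak", WEAK_RECORD), ("strong", STRONG_RECORD)]:
            print(name, label, evaluate_dmarc(rec, "example.net", msg))
    # The lookalike domain passes DMARC against its own record: DMARC proves
    # who sent the mail, not that the domain is the one you think it is.
    print("lookalike", evaluate_dmarc(LOOKALIKE_RECORD, "examp1e.net", LOOKALIKE))
```

Two things the run makes visible that the prose does not: under STRONG_RECORD the legitimate message still passes on DKIM alone even though strict SPF alignment fails for bounce.example.net, and the lookalike domain examp1e.net passes cleanly against the record its owner published, which is why a DMARC pass must always be read together with the exact From domain.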
How to Interpret the DMARC Information of an Email Message
To interpret the DMARC information of an email message, you can use the following guidelines:
- If the DMARC result is pass, the domain shown in the From header really did authorize the message: it was sent through infrastructure covered by that domain’s SPF record or signed with its DKIM key. It does not prove the message is safe. Attackers register lookalike domains (for example examp1e.com) or send from compromised accounts at legitimate domains, and those messages pass DMARC too. Check that the From domain is exactly the one you expect before trusting any instructions or links in it.
- If the DMARC result is fail, the message was not authorized by the From domain. Treat it as probable spoofing or phishing and do not open attachments or click links in it. The main legitimate cause of a fail is forwarding or a mailing list that rewrites the message and breaks the original SPF and DKIM, so if the message claims to come from a known contact, confirm it with them through another channel.
- If the DMARC result is none, policy, temperror, or permerror, the check gave no usable answer: the sending domain has no DMARC record, or the receiver could not evaluate it. Such a message is no better verified than one with no check at all, so verify the sender’s identity and intention by other means before opening any attachments or clicking on any links in it.