Enroll Course

100% Online Study
Web & Video Lectures
Earn Diploma Certificate
Access to Job Openings
Access to CV Builder



Online Certification Courses

How to Trace Emails Back to Their Source IP Address

How to Trace Emails Back to Their Source IP Address. 

Why Trace an Email Address?

Before learning how to trace an email address, let us consider why you would do it in the first place.

In this day and age, malicious emails are all too frequent. Scams, spam, malware, and phishing emails are a common inbox sight. If you trace an email back to its source, you have a slight chance of discovering who (or where!) the email comes from.

In other cases, you can trace the origin of an email to block a persistent source of spam or abusive content, permanently remove it from your inbox; server administrators trace emails for the same reason.

How to Trace an Email Address

You can trace an email address to its sender by looking at the full email header. The email header contains routing information and email metadata information you don’t normally care about. But that information is vital to tracing the source of the email.

Most email clients don’t display the full email header as standard because it is full of technical data and somewhat useless to an untrained eye. However, most email clients do offer a way of checking out the full email header. You just need to know where to look, as well as what you’re looking at.

  • Gmail Full Email Header: Open your Gmail account, then open the email you want to trace. Select the drop-down menu in the top-right corner, then Show original from the menu.
  • Outlook Full Email Header: Double-click the email you want to trace, the head to File > Properties. The information appears in the internet headers
  • Apple Mail Full Email Header: Open the email you wish to trace, then head to View > Message > Raw Source.

Of course, there are countless email clients. A quick internet search will reveal how to find your full email header in your client of choice. Once you have the full email header open, you’ll understand what I meant by “full of technical data.”

Understanding the Data in a Full Email Header

It looks like a lot of information. However, consider the following: you read the email header chronologically, from bottom to top (i.e., oldest information at the bottom), and that each new server the email travels through adds Received to the header.

Gmail Email Header Lines

There’s a lot of information. Let’s break it down. First, understand what each line means (reading from bottom to top).

  • Reply-To: The email address you send your response too.
  • From: Displays the message sender; it is easy to forget.
  • Content-type: Tells your browser or email client how to interpret the content of the email. The most common character sets are UTF-8 (seen in the example) and ISO-8859-1.
  • MIME-Version: Declares the email format standard in use. The MIME-Version is typically “1.0.”
  • Subject: The subject of the email contents.
  • To: The intended recipients of the email; may show other addresses.
  • DKIM-Signature: DomainKeys Identified Mail authenticates the domain the email was sent from and should protect against email spoofing and sender fraud.
  • Received: The “Received” line lists each server that the email travels through before hitting your inbox. You read “Received” lines from bottom to top; the bottom-most line is the originator.
  • Authentication-Results: Contains a record of the authentication checks carried out; can contain more than one authentication method.
  • Received-SPF: The Sender Policy Framework (SPF) forms part of the email authentication process that stops sender address forgery.
  • Return-Path: The location where non-send or bounce messages end up.
  • X-Received: Differs to “Received” in that it is considered non-standard; that is to say, it might not be a permanent address, such as a mail transfer agent or Gmail SMTP server.
  • X-Google-Smtp-Source: Shows the email transferring using a Gmail SMTP server.
  • Delivered-To: The final recipient of the email in this header.

You don’t have to understand what all of these things mean to trace an email. But if you learn to look through the email header, you can quickly begin to trace the email sender.

Tracing the Original Sender of an Email

To trace the IP address of the original email sender, head to the first Received in the full email header. Alongside the first Received line is the IP address of the server that sent the email. Sometimes, this appears as X-Originating-IP or Original-IP.

Find the IP address, then head to MX Toolbox. Enter the IP address in the box, change the search type to Reverse Lookup using the drop-down menu, then hit Enter. The search results will display a variety of information relating to the sending server.

Unless the originating IP address is one of the millions of private IP addresses. In that case, you will meet the following message:

The following IP ranges are private:

  • 0.0.0-10.255.255.255
  • 16.00-172.31.255.255
  • 168.0.0-192.168.255.255
  • 0.0.0-239.255.255.255

IP address lookups for those ranges will not return any results.

3 Free Tools to Trace Emails and IP Addresses

Of course, there are some handy tools out there that automate this process for you. Check out these tools

  • GSuite Toolbox Message header
  • MX Toolbox Email Header Analyzer
  • IP-Address Email Header Trace(email header analyzer + IP address tracer)
Corporate Training for Business Growth and Schools