How can I identify the ESP used to send a spam email using the email headers?
Summary
What email marketers say (8 marketer opinions)
Email marketer from EmailDeliverabilityPro suggests correlating the IP addresses found in the 'Received:' headers with known IP ranges used by various ESPs to identify the sender.
Email marketer from Reddit explains that you can perform a reverse IP lookup on the sending server's IP address (found in the 'Received:' headers) to identify the organization or ESP associated with that IP.
Email marketer from EmailBlackListCheck suggests examining the 'Authentication-Results' header, if present, as it often contains information about the DKIM and SPF checks, which can indicate the ESP.
Email marketer from StackExchange explains that examining the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records in the email headers can help identify the authorized sending sources and potentially reveal the ESP.
Email marketer from EmailDripGuru suggests looking for specific identifiers or server names commonly associated with well-known ESPs within the header information.
Email marketer from EmailSecurityFAQ explains that analyzing the Return-Path header often reveals the domain used by the ESP for bounce handling, which can help identify the ESP.
Email marketer from Mailhardener suggests using header analysis tools to identify ESP or brand names embedded within the headers. This includes examining DKIM signatures, SPF records, and other custom header fields that often contain identifying information.
Email marketer from EmailGeekForum explains that using online header analyzer tools to automatically parse and interpret email headers can make identifying the ESP easier, as these tools highlight relevant information and relationships.
What the experts say (6 expert opinions)
Expert from Word to the Wise explains that the 'Authentication-Results' header provides details on the DKIM, SPF, and other authentication checks performed on the email, potentially revealing the sending ESP if they are properly configured.
Expert from Spam Resource explains that the 'Received:' headers are key to tracing an email's origin, as they contain the IP addresses and hostnames of the servers that processed the email. By examining these, you can often identify the ESP used.
Expert from Email Geeks offers to help identify the ESP from email headers if a sample is provided.
Expert from Word to the Wise shares that when analyzing email headers, understanding which entity controls the underlying infrastructure that sent the email (servers, IP addresses) is critical to identifying the ESP.
Expert from Spam Resource shares that once you've identified an IP address from the 'Received:' headers, perform a reverse DNS lookup to determine the hostname. This hostname often contains the name of the ESP or sending organization.
Expert from Email Geeks shares that they have a tool to identify the ESP based on the IP address and offers to check samples or IPs.
What the documentation says (5 technical articles)
Documentation from RFC Editor explains the structure and meaning of 'Received:' headers, which contain valuable information about the path an email takes, including server addresses and timestamps, and can assist in pinpointing the originating ESP.
Documentation from IANA explains that examining SMTP extensions used during the email sending process (often visible in the headers) can sometimes indicate the ESP, as different ESPs might use specific extensions.
Documentation from Microsoft Support shares that in Outlook, you can view internet headers by opening the email, clicking 'File,' then 'Properties,' and looking under the 'Internet headers' section to analyze the routing information.
Documentation from MXToolbox explains that you can use MXToolbox's Email Header Analyzer to paste the full email headers and identify the sending mail servers, which may help determine the ESP.
Documentation from Google Workspace Admin Help explains that you can trace an email's origin by examining the full email headers, particularly the 'Received:' lines, which show the path the email took through various servers.
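The header checks described above (Received hops, Return-Path, DKIM signing domain, Authentication-Results) can be pulled out of a raw message in one pass. The following is an added example, not code from any of the sources summarized here; the sample headers are constructed, and the names esp_clues, domain_of and HOP are hypothetical. It stays offline, so the reverse DNS lookup of the handoff IP is left as the next manual step.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example.* names and documentation-range IPs only.
SAMPLE = """\
Return-Path: <bounce-123@bounces.esp-mail.example>
Received: from mta7.esp-mail.example (mta7.esp-mail.example [198.51.100.25])
\tby mx.recipient.example with ESMTPS id abc123; Tue, 02 Jan 2024 10:00:01 +0000
Received: from app01.internal (localhost [127.0.0.1])
\tby mta7.esp-mail.example with ESMTP id xyz789; Tue, 02 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=bounces.esp-mail.example;
\tdkim=pass header.d=esp-mail.example header.s=s1
DKIM-Signature: v=1; a=rsa-sha256; d=esp-mail.example; s=s1;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Deals" <news@brand.example>
Subject: constructed sample

body
"""

# "from <helo> (<rdns> [<ip>])" is a common Received layout, not a guaranteed one.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)?\s*\[([0-9A-Fa-f.:]+)\]\)")

def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def esp_clues(raw):
    msg = message_from_string(raw)
    hops = [dict(zip(("helo", "rdns", "ip"), m.groups()))
            for v in msg.get_all("Received", []) if (m := HOP.search(v))]
    auth = " ".join(msg.get("Authentication-Results", "").split())
    clues = {
        "from_domain": domain_of(msg.get("From", "")),
        "return_path_domain": domain_of(msg.get("Return-Path", "")),
        "dkim_domains": [d.lower() for v in msg.get_all("DKIM-Signature", [])
                         for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", v)],
        "auth_results": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        # Headers are prepended, so the topmost Received comes from the last
        # server to handle the message; lower hops may be forged by the sender.
        "handoff": hops[0] if hops else None,
        "all_hops": hops,
    }
    # Domains that differ from the visible From domain point at third-party infrastructure.
    seen = [clues["return_path_domain"], *clues["dkim_domains"]]
    clues["third_party"] = sorted({d for d in seen if d and d != clues["from_domain"]})
    return clues
```

Trust an Authentication-Results header only when it was added by your own receiving server, since a sender can insert one of its own.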