Can you trace an email back to its originating IP address?
Finding the originating IP address from which an email was sent can be helpful – to see the origin of spam or a suspected phishing email, for example. And while it is possible to do that in some circumstances, in many others – if not most – it simply is not.
In this post, we look at how to trace an email back to its originating IP address and discuss the situations in which this can be achieved and the ones in which it is simply impossible. Along the way, you’ll better understand how emails travel over the Internet.
Let’s get started.
To trace an email back to the sender’s IP address, you’ll have to look at that email’s full header. The header is where the sender and recipient addresses, along with the addresses of every mail server that handled the message, are recorded. Only a few of those fields are displayed when you open an email; the full header contains a lot more than that.
We’ll look at a full header example, but before that, let’s go over how to display the full email header for some of the more popular email services.
How to view full email headers by service
Each email service is different, each email client is different, and they all have different ways of accessing full headers. They also vary in what they display and how they display it. Here’s how to view the full headers with some popular email services:
Gmail
- Log into your Gmail account.
- Open the email you want to trace.
- Click the drop-down menu in the top-right corner (three vertical dots).
- Select Show original.
- The full header of that email is displayed.
Outlook
- Launch Outlook.
- Open the email you want to trace.
- Go to File > Properties.
- The information is displayed under Internet headers.
Apple Mail
- Launch Apple Mail.
- Open the email you want to trace.
- Go to View > Message > Raw Source.
- The full header of that email is displayed.
Yahoo Mail
- Log into your Yahoo Mail account.
- Open the email you want to trace.
- Click on the More button (three dots).
- Select View Raw Message.
- The full header of that email is displayed.
ProtonMail
- Log into your ProtonMail account.
- Open the email you want to trace.
- Click on the More button (three dots).
- Select View Headers.
- The full header of that email is displayed.
Here’s the full header of a spam email I received from Zoom trying to sell me a subscription. The email service used is Gmail (with a custom domain).
It’s busy, which is why clients never display the full headers by default. We’ll review what’s included here to better understand how to find the originating IP address (if possible). An email header is read chronologically from the bottom to the top: each server that handles the message adds its own lines above the existing ones, so the bottom-most entries are the oldest.
We’re going to define the elements we’ve highlighted in blue:
- Content-Type: Tells your browser or email client how to interpret the body of the message. The charset values you’ll most commonly see are UTF-8 and ISO-8859-1. In my screenshot, the Content-Type is listed as multipart/alternative, which packages several representations of the same body in a single message, hence “multipart.”
- Reply-To: The email address used if you reply to the email.
- MIME-Version: Displays the standard email format used. The most common MIME-Version, when it comes to email, is 1.0, as in my screenshot.
- Subject: The email’s subject line. This is the same as the subject line displayed by default when you open an email.
- To: The email address(es) of the recipient(s).
- From: This field displays the sender’s email address. This field is trivial to spoof.
- DKIM-Signature: A cryptographic signature over the message body and selected headers, added by the sending domain’s mail server. The receiving email service fetches the domain’s public key from DNS and uses it to verify that the message was signed by that domain and has not been altered since.
- Received: The “Received” lines list the servers through which the email travels before reaching your inbox. Multiple “Received” lines exist because emails hop through multiple servers before reaching their final destination.
- Authentication-Results: Displays the authentication methods used to ensure the integrity of the email. It can list multiple authentication methods.
- Received-SPF: Displays the result of the Sender Policy Framework (SPF) check, part of the email authentication process that tries to prevent sender address forgery.
- Return-Path: Lists the address to which bounced messages will be sent.
- ARC-Authentication-Results: Displays the Authenticated Received Chain (ARC) results, also part of the authentication process. ARC lets each intermediary that forwards the message (a mailing list, for instance) sign the authentication results it saw, so the final recipient can still verify them.
- ARC-Message-Signature: A snapshot of the message header information for further validation.
- ARC-Seal: The verified ARC authentication results and the message signature.
- X-Received: Similar to “Received,” but where “Received” is a header defined in the standard, “X-Received” is a non-standard header added by some user agents or mail transfer agents like the Google mail SMTP server.
- X-Google-Smtp-Source: Indicates the email was transferred using a Gmail SMTP server.
- Delivered-To: The email’s final destination (my inbox).
Received
The “Received” field is the one we’re interested in, as it provides an originating IP address – but it might not be the one you’re looking for…
As I mentioned above, different providers list varying information in their headers. Some email providers, such as Yahoo Mail, may list the sender’s originating IP address in this field, but most do not. Gmail, for example, lists the IP address of the last server through which your email transited, while the secure email service ProtonMail lists nothing at all.
So, tracing an email back to its sender’s IP address with Gmail or ProtonMail is impossible. You can try it with other services, but go in knowing that your mileage may vary.
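To make the bottom-to-top reading concrete, here is a small Python script, added here as an example and not part of the original post, that parses a message’s Received chain and pulls out the peer IP each server recorded. The message it parses is a constructed sample in the shape of Gmail’s Show original output, with placeholder hostnames and documentation-range IPs (203.0.113.x, 198.51.100.x); the functions, the regexes and the is_internal() check are my own and only use the standard library.

```python
import email
import ipaddress
import re

# Constructed sample message in the shape Gmail's "Show original" displays.
# Hostnames, IDs and addresses are placeholders (RFC 5737 documentation
# ranges), not the Zoom message from the post.
RAW_MESSAGE = b"""\
Delivered-To: recipient@example.org
Received: by 2002:a05:6a10:1234:b0:1 with SMTP id abc123;
        Mon, 3 Jun 2024 10:15:30 -0700 (PDT)
Return-Path: <bounce@mailer.example.com>
Received: from mta.mailer.example.com (mta.mailer.example.com. [203.0.113.10])
        by mx.google.com with ESMTPS id xyz789
        for <recipient@example.org>;
        Mon, 3 Jun 2024 10:15:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce@mailer.example.com designates 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mailer.example.com header.s=sel1 header.b=placeholder;
       spf=pass (google.com: domain of bounce@mailer.example.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@mailer.example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailer.example.com
Received: from [192.168.1.50] (unknown [198.51.100.7])
        by mta.mailer.example.com (Postfix) with ESMTPSA id 1A2B3C
        for <recipient@example.org>; Mon, 3 Jun 2024 10:15:27 -0700 (PDT)
From: Sales <sales@mailer.example.com>
To: recipient@example.org
Subject: Limited time offer
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

Hello
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>": the bracketed IP inside the
# parentheses is what the receiving server saw on the TCP connection; the HELO
# name before it is whatever the client claimed and cannot be trusted.
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?P<paren>\s*\([^)]*\))?\s+by\s+(?P<by>\S+)",
                    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)\]")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses (and unparsable ones)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def parse_received_chain(raw):
    """Return the Received hops in chronological order (bottom of the header first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    # get_all() yields headers top-to-bottom; each relay prepends its own line,
    # so the bottom-most Received is the first hop after the sender.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(text)
        if m is None:  # e.g. Gmail's internal "Received: by ..." line
            hops.append({"from": None, "peer_ip": None, "by": None, "raw": text})
            continue
        ips = IP_RE.findall(m.group("helo") + (m.group("paren") or ""))
        hops.append({"from": m.group("helo"), "peer_ip": ips[-1] if ips else None,
                     "by": m.group("by"), "raw": text})
    return hops


def originating_ip(raw):
    """First routable peer IP in the chain, or None if every hop hides it."""
    for hop in parse_received_chain(raw):
        if hop["peer_ip"] and not is_internal(hop["peer_ip"]):
            return hop["peer_ip"]
    return None


def auth_results(raw):
    """Map method -> result from the Authentication-Results header (dkim/spf/dmarc)."""
    results = {}
    for value in email.message_from_bytes(raw).get_all("Authentication-Results", []):
        for part in " ".join(value.split()).split(";")[1:]:  # [0] is the authserv-id
            token = part.strip().split(" ")[0] if part.strip() else ""
            if "=" in token:
                method, result = token.split("=", 1)
                results[method.lower()] = result.lower()
    return results


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(RAW_MESSAGE), 1):
        print(f"hop {i}: from={hop['from']} peer_ip={hop['peer_ip']} by={hop['by']}")
    print("originating IP:", originating_ip(RAW_MESSAGE))
    print("authentication:", auth_results(RAW_MESSAGE))
```

In the sample, the bottom-most Received line is the submission hop (note the ESMTPSA, an authenticated client connection), and it records the sender’s own address, 198.51.100.7, behind a private HELO name. That line is exactly what Gmail and ProtonMail leave out, which is why the script returns None for mail sent through them. Two caveats worth keeping in mind when you run this on real mail: only the Received lines written by servers you trust (your own provider and above) are reliable, since anything below them was supplied by the sender and can be forged, and the Authentication-Results header tells you whether the claimed sending domain checked out, not where the human behind the message was.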
Are there other ways to trace an email back to its sender?
There are other ways, but they’re not guaranteed to work either. Using an IP address information website, you can obtain more information about the IP address of the last email server that transferred your email. That could shed some critical light on who the sender might be.
The bottom-most Received entry in our header displays the IP address of the server that handed the email to my provider. You can paste that IP into a site like ipinfo.io. You can make IP address lookups on its site for free, but there’s a daily cap.
Here’s what it looks like:
And here’s all the information provided if you scroll through the content.
- ip: "13.111.204.227"
- hostname: "mta5.e.zoom.us"
- city: "Washington"
- region: "District of Columbia"
- country: "US"
- loc: "38.8951,-77.0364"
- org: "AS14340 Salesforce.com, Inc."
- postal: "20004"
- timezone: "America/New_York"
- is_anycast: false
- is_mobile: false
- is_anonymous: false
- is_satellite: false
- is_hosting: false
- asn:
  - asn: "AS14340"
  - name: "Salesforce.com, Inc."
  - domain: "salesforce.com"
  - route: "13.111.0.0/16"
  - type: "business"
- company:
  - name: "Salesforce.com, Inc."
  - domain: "salesforce.com"
  - type: "business"
- privacy:
  - vpn: false
  - proxy: false
  - tor: false
  - relay: false
  - hosting: false
  - service: ""
- abuse:
  - address: "US, IN, Indianapolis, 20 North Meridian St., Suite 200, 46204"
  - country: "US"
  - email: "abuse@c.exacttarget.com"
  - name: "ExactTarget Abuse"
  - network: "13.108.0.0/14"
  - phone: "+1-317-423-3928"
That’s a lot of information. And if you have a hunch about who the email may have come from, the above might be enough for you to make an educated guess.
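If you do this more than once, it is worth scripting. The Python below is an added example, not code from the post or from ipinfo: fetch_ipinfo() calls ipinfo.io’s JSON endpoint (the per-IP URL shown is its documented one; the free tier has the daily cap mentioned above), and assess() reduces a response to the three things that actually help you reason about a hop: whether the network is an anonymiser, whether the hop’s hostname belongs to the domain the mail claims to come from, and who to contact about the network. The first sample record is an abridged copy of the response shown above; the second, with a VPN flag set, is constructed with a placeholder IP so the anonymiser branch runs offline. The organizational_domain() helper is a deliberate simplification and is my own.

```python
import json
import urllib.request

# Abridged copy of the ipinfo.io response shown in the post, kept inline so
# the example runs offline.
SAMPLE_ZOOM = {
    "ip": "13.111.204.227",
    "hostname": "mta5.e.zoom.us",
    "org": "AS14340 Salesforce.com, Inc.",
    "privacy": {"vpn": False, "proxy": False, "tor": False, "relay": False,
                "hosting": False, "service": ""},
    "abuse": {"email": "abuse@c.exacttarget.com", "name": "ExactTarget Abuse",
              "network": "13.108.0.0/14"},
}

# Constructed second response (placeholder IP from RFC 5737) to exercise the
# anonymiser branch: a hop that ipinfo flags as a VPN exit.
SAMPLE_VPN = {
    "ip": "203.0.113.42",
    "hostname": "exit-17.vpn-provider.example",
    "org": "AS64500 Example Hosting Ltd",
    "privacy": {"vpn": True, "proxy": False, "tor": False, "relay": False,
                "hosting": True, "service": "ExampleVPN"},
    "abuse": {"email": "abuse@hosting.example", "name": "Abuse Desk",
              "network": "203.0.113.0/24"},
}


def fetch_ipinfo(ip, token=None, timeout=10):
    """Live lookup against ipinfo.io's JSON endpoint (free tier has a daily cap).
    A token, if you have one, goes in the Authorization header."""
    req = urllib.request.Request(f"https://ipinfo.io/{ip}/json",
                                 headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def organizational_domain(hostname):
    """Crude registrable-domain guess: last two labels (mta5.e.zoom.us -> zoom.us).
    Fine for .com/.us-style TLDs; use the Public Suffix List for co.uk and friends."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def assess(info, sender_domain):
    """Turn an ipinfo record into the three facts worth knowing about a hop."""
    privacy = info.get("privacy", {})
    anonymizer = any(privacy.get(k) for k in ("vpn", "proxy", "tor", "relay"))
    hostname = info.get("hostname", "")
    aligned = bool(hostname) and (organizational_domain(hostname)
                                  == organizational_domain(sender_domain))
    return {
        "ip": info.get("ip"),
        "org": info.get("org"),
        "hostname_matches_sender": aligned,
        "anonymizer": anonymizer,
        "abuse_contact": info.get("abuse", {}).get("email"),
    }


def verdict(report):
    """One-line interpretation of an assess() result."""
    if report["anonymizer"]:
        return "anonymiser exit: this IP says nothing about where the sender is"
    if report["hostname_matches_sender"]:
        return "hop is named under the sender's own domain; network is " + str(report["org"])
    return "third-party relay; the network's abuse contact is " + str(report["abuse_contact"])


if __name__ == "__main__":
    for sample in (SAMPLE_ZOOM, SAMPLE_VPN):
        report = assess(sample, "zoom.us")
        print(report["ip"], "->", verdict(report))
```

For the Zoom record this reports a hop named under zoom.us that lives in Salesforce’s (ExactTarget’s) network, which is what a bulk-mail provider sending on a customer’s behalf looks like. The VPN record short-circuits to the anonymiser verdict, which is the programmatic form of the caveat at the end of this post: once a hop is an exit node, the geolocation and abuse fields describe the VPN operator, not the sender.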
Then we have the email tracing sites, like ipaddress.com/trace-email-address:
These sites appear promising at first glance, but when you enter an email address and perform a search, you’re redirected to a “people finder” site. There, you’ll be greeted with a progress bar animation (which is meant to illustrate all the research being done on the address), only to be asked for some cash to view the results.
The above takes you to the oh-so-dodgy Spokeo site.
So I’d stay away from these.
Some of these sites, like the above, also allow you to paste your email headers for analysis. I would advise against that, as your email address is in the headers, and these sites collect as much PII as possible.
Also, bear in mind that these services don’t use magic. If your email service only lists the IP addresses of the servers through which your email transited (as most do), they won’t find the sender’s IP either.
Another thing you can try is using a site like who.is to translate the sender’s email domain to an IP address and run that IP address through an IP information site, like ipinfo.io.
To do that:
- Go to who.is
- Type in the sender’s email domain and click the Search button.
- A preliminary results page is displayed. Click the Diagnostics button (you’ll have to fill in a CAPTCHA). This pings the domain and runs a traceroute on it, revealing its IP address in the process. The domain’s IP address is displayed in both the Ping and Traceroute boxes.
- From here, you can copy the IP address and run a search in ipinfo.io to get more information about that IP.
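One thing to be aware of with the who.is route: the ping and traceroute boxes show the domain’s A record, which is where its website lives, and the website is usually not what sends the mail. The address to compare against the Received hop is the set of hosts the domain publishes for mail, i.e. its MX records and, more usefully, its SPF record. The Python below is an added example, not code from the post or from who.is, that makes that comparison with a deliberately simplified SPF evaluator. All DNS answers are constructed and held in a dictionary (placeholder names and RFC 5737 addresses); to run it against a live domain, swap lookup() for a real resolver such as dnspython’s dns.resolver.resolve(name, rtype).

```python
import ipaddress

# Constructed DNS answers standing in for live lookups. Names and addresses are
# placeholders (RFC 5737 ranges). To query real DNS, replace lookup() with a
# resolver, e.g. dnspython's dns.resolver.resolve(name, rtype).
FAKE_DNS = {
    ("mailer.example.com", "A"): ["192.0.2.10"],          # the website (what who.is pings)
    ("mailer.example.com", "MX"): ["mx1.mailer.example.com"],
    ("mx1.mailer.example.com", "A"): ["203.0.113.25"],    # inbound mail server
    ("mailer.example.com", "TXT"): [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.esp.example.net -all"],
    ("_spf.esp.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}


def lookup(name, rtype):
    """Offline stand-in for a DNS query: returns a list of record strings."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype.upper()), [])


def spf_record(domain, lookup=lookup):
    """The domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, lookup=lookup, depth=0):
    """Simplified SPF evaluation (RFC 7208): ip4, ip6, a, mx, include and all.
    Not handled here: exists, ptr, redirect=, CIDR suffixes on a/mx, macros."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain, lookup)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network, so mixed versions just miss.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif mech == "include":
            matched = check_spf(ip, arg, lookup, depth + 1) == "pass"
        else:
            continue                     # unsupported mechanism: ignore it
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched


def mail_vs_web(domain, lookup=lookup):
    """Side by side: where the website is versus where the mail infrastructure is."""
    return {
        "web_ips": lookup(domain, "A"),
        "mx_hosts": {host: lookup(host, "A") for host in lookup(domain, "MX")},
        "spf": spf_record(domain, lookup),
    }


if __name__ == "__main__":
    print(mail_vs_web("mailer.example.com"))
    for hop_ip in ("203.0.113.10", "198.51.100.7", "192.0.2.10"):
        print(hop_ip, "->", check_spf(hop_ip, "mailer.example.com"))
```

Run against the constructed zone, the domain’s web address (192.0.2.10) fails the domain’s own SPF policy, while a hop inside the ESP range that the include: pulls in passes. That is the check the who.is ping cannot give you: not “is this the domain’s IP?” but “is this an IP the domain says may send its mail?”. A pass means the server was authorised by the domain owner, which still tells you nothing about the person who typed the message; a fail on a message that nonetheless reached you is the more interesting signal.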
Wrap up
So, can you trace an email back to its originating IP address? Again, the best answer I can give you is ‘maybe’ – and I know how unsatisfying that is.
Here’s the deal:
- If you use an email service that displays originating IP addresses in its full headers (like Yahoo Mail), you can simply open the full headers and grab the IP address.
- If you already have some auxiliary information that allows you to limit the scope of where the email could have come from, an IP address information site/service may provide you with what you need to make a determination.
Tracing an email back to its source IP address will be extremely difficult outside of those two scenarios. Also, remember that if the sender is using a proxy server or a VPN, even if your email provider lists the origin IP addresses in their header, it will be the VPN IP address, so that won’t get you very far.
That’s the lowdown on tracing emails back to their origination IP. It can be done in certain circumstances, but it’s not guaranteed.
But hey, now you know the context and have the knowledge to attempt it at the very least. Just steer clear of people-finder sites—surveillance capitalism is not your ally.