
Most people won’t notice this, but emails actually arrive in your inbox with a ‘receipt’, which contains a lot of information about the sender. In order to find the sender’s identity, we only need to retrieve an IP address, but inside the email header we can also find the originating domain, reply-to address and sometimes even the email client, for example Thunderbird.

Why would you want to find out the identity of the sender? Well, you may have heard of shady email scams or emails supposedly from Paypal inviting you to re-enter your personal information. Now, you can determine if an email is truly from the authentic source.

Accessing the email header is different for every email provider or email application, and sometimes it is even hidden. In most cases, however, the option to reveal the full header will be somewhere in the area where the subject and sender name are shown.

For example, the Yahoo! Mail header is in the upper right corner of the sender box, which is pointed out in the screenshot above. When you click Show Original, a text file will open in a new tab. This file contains all the necessary headers at the start. They are highlighted in screenshots.

And this is how the full email header appears in Yahoo! Mail:

For Gmail, the header is hidden under ‘Show Original’ – which will show you the complete email in plain text, including the header.

The example below is the header from an email I received in Gmail.

In order to find out the IP address of the original sender, we need to look closely at the first half of the header. Somewhere in there, you’ll find a domain name and an IP address. Particularly, take a closer look at the term ‘Received: from’:

The first ‘Received: from’ line gives us the IP address of the server which forwarded the email to my Gmail address.

Received: from [])

If we continue our search, the second ‘Received: from’ line gives us the originating IP address.

Received: from unknown (HELO ? (chaz@ with plain)

This means that Chaz, located at sent me an email.

The next line will only appear if the email was sent using an email application residing on the sender’s computer, like Thunderbird or Apple Mail. In our case:

X-Mailer: Apple Mail (2.753.1)

If the user sent the email using the web interface, the string would have looked like this:

Received: from [] by via HTTP

We have the originating IP address . To find out who’s behind that IP address we need to do a reverse DNS lookup using a web service like DomainTools, the command line or ‘Network Tools’ in Ubuntu.

In our case, we know that someone called Chaz from Atlanta, using Cox Communications – with an IP address, depending on the subnet mask, sent that email.
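
The header walk described above, as an added example that is not part of the original article: it parses the ‘Received:’ chain and goes one step further by marking which hops were stamped by your own provider, since lines below that boundary come from the sending side and can be forged. The sample header, hostnames, documentation-range IPs and the `trusted_suffix` parameter are constructed for illustration, and it assumes the provider's internal hops carry only private addresses.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: documentation-range IPs and made-up hostnames. The third
# Received line names the provider's host but sits below the boundary hop.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.mailprovider.example with ESMTP id abc123; Mon, 1 Jun 2009 10:00:02 -0400
Received: from unknown (HELO ?192.168.1.20?) (chaz@203.0.113.45 with plain)
    by relay.example.net with SMTP; Mon, 1 Jun 2009 10:00:00 -0400
Received: from host.example.org ([192.0.2.99])
    by mx.mailprovider.example with ESMTP; Mon, 1 Jun 2009 09:59:00 -0400
"""

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
BY = re.compile(r"(?:^|\s)by\s+(\S+)")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def valid_ips(text):
    found = []
    for cand in IPV4.findall(text):
        try:
            found.append(str(ip_address(cand)))
        except ValueError:  # looks like an IP but is not one, e.g. 999.1.1.1
            pass
    return found

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL)

def parse_hops(raw, trusted_suffix):
    """Hops newest-first; 'verified' holds down to the provider's boundary hop."""
    hops, trusted = [], True
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = BY.search(text)
        by_host = m.group(1).rstrip(";").lower() if m else ""
        ips = valid_ips(text[:m.start()] if m else text)  # 'from' part only
        trusted = trusted and by_host.endswith(trusted_suffix)
        hops.append({"by": by_host, "ips": ips, "verified": trusted})
        trusted = trusted and not any(is_external(i) for i in ips)  # boundary crossed
    return hops

def last_verifiable_ip(hops):
    """External IP logged by the provider at the boundary hop, or None."""
    ext = [i for h in hops if h["verified"] for i in h["ips"] if is_external(i)]
    return ext[-1] if ext else None
```

The address returned by `last_verifiable_ip` is the one worth feeding to the reverse DNS lookup; addresses from hops marked unverified are claims made by the sending side.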

Alternatively, you could use a tool called Email Trace, which does the whole operation for you after you input the full email header into the text box. It might not always work, so knowing how to do it the old-fashioned way might come in handy.

This proves useful if you’re trying to report a spammer to your ISP, find out where a certain person is located at the moment, or help you spot phishing emails. For example, PayPal couldn’t have sent an email from an IP address in China.

If you know other good uses for this procedure, please share them with us in the comments.

Image credit: nekto_nektov

  1. Cristal
    February 20, 2016 at 2:32 pm

    What if there's no second "Received from" line? The Spam that I received only shows IP address of the server which forwarded the email to my Gmail address, but not the originating IP address.
    What can I do?

    • packratz
      June 10, 2016 at 4:21 pm

      I got this problem too

  2. Archer
    December 26, 2015 at 8:56 am

    I want to trace one email and I know it's been sent from Romania, but the IP address always gives an address from North America, a California address and a Yahoo ISP and server. Why is that? Can you trace the mistake?

  3. Steve Miller
    August 1, 2015 at 9:41 pm

    On Father's Day, Sunday 6/21/2015 I went to attend a church service at the East End Baptist Tabernacle at 548 Central Avenue Bridgeport, CT. This has to be the most deranged email crime ever. I had attended the prior Sunday 6/14 which was the normal event at any church. I had left 3 voice messages with the church secretary, April prior to 6/14.

    I was arrested on 6/21/2015 by the Bridgeport, CT police. I have never sent any email to pastor Charles Stallworth or anybody associated with him. I had been referred to pastor Stallworth by Bishop John Diamond after I had spoken to Bishop Diamond a few times concerning the murders of black people by cops.

    I offered to treat pastor Stallworth to dinner or lunch at any restaurant of his choice at a time he chose. A few minutes after arriving at the church a Bridgeport police officer named Reid stepped out of a door with paper in his hand. Reid asked if I would step outside to speak. I agreed. Reid asked me about an email he had copied onto the paper.

    I have never sent any email in my life so I didn't have any idea what Reid was talking about. I asked Reid to see the email. He flashed the papers for a second. I offered Reid my ID to verify my identity was different than the sender or recipient of the email Reid held in his hand. He made a call and 3 more patrol cars came to arrest me and charge with harassment, breach of peace under a $25,000 bond. I spent 21 days in jail before a bondsman decided to charge me $1550 to get released. My car was towed and cost $909 storage. My $1065 golf clubs and bag were stolen and a NFL football.

    The police refuse to give me the police report and the email. I need the email traced.

    • packratz
      June 10, 2016 at 4:23 pm

      Sounds like you need a lawyer.

  4. Mavcal
    October 4, 2009 at 12:53 pm

    I have been getting personalized porno and taunting emails from I suspect a neighbor who has an ax to grind. I would like to verify that he is sending them. Does anyone know of a legitimate business that can trace these emails to the source? Thanks

    • heartlessgamer
      October 4, 2009 at 1:53 pm

      Mavcal, the best anyone could do for you outside of a court order, would be to follow the steps mentioned in the article.

      If you can get the header of one of the emails, and I have time, I can dissect it and tell you where it's coming from.

      What most likely has happened is the person has signed your email address up for spam mail lists or porn mailing lists. In which case, all we'll ever see is the porn mailing lists' originating mail server.

      As a side note, 95%+ of email on the Internet is spam, so to get porn or other junk mail is not that uncommon. However, post a header and we can dissect it.

      • Greg
        November 5, 2009 at 7:23 pm

        Hey can you guys help me out? This is not a phoney post. I am a real person being screwed over by a cheating wife. My story is not anything new, but nonetheless if someone could assist that would be great.

        My wife has been planning on leaving me for the past 8-9 months. But she wanted to find something on me...well, if you can't dig up dirt..."invent dirt". Mavcal, I am in a similar situation. Before she filed for divorce, she opened a "gay porn site" using a credit card the day right before it was to expire. But, then she cancelled the "porn site account" 10 days later. Everyone says file a police report, but I called the billing co....blah..blah. That would make it seem like I was engaging in "fraud"...and that's what she wants me to do...duh...she was an authorized user.

        She didn't sign up from any of my accounts because she was "traveling" the day the account was registered and doesn't know my passwords.

        The billing company was able to give me an IP
        she uses yahoo as her main email...and I tried tracing but only came up with an Earthlink provider. Which she uses.

        If anyone can help me nail this low budget ******, I will be happy to provide details. Even if the only thing that pops up is 5miles of where she good enough.

  5. George Zepol
    June 9, 2009 at 1:38 pm

    You need a lot to learn about this ident. matter. Mail m.

  6. PhaoLoo
    June 8, 2009 at 7:23 pm

    Really informative post, I can trace spammers :)

  7. Edo
    June 8, 2009 at 11:23 am

    Duh, nothing can trace an IP address to a street, at least not without access to the ISP's database. To find out if something is spam often just the country is good enough.

  8. Anthem
    June 7, 2009 at 7:43 pm

    there is a great toolbar for firefox that gives you all the info to trace any email... take a look at eMail Analyzer

  9. Dream Meanings
    June 6, 2009 at 1:13 pm

    With all this info, why do the email providers still have problems curtailing email spammers?

  10. Mario
    June 4, 2009 at 11:21 am

    The email tracer you linked is a very nice and handy tool. And it's pretty accurate.

  11. matthew
    June 3, 2009 at 8:46 pm

    This is awesome, now I just need to integrate this with a GIS to find out where on a map people are actually sending emails from and respond accordingly. Thanks.

  12. Ooz
    June 2, 2009 at 4:40 am

    Dear Oron, assuming your comment is a reply to my comment, I am not interested in finding spammers; all I want to find out is the origin of the potential customers who send e-mails and make inquiries through my company's website (I need to know the origin before I send any reply). So I wasn't talking about spammers but the potential customers using gmail, yahoo, hotmail, etc. Thanks a lot.

  13. Oron
    June 1, 2009 at 5:20 pm

    As others have posted above, it's pretty easy to spoof headers and it is common practice amongst spammers. Only the headers within your organisation can be entirely relied upon (assuming no foul play is taking place on your LAN). Header analysis can be useful for tracing the origins of messages, but not for finding the origins of spam.

  14. Ooz
    June 1, 2009 at 11:57 am

    Hello guys, I have a question about this matter. In cases where senders use gmail, yahoo, hotmail accounts, IPs in the header belong to gmail, yahoo and hotmail's servers... is it possible to locate the sender's country? If there is a way, it would really be helpful...


  15. Mike
    June 1, 2009 at 8:02 am

    Like Mackenzie said, this info is only reliable for the last hop, or the last hop into your organisation at the best.
    The trail can very easily be spoofed by the originating device, and if not then it may have been sent via a botnet machine or an open relay. That's not to say that it is never correct, but there is no point looking at this unless you want to trace one specific email, such as a malicious rumour or similar.

  16. Mackenzie
    May 29, 2009 at 4:35 am

    Useless. Headers can be spoofed, and spammers use other suckers' open relays, not their own machines.

    • Dave
      June 10, 2009 at 1:06 pm

      Even Open Relays *can* be traced.
      Thus; it is not useless; moreover if it's a chickenboner who sent the mail in the first place.

  17. heartless_
    May 28, 2009 at 6:45 pm

    Ummmm, if there is a valid PTR, the process of reverse DNS will have already put that information into the header.

    In your example: has a PTR that points to, which works out via rDNS as a valid

    Also, your example is a bit rare, as oftentimes you are not going to see "unknown" and "xxx@ip.address". You will most commonly see the originating mail server (usually an ISP's SMTP server). Which usually isn't even in the same area of the country as the originator of the email.

    I'm a bit curious, in your example, of where exactly that Gmail message originated.

    • heartless_
      May 28, 2009 at 6:48 pm

      Actually, it looks like Chaz is running a mail server as evidenced by the Qmail line. So, that IP is for a mail server then would be my guess.

  18. Jeff
    May 28, 2009 at 1:17 pm

    You can use the free email tracer from
