Key Takeaways

  • Tracing an email back to its sender can help identify scam, spam, and phishing emails, as well as block persistent sources of spam or abusive content.
  • To trace an email address, you need to access the full email header, which contains routing information and email metadata. Different email clients have different methods for viewing the full header.
  • While tracing the IP address of an email sender can be helpful, it may not always be possible due to providers obscuring the information. Free tools are available to trace IP addresses, but their accuracy can vary. Social media may also be used to trace an email sender, but success depends on the individual's public-facing information.

The first thing you do when you hear that email notification is to check the sender, right? It is the quickest way to figure out who the email is from, as well as the likely content.

But did you know each email comes with more information than what appears in most email clients? There's a host of information about the sender included in the email header—information you can use to trace the email back to the sender.

Here's how to trace an email back to where it came from and why you might want to.

Why Trace an Email Address?

Before learning how to trace an email address back to the sender, let's consider why you would do it in the first place.

In this day and age, malicious emails are all too frequent. Scams, spam, malware, and phishing emails are common. If you trace an email back to its source, you have a slight chance of discovering who (or where!) the email comes from.

In other cases, you can trace the origin of an email to block a persistent source of spam or abusive content, permanently removing it from your inbox; server administrators trace emails for the same reason.

But on the flip side, if you want to prevent your own email identity from being revealed, learn to send completely anonymous emails.

How to Trace an Email Address

You can trace an email address to its sender by looking at the full email header. The email header contains routing information and email metadata—information you don't normally care about. But that information is vital to tracing the source of the email.

Most email clients don't display the full email header as standard because it is full of technical data and somewhat useless to an untrained eye. However, most email clients offer a way to check out the full email header. You just need to know where to look, as well as what you're looking at, as the method for finding the full email header differs between email providers.

  • Gmail Full Email Header: Open your Gmail account, then open the email you want to trace. Select the drop-down menu in the top-right corner, then Show original from the menu.
  • Outlook Full Email Header: Double-click the email you want to trace, then head to File > Properties. The information appears in the internet headers.
  • Apple Mail Full Email Header: Open the email you wish to trace, then head to View > Message > Raw Source.
  • Proton Mail Full Email Header: Open the email you wish to trace, then head to More (the three-dot icon) > View headers.
  • Yahoo Mail Full Email Header: Open Yahoo Mail, then the email you wish to trace. Select More (the three-dot icon) > View Raw Message.

Of course, there are countless email clients. A quick internet search will reveal how to find your full email header in your client of choice. Once you open the full email header, you'll understand what I meant by "full of technical data."

How to Read the Data in a Full Email Header

A full email header looks like a lot of information. However, keep two things in mind: you read the email header chronologically, from bottom to top (i.e., oldest information at the bottom), and each new server the email travels through adds its own Received line to the header.

Check out this sample email header taken from my MakeUseOf Gmail account:

[Image: Gmail email header, long version]

Gmail Email Header Lines

Let's break down how to read a full email header to help you trace the email to its sender. First, let's break down what each email header line means (reading from bottom to top).

  • Reply-To: The email address you send your response to.
  • From: Displays the message sender; it is easy to forge.
  • Content-type: Tells your browser or email client how to interpret the content of the email. The most common character sets are UTF-8 (seen in the example) and ISO-8859-1.
  • MIME-Version: Declares the email format standard in use. The MIME-Version is typically "1.0."
  • Subject: The subject of the email contents.
  • To: The intended recipients of the email; may show other addresses.
  • DKIM-Signature: DomainKeys Identified Mail authenticates the domain the email was sent from and should protect against email spoofing and sender fraud.
  • Received: The "Received" line lists each server that the email travels through before hitting your inbox. You read "Received" lines from bottom to top; the bottom-most line is the originator.
  • Authentication-Results: Contains a record of the authentication checks carried out; can contain more than one authentication method.
  • Received-SPF: The Sender Policy Framework (SPF) forms part of the email authentication process that stops sender address forgery.
  • Return-Path: The location where non-send or bounce messages end up.
  • ARC-Authentication-Results: The Authenticated Received Chain is another authentication standard; ARC verifies the identities of the email intermediaries and servers that forward your message to its final destination.
  • ARC-Message-Signature: The signature takes a snapshot of the message header information for validation, similar to DKIM.
  • ARC-Seal: "Seals" the ARC authentication results and the message signature, verifying their contents; similar to DKIM.
  • X-Received: Differs from "Received" in that it is considered non-standard; that is to say, it might not be a permanent address, such as a mail transfer agent or Gmail SMTP server. (See below.)
  • X-Google-Smtp-Source: Shows the email transferring using a Gmail SMTP server.
  • Delivered-To: The final recipient of the email in this header.

You don't have to understand what all of these things mean to trace an email. But if you learn to look through the email header, you can quickly begin to trace the email sender.
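As an added example (not part of the original article), the Python sketch below reads the Authentication-Results line described above and compares the From domain with Return-Path and Reply-To. The sample header is constructed, and the `trusted_authserv` parameter (the name your own receiving server stamps at the start of Authentication-Results) is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM pass for the bulk sender's own domain,
# but neither aligns with the domain shown in From, so DMARC fails.
SAMPLE = """\
Authentication-Results: mx.example.org;
       dkim=pass header.i=@bulk-mailer.example header.s=s1;
       spf=pass smtp.mailfrom=bounce@bulk-mailer.example;
       dmarc=fail (p=NONE) header.from=bank.example
Return-Path: <bounce@bulk-mailer.example>
From: "Bank Support" <service@bank.example>
Reply-To: collect@mailbox.example
Subject: constructed sample

body
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path/Reply-To value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_sender(raw, trusted_authserv):
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # Only believe results stamped by your own receiving server; a sender
        # can insert Authentication-Results lines of their own.
        if value.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results.setdefault(method, verdict.lower())
    from_dom = domain_of(msg["From"])
    signals = []
    if results.get("dmarc") != "pass":
        signals.append("dmarc=" + results.get("dmarc", "missing"))
    # Exact-match comparison; a mismatch is a triage signal, not proof, since
    # legitimate bulk mail often bounces to a third-party domain.
    for name in ("Return-Path", "Reply-To"):
        if msg[name] and domain_of(msg[name]) != from_dom:
            signals.append(name + " domain differs from From")
    return results, signals

if __name__ == "__main__":
    print(check_sender(SAMPLE, "mx.example.org"))
```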

Each email provider has a different way of listing IP addresses. For example, Gmail shows the IP address of the last email server in the Received line (not the sender IP address), whereas if you were using Yahoo Mail, the Received line may show the actual sender IP address. Unfortunately, that means you'll have to play around with the data to trace who sent the email.

Why Does the Email Header Have More Than One "Received" Line?

As mentioned previously, each email server that processes your email as it bounces around the world to you adds its own "Received" line. That doesn't mean every address and location had a quick look at your email on its way, though, just that they processed the email and passed it on to the final location.

Remember to read the Received lines from bottom to top. The bottom-most Received line (the first one added) holds the originating IP address and is the one you can use to trace the email sender.

Why Doesn't the "Received" Line Show an IP Address?

Just as each email provider differs in where to find the full email header, they also differ in the information displayed. Although the Received line is meant to show an IP address, many providers will obscure this to make tracing an email harder.

For example, Gmail will only show the IP address of the email server, while privacy-focused Proton Mail will show nothing. Unfortunately, tracing the IP address of the email sender is impossible for Gmail, as it is for Proton Mail (and several other services).

However, you might get lucky. Some tools for managing multiple email accounts expose the sender's IP address before passing the email to the original service. In those cases, you'll be able to trace the IP address. I cannot specify which tools expose the addresses as there are far too many of them for me to test, but many email account management tools will list their name in the header, which should give you an indication.

Tracing the IP Address of the Original Email Sender

To trace the IP address of the original email sender, head to the first Received in the full email header. Alongside the first Received line is the IP address of the server that sent the email. Sometimes, this appears as X-Originating-IP or Original-IP.

Find the IP address, then head to MX Toolbox. Enter the IP address in the box, change the search type to Reverse Lookup using the drop-down menu, then hit Enter. The search results will display a variety of information relating to the sending server.

[Image: MX Toolbox SuperTool reverse IP address lookup result]

That is, unless the originating IP address is one of the millions of private IP addresses. In that case, you will meet the following message:

[Image: MX Toolbox reverse IP address lookup result for a private address]

The following IP ranges are private:

  • 10.0.0.0-10.255.255.255
  • 172.16.0.0-172.31.255.255
  • 192.168.0.0-192.168.255.255
  • 224.0.0.0-239.255.255.255

IP address lookups for those ranges will not return any results, and you won't be able to trace the email sender to a specific IP address.
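The manual steps above (read the Received lines from the bottom up, pull out the IP addresses, skip the ranges that return no lookup result) can be scripted. This is an added example, not part of the original article; the sample header is constructed and uses documentation addresses.

```python
import ipaddress
import re
from email import message_from_string

# The four ranges the article lists as untraceable. The first three are the
# RFC 1918 private blocks; 224.0.0.0/4 is the multicast block.
NO_LOOKUP = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample header; hosts and addresses are documentation values.
SAMPLE = """\
Delivered-To: reader@example.org
Received: by mx.example.org with SMTP id x1; Mon, 1 Jan 2024 10:00:03 -0800
Received: from mail.example.net (mail.example.net [203.0.113.25])
        by mx.example.org with ESMTPS id a2; Mon, 1 Jan 2024 10:00:02 -0800
Received: from [192.168.1.50] (unknown [198.51.100.77])
        by mail.example.net with ESMTPSA id b3; Mon, 1 Jan 2024 18:00:00 +0000
X-Originating-IP: [198.51.100.77]
From: Sender <sender@example.net>
Subject: constructed sample

body
"""

def trace_hops(raw):
    """Return Received-line IPs oldest hop first, plus the lookup candidate."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so reverse to start at the origin.
    for line in reversed(msg.get_all("Received", [])):
        # Keep only the "from ..." clause: the peer this server accepted mail from.
        from_clause = re.split(r"(?:^|\s)by\s", line, maxsplit=1)[0]
        for text in IPV4.findall(from_clause):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
                continue
            hops.append((text, any(addr in net for net in NO_LOOKUP)))
    # First address worth a reverse lookup. Lines added before your own
    # provider received the message are sender-controlled and can be forged.
    candidate = next((ip for ip, skip in hops if not skip), None)
    x_orig = (msg.get("X-Originating-IP") or "").strip(" []") or None
    return {"hops": hops, "candidate": candidate, "x_originating_ip": x_orig}

if __name__ == "__main__":
    print(trace_hops(SAMPLE))
```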

4 Free Tools to Trace the IP Address of an Email

Of course, there are some handy tools out there that automate this process for you. Learning about full email headers and their contents is handy, but sometimes you need quick information. Moreover, you want to trace emails for free, not fork out a heap of cash.


Check out the following header analyzers:

However, while you can use these free tools to trace the source of an email, the results don't always match up. In the below example, I know that the sender is nowhere near the alleged location, stated as in the middle of a reservoir near Wichita.

[Image: email header trace result showing the alleged location of the sender]

As such, your success with tracing the IP address of an email will vary depending on the sender's email provider. For example, if you're trying to trace an email sent from a Gmail account, you'll only find out the location of the last Google server that processed your email, not the IP address of the original sender. A free email tracer is only as good as the information you provide. An email or IP tracer can't magically make assumptions about a person's location or the provenance of an email.

Now, with that said, email tracers and IP tracers do work if given the right information. As written previously, those using a tool to manage multiple email accounts might be in for a surprise. I traced the email address of a friend who uses an email account management tool, and they were shocked to see how easy it was and how, if they'd been using their regular Gmail account, I wouldn't have been able to trace their email.

Can You Trace an Email Sender Using Social Media?

Social media is another option for tracing the sender of an email, but like the other methods, it is by no means guaranteed to work. Social media email tracing relies on the sender adding the same email address to their account and leaving that information public-facing.

For example, you can use Facebook's search tool to comb the site for an email address, but if the person you're looking for hasn't added that specific email address to an account, it won't work. Tracing an email through social media may work with a more specific service, such as LinkedIn, where users are more likely to leave forward-facing email addresses.

Again, it depends on why you're tracing an email address to begin with. You're extremely unlikely to be tracking down a scammer account through a LinkedIn account, but learning OSINT for social media sites is generally useful.

Can You Really Trace an IP Address from an Email?

There are instances where tracing an IP address through the email header is useful—a particularly irritating spammer, perhaps, or the source of regular phishing emails.

Certain emails will only come from certain locations; your PayPal emails won't originate in China, for instance. Still, tracing the origin of an email isn't a precise science, at least not with easily accessible tools. As vast numbers of people use free email services like Gmail, Outlook, and Yahoo, tracing an email sent from those services or an IP address relating to the sender will remain extremely difficult, if not impossible, for regular internet users.

Furthermore, if the sender is using a VPN or other anonymizing service (perhaps a proxy server or sent from an email account on the Tor Network), you'll never trace the email sender.