How can you track an email address

How to read the mail header

With the help of the so-called e-mail header, you can determine some information about a received e-mail that is otherwise not visible. For example, you can determine the actual sender of an email and expose fraudulent emails, because fraudsters keep luring recipients into a trap with so-called phishing emails and fake sender addresses.

You can find out the following information in the mail header:

  • the sender's email address
  • the IP address of the sender (and thus the actual sender!)
  • the recipients of the email
  • the date of dispatch
  • the subject of the email

Reading email headers: how it works

You should first display the mail header in full. In your mail program on the desktop PC, this is probably possible via "View" or "Options". Sometimes the mail header is also referred to as source text. The exact name of the function with which you can view the mail header depends on the mail program you are using.

What you see then will likely look something like this:

We don't want to go into too much detail here. We have highlighted everything that is important to you. In the following we explain the individual, color-coded areas and show you what information you can derive from them.

Email header on the smartphone

Unfortunately, it is often not possible to read the email header on smartphones. Whether and how it works on the smartphone depends on your operating system and the email program you use. You can try accessing your e-mail with a web browser and viewing the desktop page there. Some mail providers also offer their own app that you can install to access the header. If this does not work with your smartphone or your e-mail program, open your e-mail program on a desktop PC.

Sender's email address

Under "Return-Path" you can find the sender of the e-mail, or rather the sender's e-mail address. If there is a cryptic e-mail address here, this is already an indication of a phishing e-mail. But the address does not have to be correct: it is easy to manipulate, as it is not checked for correctness by the mail server. This is why there can be a legitimate-looking address here, and it can still be phishing.

Recipient

The recipient's email address and mail server can be found at "Delivered-To" or "Envelope-To" and under the first "Received" entry.

The Received entries should be read from bottom to top, so the last entry you reach, the one at the top, is the one that the recipient's mail server added to the header when it received the mail. The mail server identifies itself with HELO. In our case this is the entry "helo = astaro.vz-nrw.de".

IP address of the sender (the actual sender!)

The IP address, i.e. the actual physical address of the sender, can be found further down, within one of the next "Received from" entries. This is the Received entry that documents the transfer of the e-mail from the sender server to the recipient server. It says "Received from (here is the sender server) by (here is the recipient server)".

The sender server is clearly identified by the so-called IP address. This cannot be falsified, is in square brackets and in this case is 62.128.158.4. It is preceded by the name of the mail server, which does not necessarily have to be correct.

You can, however, take the trouble to check that the IP address and the name of the server match. This also allows you to use the IP address to find out where the e-mail is really coming from.

Proceed as follows:

  1. If you have a Windows computer, open the command line via Start → Run. Enter "cmd" and click OK.
     
  2. A command window opens. There you type "nslookup", then a space and then the IP address that is given as the sender address. There are also web-based tools that do an nslookup query. You can find such services through search engines. The query tells you whether it is the same mail server that is specified in the mail header.
    The output looks something like this:

    Server: srv-d.vz-nrw.de
    Address: 172.16.3.9
    Name: lws01.netbenefit.co.uk
    Address: 62.128.158.4
     
  3. The output first shows the server, with its IP address, from which you started the request. Below that you can see the name and the IP address of the requested server. You can also do the cross check and enter "nslookup" with the name (here: lws01.netbenefit.co.uk). The associated IP address should then be displayed again.
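
The same check as the nslookup steps above, applied to a complete header, as an added example that is not part of the original article. The header text is constructed (only 62.128.158.4 and the two server names come from the article), and the function names are hypothetical.

```python
import re
import socket
from email import message_from_string

# Constructed sample header; only the host names and the IP address are
# taken from the article's example, everything else is made up.
SAMPLE = """\
Return-Path: <service@bank.example>
Delivered-To: user@vz-nrw.example
Received: from lws01.netbenefit.co.uk ([62.128.158.4])
\tby astaro.vz-nrw.de with esmtp; Mon, 1 Jan 2024 10:00:02 +0100
Received: from webmail.bank.example ([10.0.0.5])
\tby lws01.netbenefit.co.uk with esmtp; Mon, 1 Jan 2024 10:00:00 +0100
Subject: Please confirm your account

body
"""

HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")

def received_hops(raw):
    """Return the Received hops in reading order: bottom (oldest) to top."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # undo header line folding
        if m:
            hops.append({"claimed": m.group(1).lower(), "ip": m.group(2), "by": m.group(3).lower()})
    return hops

def dns_reverse(ip):  # equivalent of "nslookup <ip>"
    return socket.gethostbyaddr(ip)[0].lower()

def dns_forward(name):  # equivalent of "nslookup <name>"
    return socket.gethostbyname_ex(name)[2]

def check_sender(raw, reverse=dns_reverse, forward=dns_forward):
    """Check the hop recorded by the recipient's own server (topmost Received)."""
    hop = received_hops(raw)[-1]
    try:
        ptr = reverse(hop["ip"])               # name that belongs to the IP
        confirmed = hop["ip"] in forward(ptr)  # cross check: name back to IP
    except OSError:                            # no DNS record found
        ptr, confirmed = None, False
    return {**hop, "ptr": ptr, "name_matches": ptr == hop["claimed"], "confirmed": confirmed}

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

The `reverse` and `forward` parameters accept any lookup function, so the check can be run against recorded DNS answers instead of live queries.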

     

Not every phishing email is cleverly crafted to work with fake sender addresses or mail server names. But if you have any doubts about the authenticity of an e-mail, you can use these checks to dispel them or to have them confirmed.

We have summarized the characteristics by which you can recognize phishing emails in a separate article. Current phishing warnings can also be found here.

Read mail headers on your smartphone?

Important: With most smartphones it is not possible to view the mail header. If in doubt, open your mail program on a desktop PC.

This content was created by the joint editorial team in cooperation with the consumer centers Rhineland-Palatinate and North Rhine-Westphalia for the network of consumer centers in Germany.