What are email headers?
Email headers are metadata attached to every email that record its full journey from sender to recipient. They contain information about each mail server the message passed through, timestamps, authentication results (SPF, DKIM, DMARC), and message identifiers. Unlike the email body, headers are not normally visible in email clients but can be accessed through 'Show original' or equivalent options.
How do I get the full email headers?
In Gmail, open the email, click the three-dot menu (⋮), and choose 'Show original', then copy the full text. In Outlook, open the email, go to File → Properties, and copy the Internet headers field. In Apple Mail, go to View → Message → All Headers. For Microsoft 365 administrators, headers are available in the Defender portal under Email & collaboration → Explorer. Google Workspace administrators can access headers via the Security Investigation Tool.
What does DMARC alignment mean, and why does it matter?
DMARC alignment means that the domain in the From header must match the domain used by SPF (the Return-Path / envelope-from) or DKIM (the d= signing domain). It is not enough for SPF or DKIM to pass on their own — they must pass for the same domain shown to the recipient. This prevents attackers from using a legitimate sending service to pass SPF while spoofing a different From address.
Why does DMARC fail even when SPF passes?
SPF can pass for a third-party sending service's domain while still failing DMARC alignment for your domain. For example, if you send through a marketing platform that uses its own Return-Path domain, SPF passes for that platform but is not aligned with your From domain. In this case, DMARC requires a passing and aligned DKIM signature instead. Adding your domain's DKIM key to the sending service is the correct fix.
What is the Authentication-Results header?
The Authentication-Results header is added by the receiving mail server and summarises the outcome of SPF, DKIM, and DMARC checks on the incoming message. It shows whether each check passed or failed, along with the domain and selector evaluated. This header is the most reliable indicator of whether an email is properly authenticated, as it reflects what the receiving server actually verified.
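The alignment rule and the "SPF passes but DMARC fails" case described above can be checked directly from the Authentication-Results and From headers. The following is an added example, not code from this page; the message and all domains in it are constructed, and `org_domain` is a simplified stand-in for the Public Suffix List lookup a real DMARC evaluator performs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but only for the sending platform's domain.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.mailer.example;
 dkim=pass header.d=mailer.example header.s=s1;
 dmarc=fail header.from=shop.example
From: Shop <news@shop.example>
Return-Path: <b-123@bounces.mailer.example>
Subject: Weekly offers

body
"""

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Real DMARC evaluators use the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    return bool(a and b) and org_domain(a) == org_domain(b)

def dmarc_alignment(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Reads the topmost Authentication-Results header and unfolds it to one line.
    ar = " ".join(str(msg.get("Authentication-Results", "")).split())
    out = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False}
    for clause in ar.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # a failed or absent check can never satisfy DMARC
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", clause)
        if d and aligned(d.group(1).rpartition("@")[2], from_domain):
            out[m.group(1) + "_aligned"] = True
    out["dmarc_pass"] = out["spf_aligned"] or out["dkim_aligned"]
    return out

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))
```

Only an Authentication-Results header added by your own receiving server should be fed to a check like this, since a sender can insert a header of the same name before the message reaches you.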
How do I find where a suspicious email really came from?
Read the Received headers from bottom to top — the lowest Received header shows the originating connection. The IP address in parentheses is the actual sending server, which you can cross-reference against the SPF result and PTR (reverse DNS) record. A mismatch between the visible From address and the authenticated sending domain, or a failure of both SPF and DKIM, is a strong indicator of spoofing or phishing.