phishpond.io ~ /blog/identity-security/how-to-read-email-headers


How to Read SPF, DKIM, and DMARC Email Headers (2026 Guide)

· by Spicy Stromboli · technical, identity-security, phishing, cybersecurity, email-headers, spoofing


We have all received them. The urgent notifications from Netflix warning about a suspended account, or a security alert from your banking app. The sender’s name says Apple or Citibank, and everything looks genuine. But is it?

Behind the glossy logos and perfect fonts lies the real story: the raw email headers. If you know how to read these hidden lines of text, you can spot a spoofed sender in seconds. The same headers are also where triage starts for the lure messages behind adversary-in-the-middle (AiTM) phishing, where the link leads to a proxy that sits between you and the real login page. Keep in mind what headers can and cannot tell you: they show who actually sent the message, not whether the link inside it is safe.

The Quick Answer: How to View Raw Headers

Every major email provider allows you to view the raw code of an email. This is where the routing info, server handshakes, and security results live.

  • Gmail: Open the email, click the three dots on the top right next to the reply button, and select Show original.
  • Outlook (Web): Open the email, click the three dots on the top right of the message pane, go to View, and select View message source.
  • Apple Mail: Double-click the message to open it, select View in the menu bar, hover over Message, and choose Raw Source.

Once you open this window, you will see a massive wall of text. Do not let this intimidate you. You only need to look for three specific acronyms: SPF, DKIM, and DMARC.


The Three Pillars of Email Trust

Email was originally designed in the 1980s without any sender authentication. Anyone could write “president@whitehouse.gov” in the sender field, and the network would deliver it without asking questions. To fix this, engineers added three layers of verification, each one published by the domain owner as a DNS record.

1. SPF (Sender Policy Framework)

Think of SPF as a guest list for a party. A domain owner publishes a list of authorized servers allowed to send mail on behalf of their domain.

When a server receives an email whose envelope sender (the SMTP MAIL FROM address, shown as Return-Path in the raw source) is at paypal.com, it looks up the SPF record in paypal.com’s DNS (a TXT record beginning with v=spf1) to see whether the connecting IP address is on that guest list. Note that SPF checks the envelope sender, which does not have to match the From: address you see in your inbox; closing that gap is DMARC’s job, covered below. Before you proceed to check if a link is a scam, checking the SPF validation is your first barrier.

  • SPF Pass: The sending server is on the guest list.
  • SPF Fail: The sending server is not authorized by the domain. That usually means an imposter, but plain forwarding (a mailing list, or a rule that forwards your mail to another mailbox) also breaks SPF, because the forwarder’s IP is not on the list.
  • SPF Softfail, Neutral, or None: The domain ends its record with ~all or ?all, or publishes no record at all. These are weaker signals than a hard pass or fail, and receivers rarely block on them alone.
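The guest-list check above, as an added example that is not part of the original post: a small SPF evaluator that walks a v=spf1 record the way a receiving server does (ip4/ip6 mechanisms, include:, redirect=, and the qualifier on the final all), and that is fed from a constructed DNS table because it runs offline. The domain names and records in DNS_TXT are made up for illustration; real evaluation would query TXT records for each name, and the a, mx, exists and ptr mechanisms are deliberately left out.

```python
import ipaddress

# Constructed DNS zone data standing in for live lookups (assumption: offline).
# A real evaluator would query the TXT record for each of these names.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example.com": "v=spf1 redirect=example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, dns: dict = DNS_TXT, depth: int = 0) -> str:
    """Evaluate the SPF record published for `domain` against the connecting
    `ip`. Returns pass, fail, softfail, neutral, none or permerror: the same
    result words that appear after spf= in an Authentication-Results header."""
    if depth > 10:  # RFC 7208 caps DNS-dependent terms; an include: loop also ends here
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record: the domain says nothing about its senders
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        verdict = QUALIFIERS[qualifier]
        if term == "all":
            return verdict  # the catch-all decides everything not matched above
        if term.startswith(("ip4:", "ip6:")):
            # `in` is False when the address and network are different IP versions
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return verdict
        elif term.startswith("include:"):
            # include: matches only when the referenced record itself says pass
            if check_spf(term[len("include:"):], ip, dns, depth + 1) == "pass":
                return verdict
        elif term.startswith("redirect="):
            # redirect= hands the whole evaluation to another domain's record
            return check_spf(term[len("redirect="):], ip, dns, depth + 1)
        else:
            # a, mx, exists and ptr need live DNS; not modelled in this example
            return "permerror"
    return "neutral"  # nothing matched and no catch-all was published


def check_envelope_sender(return_path: str, ip: str, dns: dict = DNS_TXT) -> str:
    """SPF is evaluated on the envelope sender (MAIL FROM / Return-Path),
    never on the From: header the user sees in the mail client."""
    domain = return_path.strip("<>").rsplit("@", 1)[-1]
    return check_spf(domain, ip, dns)


if __name__ == "__main__":
    for rp, ip in [("<bounce@example.com>", "192.0.2.25"),           # listed directly
                   ("<bounce@example.com>", "198.51.100.10"),        # via include:
                   ("<bounce@example.com>", "203.0.113.7"),          # a forwarder, or an imposter
                   ("<noreply@legacy.example.com>", "2001:db8::1")]:  # redirect= then ip6
        print(rp, ip, "->", check_envelope_sender(rp, ip))
```

The third case is worth dwelling on: the evaluator cannot tell a forwarding server from an attacker, which is why a lone spf=fail is a prompt to look at DKIM and alignment rather than a verdict on its own.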

2. DKIM (DomainKeys Identified Mail)

DKIM is like a wax seal on a physical letter. It uses cryptography to add a digital signature to every email sent from a domain.

The sending server signs selected headers (listed in the h= tag) plus a hash of the body (the bh= tag) with a private key. The receiving server fetches the matching public key from DNS at <selector>._domainkey.<domain>, where the selector is the s= tag and the domain is the d= tag of the DKIM-Signature header, and checks the signature. This proves that those parts of the email were not modified after the d= domain signed them.

  • DKIM Pass: The signature is valid, meaning the signed headers and body arrived untouched from the domain in d=. It does not by itself say that d= is the domain you expected.
  • DKIM Fail: The signature does not verify, typically because the body or a signed header was altered in transit. A message with no signature at all is reported as dkim=none rather than dkim=fail.
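To show what the wax seal actually covers, here is an added example (not code from the original post) that recomputes the DKIM body hash with the simple and relaxed canonicalizations from RFC 6376 and compares it with the bh= tag of a DKIM-Signature header. The sample message, its domain, selector and tag values are all constructed for this illustration, and b= is a placeholder: verifying the header signature needs the domain’s RSA public key from DNS, which this offline example does not fetch.

```python
import base64
import hashlib
import re


def canonicalize_body(body: str, mode: str) -> bytes:
    """Body canonicalization from RFC 6376. 'simple' only trims trailing empty
    lines; 'relaxed' also strips trailing whitespace on each line and collapses
    runs of spaces and tabs, so harmless reflowing by a relay keeps the hash valid.
    Lines are assumed to be CRLF-terminated, as on the wire."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The value that belongs in the bh= tag: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_dkim_tags(value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def verify_body_hash(raw_message: str) -> bool:
    """Recompute the body hash and compare it with bh= from DKIM-Signature."""
    headers, _, body = raw_message.partition("\r\n\r\n")
    headers = re.sub(r"\r\n[ \t]+", " ", headers)  # unfold continuation lines
    sig = next((h for h in headers.split("\r\n")
                if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return False  # a receiver would report dkim=none here
    tags = parse_dkim_tags(sig.split(":", 1)[1])
    canon = tags.get("c", "simple/simple")        # c=header/body; body defaults to simple
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


# Constructed sample body (not real mail).
BODY = "Hello Alice,\r\n\r\nYour invoice total is $10.\r\nThanks.\r\n"


def make_sample(body: str = BODY, body_mode: str = "relaxed") -> str:
    """Build a constructed message whose DKIM-Signature carries the right bh=.
    d=, s= and b= are placeholders; no real key or signing is involved."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/%s; d=example.com; s=sel2026;\r\n"
           " h=from:to:subject:date; bh=%s;\r\n"
           " b=PLACEHOLDER" % (body_mode, body_hash(body, body_mode)))
    headers = "\r\n".join([
        "From: Billing <billing@example.com>",
        "To: alice@example.net",
        "Subject: Invoice",
        "Date: Mon, 05 Jan 2026 09:00:00 +0000",
        sig,
    ])
    return headers + "\r\n\r\n" + body


if __name__ == "__main__":
    original = make_sample()
    reflowed = original.replace("Hello Alice,", "Hello   Alice,  \t")  # whitespace only
    tampered = original.replace("$10.", "$100.")                        # content changed
    print("original:", verify_body_hash(original))   # True
    print("reflowed:", verify_body_hash(reflowed))   # True under relaxed canonicalization
    print("tampered:", verify_body_hash(tampered))   # False: the seal is broken
```

The reflowed case is the reason relaxed canonicalization exists: a relay that re-wraps whitespace would otherwise break every signature passing through it. Changing a single character of content, on the other hand, changes the hash and turns dkim=pass into dkim=fail.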

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Even if SPF and DKIM are set up, scammers can still trick you. They might send an email from a random server (where they set up their own SPF and DKIM records) but change the visual “From:” header that you see in your inbox to match a trusted brand. Attackers exploit human psychology by triggering fear or urgency to rush you past verification, as discussed in our article on why urgency is dangerous.

DMARC solves this by enforcing Alignment. It requires that the domain in the visual “From:” address matches the domain verified by SPF (the envelope sender) and/or the domain verified by DKIM (the d= signature domain). By default alignment is relaxed, so a subdomain of the same organizational domain counts (mail.github.com aligns with github.com); a domain owner can demand an exact match with the adkim=s and aspf=s tags in its DMARC record.

  • DMARC Pass: At least one of SPF or DKIM passes and its domain aligns with the From: domain.
  • DMARC Fail: Neither check both passes and aligns. The receiving server then applies the domain owner’s published policy (None, Quarantine, or Reject), which it reads from the TXT record at _dmarc.<domain>.

Analyzing a Raw Header Snippet

Let us look at what a clean, authentic header verification block looks like. When you open the raw source of an email, search for the Authentication-Results line. A message may carry several of these, one added by each server that handled it; trust the topmost one, stamped by your own provider (the name right after the colon, such as mx.google.com), because any copy lower down could have been inserted by the sender before the message ever reached your provider.

Authentication-Results: mx.google.com;
       dkim=pass header.i=@github.com header.s=pf2025;
       spf=pass (google.com: domain of support@github.com designates 192.30.252.205 as permitted sender) smtp.mailfrom=support@github.com;
       dmarc=pass (p=reject sp=reject dis=none) header.from=github.com

Here is a breakdown of what this block tells us:

  1. dkim=pass: The digital signature from GitHub is valid and intact, and header.i=@github.com names the signing domain, which aligns with header.from.
  2. spf=pass: The server at IP 192.30.252.205 is listed in the SPF record of the envelope sender domain github.com (the domain of support@github.com named in the comment), which also aligns with header.from.
  3. dmarc=pass: The email aligned, and GitHub’s policy is p=reject, which tells email providers to reject any message that uses github.com in From: but fails DMARC.

The Warning Sign: Alignment Spoofing

If you see an email claiming to be from your bank, but the raw source looks like this, you are looking at a scam:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@scam-mailer.net;
       spf=pass (google.com: domain of admin@scam-mailer.net designates 203.0.113.1 as permitted sender);
       dmarc=fail header.from=chase.com

Notice what is happening here:

  • SPF passed because the sending IP is listed in the SPF record of scam-mailer.net, the envelope sender domain that the attacker controls.
  • DKIM passed because the signature was made with scam-mailer.net’s own key and verifies against its DNS.
  • However, the visual From header claims chase.com, which aligns with neither of those domains. DMARC fails, exposing the phishing attempt; the receiving server then applies whatever policy the real chase.com has published.

  Authentication parameter   What it checks        Telltale sign of a scam
  SPF                        Sending IP address    spf=fail, or an envelope domain unrelated to the From: domain
  DKIM                       Cryptographic seal    dkim=fail, or no signature at all (dkim=none) from a domain that normally signs
  DMARC                      Domain alignment      dmarc=fail for a high-stakes domain, or dmarc=pass for a domain that merely resembles the brand

Steps to Verify a Suspicious Email

If you get an email that triggers your instincts, follow this verification flow:

  1. Extract the raw source using the steps mentioned above.
  2. Locate the authentication block by searching for the term Authentication-Results:. Use the topmost one, stamped by your own provider.
  3. Check From address alignment. The domain next to header.from= must match (or be a subdomain of) the domain next to header.i= or header.d= for DKIM, or the envelope sender domain shown in the spf= section (as smtp.mailfrom=, or in the “domain of …” comment). One aligned pass is enough for DMARC; two is better.
  4. Use automated verification tools. If the wall of text is too confusing, copy the headers into an inspector tool like PhishPond.io, which parses the authentication results into plain English.
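The alignment rule from the DMARC section, the two Authentication-Results blocks above, and the four verification steps come together in this added example (not code from the original post or from PhishPond.io). It parses an Authentication-Results header, recomputes DMARC alignment from the SPF and DKIM results rather than trusting the dmarc= word on its own, and adds the check the FAQ below asks for: whether the authenticated From: domain is actually the brand you expected or merely a lookalike. The three inputs are constructed in the format Gmail writes; the organizational-domain helper is a simplification that takes the last two labels because no Public Suffix List is available offline.

```python
import re

# Constructed inputs in the format Gmail writes (not copied from real mail).
# GENUINE and SPOOFED mirror the two snippets discussed above; LOOKALIKE is the FAQ case.
GENUINE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@github.com header.s=pf2025;
       spf=pass (google.com: domain of support@github.com designates 192.30.252.205 as permitted sender) smtp.mailfrom=support@github.com;
       dmarc=pass (p=reject sp=reject dis=none) header.from=github.com"""

SPOOFED = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@scam-mailer.net;
       spf=pass (google.com: domain of admin@scam-mailer.net designates 203.0.113.1 as permitted sender);
       dmarc=fail (p=reject sp=reject dis=reject) header.from=chase.com"""

LOOKALIKE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@sec-chase.com header.s=k1;
       spf=pass (google.com: domain of alerts@sec-chase.com designates 203.0.113.9 as permitted sender) smtp.mailfrom=alerts@sec-chase.com;
       dmarc=pass (p=none sp=none dis=none) header.from=sec-chase.com"""


def parse_auth_results(header: str) -> dict:
    """Split an Authentication-Results header into {method: {result, props, comment}}.
    Folded lines are joined first; the authserv-id before the first ';' is dropped."""
    text = re.sub(r"\s+", " ", header.split(":", 1)[1]).strip()
    _, _, rest = text.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        comment = re.search(r"\((.*?)\)", clause)
        results[method] = {
            "result": result,
            "props": dict(re.findall(r"(\w+\.\w+)=(\S+)", clause)),  # header.i, smtp.mailfrom, ...
            "comment": comment.group(1) if comment else "",
        }
    return results


def domain_of(value: str) -> str:
    """Domain part of '@github.com', 'support@github.com' or 'github.com'."""
    return value.strip("<>").rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Assumption: the last two
    labels; a real evaluator consults the Public Suffix List so that, say,
    example.co.uk is treated as one organization."""
    return ".".join(domain.split(".")[-2:])


def evaluate_dmarc(ar: dict, strict: bool = False) -> dict:
    """Recompute DMARC: at least one of SPF or DKIM must pass AND align with From:."""
    from_domain = domain_of(ar.get("dmarc", {}).get("props", {}).get("header.from", ""))
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dkim_domain = domain_of(dkim.get("props", {}).get("header.i")
                            or dkim.get("props", {}).get("header.d", ""))
    spf_domain = domain_of(spf.get("props", {}).get("smtp.mailfrom", ""))
    if not spf_domain:  # format without smtp.mailfrom=: fall back to the comment
        m = re.search(r"domain of (\S+) designates", spf.get("comment", ""))
        spf_domain = domain_of(m.group(1)) if m else ""

    def aligned(d: str) -> bool:
        if not d or not from_domain:
            return False
        return d == from_domain if strict else org_domain(d) == org_domain(from_domain)

    dkim_ok = dkim.get("result") == "pass" and aligned(dkim_domain)
    spf_ok = spf.get("result") == "pass" and aligned(spf_domain)
    policy = re.search(r"\bp=(\w+)", ar.get("dmarc", {}).get("comment", ""))
    return {"header_from": from_domain, "dkim_domain": dkim_domain, "spf_domain": spf_domain,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
            "policy": policy.group(1) if policy else "none"}


def triage(header: str, expected_domain: str, strict: bool = False) -> str:
    """Verdict for a message that claims to come from the brand at `expected_domain`."""
    r = evaluate_dmarc(parse_auth_results(header), strict)
    if r["dmarc"] != "pass":
        return "spoof"       # From: domain is not backed by aligned SPF or DKIM
    if org_domain(r["header_from"]) != org_domain(expected_domain):
        return "lookalike"   # authenticated, but for a domain that only resembles the brand
    return "pass"


if __name__ == "__main__":
    for name, header, brand in [("genuine", GENUINE, "github.com"),
                                ("spoofed", SPOOFED, "chase.com"),
                                ("lookalike", LOOKALIKE, "chase.com")]:
        print(name, evaluate_dmarc(parse_auth_results(header)), "->", triage(header, brand))
```

The lookalike verdict is the one no header field gives you: every method reports pass, and only comparing header.from against the domain you expected reveals that sec-chase.com is not chase.com.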

Staying safe online does not require you to be a computer scientist. By taking a few extra seconds to inspect the digital stamp on your incoming mail, you can catch most messages that forge a trusted domain. Remember that authentication proves who sent a message, not that the sender is honest: a lookalike domain passes every check, which is why the From: domain itself still deserves a hard look.


FAQ: Frequently Asked Questions

Can an email pass SPF and DKIM and still be a phishing email?

Yes. If an attacker registers a lookalike domain (like sec-chase.com), sets up valid SPF and DKIM for that domain, and sends the email from it, both checks will pass. DMARC will also pass, because the envelope and signing domains align with the visual From header (sec-chase.com). Authentication proves the message came from sec-chase.com; it cannot tell you that sec-chase.com is not Chase. In this scenario, check how recently the domain was registered and its reputation using PhishPond.io.

What is the difference between envelope sender and visual header From?

The envelope sender (the SMTP MAIL FROM address, shown as Return-Path in the raw source) is the address mail servers use to route bounce messages, and it is the address SPF evaluates. The visual From header is what is displayed to the user inside their mail client. Attackers commonly spoof the visual From header while using a completely different envelope sender, which is exactly the mismatch DMARC alignment is designed to catch.

Does a DMARC policy of “p=none” block spoofing?

No. A DMARC policy of p=none is a monitoring-only policy. It tells receiving servers to send aggregate reports to the domain owner but not to block or quarantine unauthorized emails. Only p=quarantine or p=reject policies actively protect a domain from spoofing, and even then only at receivers that check DMARC; a pct= tag below 100 applies the policy to just a sample of failing mail.


References & External Resources

To read more about the security RFCs and guidelines governing email authentication, check out these high-authority standards:


