How to Trace an Email Back to Its Original ISP

By Jacob Andrew


A return email address doesn’t always tell you the full story of that email’s source. However, every email sent includes full information about the path it took from the sender’s ISP to your inbox. This information is stored in the email header, which is viewable in most online mailboxes and email client software.

Opening Email Headers

Virtually all mail clients give you the ability to read email headers. In Gmail, for example, open the message, click the down arrow next to the Reply button, and then click “Show Original” in the menu that appears to display the message with a full header. In Thunderbird, click “Other Actions” next to the email message, and then click the “View Source” option to see the full message with the header. In Microsoft Outlook, click the "File" menu, and then select “Properties” to bring up a dialog box which includes an Internet Headers section.

Reading Headers

Headers appear to have a lot of garbled information; what you’re looking for is next to a field marked “Received:”. You can read this directly, keeping in mind that the header is constructed backwards: the last “Received:” action of the message, which was that message’s delivery to your mailbox, appears first, so you need to scroll to the bottom of the header to find its origins. In some programs, such as Outlook, the information is already organized and placed into well-described fields. Alternatively, you can paste the email header into a header parsing tool, such as the one offered by Google Toolbox (see Resources). Parsers often reverse backwards-constructed headers, placing the first action on the email at the top.

Identifying the ISP

Finding the originating ISP comes down to identifying the first server that received the message. In an unparsed message, this is among the last items preceded by a “Received:” label. It’s not always the very first server, because some organizations have servers that act as intermediaries in the delivery process. To analyze the entry, read the text that follows the “Received:” label. For example, the field may include the following:

from ([]) with mapi id 15.00.0775.005; Fri, 27 Sep 2013 19:17:03 +0000.

The information before the parentheses is the name and IP address of a mail server, which typically belongs to the originating ISP.
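The bottom-up reading described above can be automated. The following Python sketch is an added example, not part of the original article: it walks the “Received:” fields oldest-first and returns the first hop whose address is not internal, which is the one to look up. The sample message, host names, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: documentation host names and addresses, not real mail.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mailbox.recipient.example with ESMTP id abc123;
\tFri, 27 Sep 2013 19:17:09 +0000
Received: from smtp-out.isp.example (smtp-out.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP id def456;
\tFri, 27 Sep 2013 19:17:06 +0000
Received: from EXCH01.corp.example ([10.1.2.3]) by EXCH01.corp.example
\t([10.1.2.3]) with mapi id 15.00.0775.005; Fri, 27 Sep 2013 19:17:03 +0000
From: sender@corp.example
Subject: constructed test message

body
"""

# Ranges that never identify an ISP: private, loopback and link-local space.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_hops(raw):
    """Return the Received: hops oldest-first as (name, address-or-None)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())            # unfold continuation lines
        from_part = text.split(" by ", 1)[0]      # ignore the receiving side
        name = re.match(r"from\s+(\S+)", from_part)
        ip = IP_RE.search(from_part)
        try:
            addr = ipaddress.ip_address(ip.group(1)) if ip else None
        except ValueError:                        # bracketed text, not an IP
            addr = None
        hops.append((name.group(1) if name else None, addr))
    return hops

def first_external_hop(raw):
    """Oldest hop with a non-internal address: the one to look up in WHOIS."""
    for name, addr in received_hops(raw):
        if addr is not None and not any(addr in net for net in INTERNAL):
            return name, str(addr)
    return None
```

Only the “Received:” lines written by your own provider's servers are reliable; anything below them was supplied by the sending side and can be forged.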

Looking Up the IP

Of course, DNS names and IP addresses don’t always provide a clear picture of the ISP. To resolve this, perform a WHOIS lookup of the IP address you’ve found. A WHOIS lookup queries a large database of public IP addresses and their owners, so enter the IP address into the WHOIS lookup (see Resources) to get information on the owner. This should tell you the sender’s exact ISP. Be warned, however, that some spam messages use forged or “spoofed” mail headers to hide their actual origin.