📧 Email Header Analysis Practical Exercise

This practical exercise will help you understand how to analyze suspicious email headers and detect red flags that indicate phishing or malicious intent.

Objectives

  • Understand the structure of an email header
  • Identify key fields that reveal sender information
  • Trace the email's path using the "Received" headers (read bottom-up: the lowest hop is the oldest, and only the hop stamped by your own mail server is trustworthy)
  • Spot spoofing or anomalies in the authentication results (SPF, DKIM, DMARC), including a passing SPF or DKIM whose domain does not match the From: domain

Tools Required

  • Any email client or webmail service with a "View Raw Header" / "View Source" option (e.g., the Thunderbird email client)
  • Online header analyzers (e.g., Google Admin Toolbox Messageheader, MXToolbox Email Header Analyzer)
  • Command-line tools for looking up the domains and IPs found in the header: whois, dig, nslookup

🛠 Lab Setup

  • Download the sample .eml files (eml_files.7z) from the link in this repository.

  • Extract the archive to your working directory.

  • You will analyze five .eml files and identify why each email header is suspicious.

  • After completing the analysis.

🔍 Step 1: Open in Thunderbird

  • Right-click the .eml file and select Open with → Thunderbird.

(Screenshot: Thunderbird email view)

  • Review the displayed email for obvious anomalies (suspicious sender, spelling errors, spoofed domains, etc.).

(Screenshot: anomalies visible in the Thunderbird email view)

🔎 Step 2: View Full Headers in Thunderbird

  • In Thunderbird, go to:
    Menu → View → Headers → All

  • Scroll through the email header to inspect all details.

(Screenshots: the Thunderbird "Headers → All" option, and the full header scrolled in the message pane)

💻 Step 3: Analyze in a Text Editor (Optional)

  • Open the .eml file in Sublime Text or any preferred text editor.
  • Select the Email Header syntax (syntax selector in the bottom-right status bar) so the header fields are highlighted and easier to read. Reading the raw file is the most reliable view: nothing is hidden or reordered by the client.

(Screenshot: the header opened in Sublime Text with Email Header syntax)

🌐 Step 4: Use Online Email Header Tools (Optional)

  • Copy and paste the raw header into an online header analysis tool.
  • These tools break down each field (Received, DKIM, SPF, etc.) to highlight suspicious entries.

(Screenshot: an online header analysis tool's breakdown of the header)

Step 5: Check Authentication Results

The receiving mail server records the outcome of its checks in the Authentication-Results header. Look at:

  • SPF: pass, fail, softfail, neutral or none. SPF is evaluated against the envelope sender (Return-Path, shown as smtp.mailfrom=), not the From: header the user sees, so a phisher can pass SPF with their own domain.
  • DKIM: pass or fail, plus the signing domain (header.d=). A valid signature only proves that the header.d= domain signed the message; it does not prove that domain matches From:.
  • DMARC: pass or fail. DMARC passes only when SPF or DKIM passes and that passing domain aligns with the From: domain. This alignment check is what catches a spoofed From: that is delivered from an unrelated, well-configured sending service.

Caveat: trust only the Authentication-Results header whose authserv-id (the first token, before the semicolon) is your own receiving server. A sender can insert a forged Authentication-Results header further up the chain, and a forwarded or re-saved .eml may carry results from a server you cannot vouch for.

Tip: Always correlate multiple indicators in the email header (From: vs Return-Path domain, SPF/DKIM domains, DMARC alignment, the Received hops and their IPs) instead of relying on one field alone.
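The following script, added here as a worked example rather than a tool from this lab, automates the checks in Steps 2 and 5: it parses a .eml file with Python's standard email library, lists the Received hops in transit order, reads the Authentication-Results stamped by one trusted receiving server, and computes DMARC-style alignment between the SPF and DKIM domains and the From: domain. The embedded message is constructed for the example (the domains, IPs and hostnames are placeholders, not from the lab archive); it models a bulk-mail service sending with its own envelope domain and DKIM key while spoofing a bank in From:.

```python
"""Header triage for an .eml file: Received chain, sender fields and
SPF/DKIM/DMARC alignment. Standard library only."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not one of the lab's files). SPF and DKIM both "pass"
# for mailer-sender.example, but neither aligns with the From: domain.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer-sender.example>
Received: from out3.mailer-sender.example (out3.mailer-sender.example [198.51.100.7])
\tby mx1.recipient.example with ESMTPS id 4Xk2; Tue, 1 Jul 2025 10:02:04 +0000
Received: from [10.0.0.5] (unknown [192.0.2.44])
\tby out3.mailer-sender.example with ESMTPA id 9Qz1; Tue, 1 Jul 2025 10:01:59 +0000
Authentication-Results: mx1.recipient.example;
\tspf=pass smtp.mailfrom=mailer-sender.example;
\tdkim=pass header.d=mailer-sender.example;
\tdmarc=fail header.from=bank.example
DKIM-Signature: v=1; a=rsa-sha256; d=mailer-sender.example; s=sel1;
\th=from:to:subject:date; bh=dGVzdA==; b=c2ln
From: "Bank Security" <alerts@bank.example>
To: victim@recipient.example
Subject: Urgent: verify your account
Date: Tue, 1 Jul 2025 10:01:58 +0000

Please sign in at the link below to keep your account active.
"""


def load_eml(data: bytes):
    """Parse raw RFC 5322 bytes (e.g. the contents of a .eml file)."""
    return BytesParser(policy=policy.default).parsebytes(data)


def _unfold(value) -> str:
    """Collapse folded header whitespace into single spaces."""
    return re.sub(r"\s+", " ", str(value)).strip()


def domain_of(addr_header) -> str:
    """Lowercased domain of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(_unfold(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Hops in transit order (oldest first); headers are stored newest first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = re.match(r"from (\S+)(?: \(([^)]*)\))? by (\S+)", _unfold(raw))
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
    return hops


def auth_results(msg, trusted_authserv: str):
    """Parse only Authentication-Results stamped by our own MTA (authserv-id).
    Headers with any other authserv-id may have been forged by the sender."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        text = _unfold(raw)
        if text.split(";", 1)[0].strip().lower() != trusted_authserv.lower():
            continue
        for method, verdict, props in re.findall(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)", text):
            entry = {"result": verdict.lower()}
            for key, val in re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", props):
                entry[key] = val.lower()
            results.setdefault(method, entry)
    return results


def aligned(a: str, b: str) -> bool:
    """DMARC relaxed alignment, approximated: same domain or one a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def triage(msg, trusted_authserv: str):
    """Correlate From:, Return-Path, Received hops and auth results into findings."""
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    auth = auth_results(msg, trusted_authserv)
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_dom)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_dom)
    findings = []
    if rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From: domain {from_dom}")
    if not (spf_ok or dkim_ok):
        findings.append("neither SPF nor DKIM passes with a domain aligned to From:")
    if auth.get("dmarc", {}).get("result") not in (None, "pass"):
        findings.append(f"receiving MTA reports dmarc={auth['dmarc']['result']}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "computed_dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "hops": received_chain(msg), "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = triage(load_eml(SAMPLE_EML), trusted_authserv="mx1.recipient.example")
    for hop in report["hops"]:
        print(f"hop: {hop['from']} ({hop['from_info']}) -> {hop['by']}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

To run it against one of the lab files, replace SAMPLE_EML with `open("file.eml", "rb").read()` and set trusted_authserv to the hostname of the server that delivered the message to the mailbox. The last hop's originating IP (here 192.0.2.44, a documentation address) is the one to look up with whois and dig; everything above it was added by servers the sender did not control, everything below it could have been written by the sender.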

About

A practical email header analysis lab focused on detecting phishing indicators, tracing email paths, and analyzing authentication results (SPF, DKIM, DMARC) for threat detection.
