How to check out email headers

Did you receive a suspicious email 'from KVK'? Send it to You can also check the email yourself, by viewing the email header. Find out how to do that.

Where can I find the email header?

Open the email in Outlook and go to File -> Properties (or Bestand -> Eigenschappen) in the top left corner. 

Do you use a different email programme? Use Google Search to find out how to find the email headers in your software. 

How do you read the headers?

Go to MxToolbox:

Copy all the text under Internetheaders (in the properties of your email message), paste it into MxToolbox and click Analyze Header.

This will present the email headers in an easy-to-read overview.

How do you tell a real email from a fake one? 

If you do this exercise with a real email and a fake one, you will spot several differences. 


  • First of all, the Delivery Information. It looks much more neat and tidy in the real email than in the fake one. 

Note: In this case, the KVK does not meet the DKIM Authenticated standard, due to a hash. The DMARC Compliant and the SPF are more important, and they meet the standard. KVK also has DKIM Alignment, the fake mail does not.


  • Relay Information tells you where the email was sent from. The real email comes from a KVK mail server: The fake email was sent from

Notice that is blacklisted (the red x on the right). The KVK mail server is not.


  • The SPF is Flag number 3. The fake email fails on this count. 

What this means is: the domain is not on the KVK's SPF list. Nor is the IP address Therefore, these domains and IP addresses are not allowed to send emails using A good email programme will spot this at once and place the fake email in the spam folder.  


  • Flag 4 is the so-called ‘helo’. The helo tells an emailserver from which domain someone wants to send an email. See If you look at the fake email, under Authentication Results it says:

Authentication-Results s3; spf=neutral (sender IP is

This means: I am emailing with the email address, but I am from the mail server

The real email says: 

Received-SPF Pass ( domain of designates as permitted sender); client-ip=;;

In other words: I am emailing from the email address, and from the mail server Also, I am a permitted sender and authorised to mail from this email domain ( The fake email does not mention this. 

These pointers can help you find out if an email was really sent from the email address mentioned, or is likely to be a spoofing mail. 

In short: Check the headers in MxToolbox, and pay attention to the DMARC and SPF authentications. That usually tells you enough.