Email Investigation

How to Trace Who Sent a Phishing Email

A phishing email is built to look like it came from someone you trust, and the name in your inbox is the easiest part to fake. The truth about where it really came from is buried in the full headers: the path the message traveled, the originating server, whether the sender domain actually authorized it, and where the links and payment requests lead. This guide walks through exactly how to trace a phishing email like an investigator: reading the full headers and the originating IP, telling a spoofed sender from the real one with SPF, DKIM, and DMARC, looking up the sender domain, following the payload and money trail, the honest limits of what a header can show, and how to report it so it actually gets actioned.


The Short Version

Do not click anything, reply, or open attachments. Instead, open the full raw headers of the message (in Gmail, the three-dot menu has “Show original”), and read them like an investigator. The visible From: line is trivially forged, so ignore it and look at the Received: chain, which records each server the message passed through; read it from the bottom up to find the originating server and its IP. Then check the Authentication-Results line for SPF, DKIM, and DMARC. A real message from a brand passes and aligns all three; a spoofed one fails or shows “none.” Look up the sender and link domains with a WHOIS search to see who registered them and how recently. Capture everything before it disappears, then report the email to the FBI Internet Crime Complaint Center, the FTC, and the brand that was impersonated. Headers reveal the infrastructure, but not always a person, because big mail providers strip the sender’s home IP and attackers hide behind data centers. That is where our investigation team takes over, turning the identifiers you collect into a lawfully researched name and location.


Why the From: Line Tells You Nothing

The visible sender is the one piece of an email anyone can forge.

Email was designed in an era of trust, and that design never went away. The From: address you see in your inbox is not verified by the protocol that delivers mail; it is simply text the sender chose to type. An attacker can put billing@your-bank.example in that field as easily as you can write a return address on an envelope, and your mail client will display it without question. This is the single fact every phishing trace begins with: the name and address shown at the top of the message are a claim, not evidence. Treating them as proof is exactly what the scam depends on.

What cannot be casually faked is the trail the message leaves as it crosses the internet. Every mail server that handles a message stamps a Received: line into the header, recording where it came from and when. Stacked together, those lines form a chain from the originating server to your inbox. Layered on top are the authentication results, the SPF, DKIM, and DMARC verdicts that tell you whether the domain in the From: line actually authorized this message. None of that is visible in the normal reading view, which is why tracing a phishing email always starts with one move: opening the full, raw headers. From there, the same lawful, records-based discipline our team brings to any fraud investigation applies to a single suspicious message.

Step One: Open the Full Headers

Before you can trace anything, you need the raw source, not the pretty view.

Every major mail program can show you the complete header, even though it hides them by default. In Gmail, open the message, click the three-dot menu in the top right, and choose “Show original.” In Outlook on the desktop, open the message in its own window, go to File, then Properties, and read the “Internet headers” box; in Outlook on the web, use the message menu and select “View” then “View message source.” In Apple Mail, the View menu has Message, then Raw Source. Whatever the client, the goal is the same: a wall of text that begins with dozens of lines like Received:, Return-Path:, Authentication-Results:, DKIM-Signature:, and Message-ID:.

Copy that entire block to a plain-text file and save it before you do anything else. Phishing infrastructure is deliberately short-lived, so the domain, the linked website, and the sending account can all vanish within hours. A saved header is a frozen record that survives that disappearance, and it is the one artifact every later step, your own analysis, an abuse report, or a request to our investigators, will lean on. Do not forward the suspicious email to yourself or others before saving, because forwarding rewrites the headers and can strip the very lines you need.

Step Two: Read the Received Chain

This is the message’s travel log, and it reads from the bottom up.

The Received: lines are the heart of the trace. Each server that touches a message adds its own line at the top of the stack, so the chain reads in reverse: the bottom-most Received: line is the earliest hop, usually the originating mail server, and each line above it is the next relay on the way to you. Start at the bottom and work upward. You are hunting for the first publicly routable IP address in the chain, written in brackets next to a hostname, because that is the closest thing the header offers to where the message was actually injected.

Ignore private, internal addresses along the way. Anything in the ranges 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x is a machine inside someone’s network and tells you nothing about the public origin. Once you have that first public IP, you can run it through a lawful IP lookup to learn which hosting company or internet provider owns it and roughly where its data center sits. Also compare the timestamps as you climb the chain: large, inconsistent time gaps or hops that jump across the world can hint at relays and obfuscation. The Received chain rarely hands you a person, but it reliably hands you the infrastructure, and infrastructure is a starting thread our team can follow with the same approach we use when we research an email address back to a real identity.

Step Three: Spoofed Sender or Real One?

SPF, DKIM, and DMARC are the three checks that settle the question.

The most important question in any phishing trace is whether the message genuinely came from the domain it claims, or whether someone forged that name. Three authentication standards answer it, and their results sit in the Authentication-Results: header that the receiving mail server writes. You do not need to be an engineer to read the verdicts; you need to know what each one proves.

SPF: did an authorized server send it?

SPF, the Sender Policy Framework, is a published list of the servers a domain authorizes to send its mail. When SPF shows pass, the message left a server the domain owner approved. When it shows fail or softfail, the sending server was not on that list, which is a strong sign the envelope sender was forged or the mail was relayed from somewhere it should not have been.

DKIM: was the message tampered with?

DKIM, DomainKeys Identified Mail, attaches a cryptographic signature tied to a specific domain, recorded in the header as the d= value. A DKIM pass means the signature is valid and the signed parts of the message were not altered in transit, and it ties the message to whatever domain signed it. Watch the d= domain closely: scammers sometimes sign with a throwaway domain they actually control, so a DKIM pass on d=random-lookalike.example is not the same as a pass on the brand’s real domain.

DMARC: do the names actually line up?

DMARC is the protocol that ties it together. It requires that the domain in the visible From: line aligns with the domain that SPF or DKIM authenticated. This alignment is what defeats exact-domain spoofing, because a forger can pass SPF and DKIM on their own throwaway domain yet still fail DMARC when that domain does not match the brand in the From: field. The rule of thumb: a legitimate message from a real organization passes and aligns all three, while a phishing message typically shows a DMARC fail, an SPF fail, or a DKIM signature from a domain that has nothing to do with the brand being impersonated. If you see those mismatches, you are almost certainly looking at a spoofed sender, and the brand named in the From: line is a victim too, not the source.
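The two steps above, reading the Received: chain from the bottom and judging the Authentication-Results verdicts, can be automated against a saved header file. The following is an added example written for this guide, not code from the page's authors; the header block it parses is constructed (documentation IP ranges and .example domains), and the relaxed-alignment check that compares the last two labels of each domain is a simplification of DMARC's organizational-domain rule, which real tooling resolves with the Public Suffix List.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: the raw headers of a spoofed message. All hosts, IPs
# and domains are invented (documentation address ranges, .example names).
RAW_HEADERS = """\
Received: from mx.mailbox.example (mx.mailbox.example [203.0.113.10])
\tby inbox.mailbox.example with ESMTPS id abc123
\tfor <victim@mailbox.example>; Mon, 03 Feb 2025 09:14:02 +0000
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.25])
\tby mx.mailbox.example with ESMTP id def456; Mon, 03 Feb 2025 09:14:01 +0000
Received: from webmail-front (webmail-front [192.168.4.17])
\tby relay.bulk-sender.example with ESMTPA; Mon, 03 Feb 2025 09:13:58 +0000
Authentication-Results: mx.mailbox.example;
\tspf=pass smtp.mailfrom=bounce.random-lookalike.example;
\tdkim=pass header.d=random-lookalike.example;
\tdmarc=fail header.from=your-bank.example
Return-Path: <bounce@bounce.random-lookalike.example>
From: "Your Bank Billing" <billing@your-bank.example>
Subject: Action required

(body omitted)
"""

# The private ranges the guide says to skip, plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain_bottom_up(raw):
    """Received: lines oldest first, the order an investigator reads them."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def is_private(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_NETS)


def first_public_ip(raw):
    """Walk the chain from the bottom and return the first non-private IP."""
    for line in received_chain_bottom_up(raw):
        for candidate in BRACKET_IP.findall(line):
            if not is_private(candidate):
                return candidate
    return None


def auth_results(raw):
    """Pull the SPF/DKIM/DMARC verdicts and the domains they were evaluated on."""
    hdr = email.message_from_string(raw).get("Authentication-Results", "")
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", hdr)
        out[method] = m.group(1).lower() if m else "none"
    d = re.search(r"header\.d=([\w.-]+)", hdr)
    mf = re.search(r"smtp\.mailfrom=([\w.@-]+)", hdr)
    out["dkim_domain"] = d.group(1).lower() if d else None
    out["spf_domain"] = mf.group(1).split("@")[-1].lower() if mf else None
    return out


def org_domain(domain):
    """Organizational domain for relaxed alignment. Taking the last two labels
    is a simplification; production code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def from_domain(raw):
    """Domain of the visible From: address, the one the forger chose to show."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def assess(raw):
    """Spoofed or real: at least one passing check must align with From:."""
    res = auth_results(raw)
    fd = from_domain(raw)

    def aligned(dom):
        return bool(dom and fd) and org_domain(dom) == org_domain(fd)

    spf_ok = res["spf"] == "pass" and aligned(res["spf_domain"])
    dkim_ok = res["dkim"] == "pass" and aligned(res["dkim_domain"])
    return {
        "from_domain": fd,
        "origin_ip": first_public_ip(raw),
        "spf": res["spf"], "dkim": res["dkim"], "dmarc": res["dmarc"],
        "dkim_domain": res["dkim_domain"],
        "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
        "verdict": "authenticated" if (spf_ok or dkim_ok) else "spoofed",
    }


if __name__ == "__main__":
    for i, hop in enumerate(received_chain_bottom_up(RAW_HEADERS), 1):
        print(f"hop {i}: {' '.join(hop.split())}")
    for key, value in assess(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

Run against a header you saved to disk by replacing RAW_HEADERS with the file's contents. In the constructed sample the bottom hop is a private 192.168 address and gets skipped, the first public hop is the relay at 198.51.100.25, and although SPF and DKIM both pass, they pass for random-lookalike.example rather than your-bank.example, so nothing aligns with the From: domain and the verdict is "spoofed", exactly the pattern the DMARC section describes.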

Step Four: Look Up the Domains

The sender domain and any link domains carry their own paper trail.

Once you know which domains are really involved, the authenticating domain from DKIM, the host of any links in the body, and the domain in the Return-Path, examine each with a WHOIS lookup. WHOIS is the public registration record for a domain, and even when the registrant’s name is shielded by privacy, the record still shows the registrar, the creation date, the name servers, and an abuse contact. The single most telling field is the creation date: legitimate brands send from domains that are years old, while phishing campaigns lean on domains registered days or weeks before the attack. A domain born last Tuesday that is impersonating a decades-old bank is its own confession.

Look just as hard at the links themselves, without clicking. Hover to reveal the true destination, and read it carefully for lookalike tricks: a hyphenated or misspelled brand name, an extra word stuffed into a subdomain, or an unfamiliar top-level domain. Many phishing links also route through a redirector or a traffic-distribution service that bounces visitors toward whichever fake login page is live at that moment, which is part of why these sites are so hard to pin down. The hosting provider and registrar you uncover through WHOIS are exactly who should receive an abuse complaint, and the same domain-level research feeds naturally into the broader work of identifying a person behind a scam when there is real money or harm involved.
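The link inspection and WHOIS reading described in this step can also be scripted so that links are examined without ever being visited. This is an added example for this guide, not code from the page's authors: the HTML fragment and the WHOIS record it parses are constructed, the .example and .invalid domains are invented, the 30-day "freshly registered" threshold is a hypothetical choice, and the registered-domain helper takes the last two labels of a hostname, which is a simplification of what the Public Suffix List provides.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample body (HTML as a mail client would receive it) and a
# WHOIS record in the shape registrars print. Every domain here is invented.
SAMPLE_BODY = """\
<p>Please <a href="https://your-bank.example.login-verify.example/secure">sign in</a>,
visit <a href="http://yourbank-secure-login.example/">the portal</a>,
or try <a href="https://your-bank.invalid/">our new site</a>.
Help: <a href="https://www.your-bank.example/help">help center</a></p>
"""
SAMPLE_WHOIS = """\
Domain Name: LOGIN-VERIFY.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2025-01-30T11:42:00Z
Name Server: NS1.EXAMPLE-DNS.EXAMPLE
Registrar Abuse Contact Email: abuse@example-registrar.example
"""
BRAND_DOMAIN = "your-bank.example"                          # brand the mail claims to be
MESSAGE_DATE = datetime(2025, 2, 3, tzinfo=timezone.utc)    # taken from the Date: header
NEW_DOMAIN_DAYS = 30                                        # hypothetical threshold

SUBDOMAIN_STUFFING = "brand domain stuffed into a subdomain of another domain"
NAME_IN_OTHER_DOMAIN = "brand name inside a different registered domain"
ODD_TLD = "different top-level domain from the brand"


def extract_links(html):
    """Collect href targets from the body without visiting any of them."""
    return re.findall(r'href="([^"]+)"', html)


def registered_domain(host):
    """Last two labels of a hostname. Simplification: real tooling uses the
    Public Suffix List so that suffixes like co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_flags(url, brand_domain=BRAND_DOMAIN):
    """Lookalike tricks found in the link host; empty when the link really
    lands on the brand's own registered domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg == brand_domain:
        return []
    flags = []
    # The whole brand domain appears as a subdomain of something else.
    if ("." + brand_domain + ".") in ("." + host):
        flags.append(SUBDOMAIN_STUFFING)
    # The brand name, hyphens ignored, sits inside another registered domain.
    brand_label = brand_domain.split(".")[0].replace("-", "")
    if brand_label in reg.split(".")[0].replace("-", ""):
        flags.append(NAME_IN_OTHER_DOMAIN)
    # The top-level domain is not the one the brand uses.
    if reg.split(".")[-1] != brand_domain.split(".")[-1]:
        flags.append(ODD_TLD)
    return flags


def triage_links(html, brand_domain=BRAND_DOMAIN):
    """Map every link in the body to the tricks spotted in its hostname."""
    return {url: lookalike_flags(url, brand_domain) for url in extract_links(html)}


def whois_fields(record):
    """Pull the fields the guide says survive privacy shielding."""
    def field(label):
        m = re.search(rf"^{label}:\s*(.+?)\s*$", record, re.MULTILINE)
        return m.group(1) if m else None
    return {
        "registrar": field("Registrar"),
        "created": field("Creation Date"),
        "abuse": field("Registrar Abuse Contact Email"),
    }


def domain_age_days(record, as_of=MESSAGE_DATE):
    """Age of the domain on the day the message arrived, in whole days."""
    created = whois_fields(record)["created"]
    if created is None:
        return None
    return (as_of - datetime.fromisoformat(created.replace("Z", "+00:00"))).days


def is_freshly_registered(record, as_of=MESSAGE_DATE, limit=NEW_DOMAIN_DAYS):
    age = domain_age_days(record, as_of)
    return age is not None and age < limit


if __name__ == "__main__":
    for url, flags in triage_links(SAMPLE_BODY).items():
        print(url, "->", flags or "looks like the brand's own domain")
    print("domain age (days):", domain_age_days(SAMPLE_WHOIS))
    print("freshly registered:", is_freshly_registered(SAMPLE_WHOIS))
    print("abuse contact:", whois_fields(SAMPLE_WHOIS)["abuse"])
```

In the sample, the first link hides the brand in a subdomain of login-verify.example, the second squeezes the brand name into a different registered domain, the third changes the top-level domain, and only the fourth lands on the brand's own domain. The WHOIS record shows the link domain was three days old when the message arrived, and the abuse contact it exposes is the address the takedown complaint should go to.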

Step Five: The Payload and Payment Trail

Where the email tries to send you is often the strongest lead of all.

A phishing email is rarely the goal in itself; it is a delivery vehicle for something. Identifying what it was trying to make you do, and where that action led, frequently produces better leads than the headers alone. If the message pushed a fake login page, the destination domain and its host become the target of your report. If it asked you to call a number, that phone number is a researchable identifier in its own right, the same kind of thread our team follows when helping someone identify a scammer by a phone number. If it demanded a payment, by wire, by card, by gift card, or by cryptocurrency, then the account, address, or wallet on the receiving end is the money trail, and money trails point at the people who cash out.

Capture the payload safely. Record the full link text without clicking, note any phone numbers and payment details, and screenshot the message exactly as it arrived. If you already interacted, clicked through, entered credentials, or sent anything, write down precisely what you did and when, because that timeline matters for both your own account security and any later report. A payment that already went out turns this from a pure email trace into a financial-recovery matter, and the documentation you assemble here is the same evidence that powers a full effort to find someone who scammed you.

The Honest Limits of a Header Trace

What the headers can and cannot tell you about an actual person.

Webmail Strips the IP

Major providers like Gmail and Outlook hide the sender’s home IP and show only their own servers, so the origin you find is the provider, not the person.

An IP Is Not a Name

The originating IP geolocates to a data center or internet provider, not a doorstep. Linking it to a person requires lawful records, not a map pin.

VPNs and Botnets

Attackers route through proxies, VPNs, and compromised machines, so the IP in the header may belong to an unwitting victim, not the sender.

Bulletproof Hosting

Some hosts ignore abuse complaints and let domains rotate constantly, keeping the infrastructure online and the operators out of easy reach.

Privacy-Shielded WHOIS

Registration privacy hides the registrant behind a proxy service, so WHOIS alone usually names the registrar, not the human who registered it.

Compromised Real Accounts

Some phishing comes from a genuine account that was hijacked, so the sender is real but is not the attacker, which authentication checks alone will not reveal.

None of this means a trace is pointless. It means the header is the beginning, not the end. The headers, the authentication verdicts, the domain records, and the payload give you a set of true identifiers; turning those identifiers into a named, located person is a separate discipline built on lawful public-records research rather than on technical artifacts. That is the lane our team works, and it is also why we never attempt to hack an account, breach a server, or unmask anyone through anything but lawful, permissible-purpose methods.

From Identifiers to a Real Person

Two trails run side by side. The header is one. The records are the other.

The technical trail. This is everything the message itself reveals: the Received chain and originating server, the SPF, DKIM, and DMARC results, the sender and link domains and their WHOIS records, the payload destination, and any payment details. This trail establishes that an email was spoofed, identifies the infrastructure behind it, and gives you a clean, documented packet to hand to the platforms and agencies that can take the sites down or open an investigation. It is precise and it is verifiable, but it stops at the edge of a person.

The human trail. This is where People Locator Skip Tracing works. Behind the infrastructure are people who leave footprints in public records: the individual who registered a domain before privacy was applied, the account holder behind a phone number left for a callback, the name on the receiving end of a wire or a payment app, the operator who reused a username or an email across other sites. Those identifiers can be researched lawfully to surface a real name, current address, and associations, which is the same records-based work behind our skip tracing services. A spoofed email rarely points straight at a culprit, but the trail of identifiers it leaves, paired with disciplined public-records research, often does. A named, located individual is what turns a frustrating inbox into something a prosecutor, an attorney, or a civil claim can actually use.

Where to Report a Phishing Email

File with each of these. Every one does something the others cannot.

Where: FBI IC3
What it does: The central federal intake for internet crime, including phishing and spoofing. Feeds investigations and case-linking.
How to reach: ic3.gov

Where: FTC
What it does: Logs the fraud for enforcement and provides a recovery plan if your identity or accounts were exposed.
How to reach: reportfraud.ftc.gov

Where: The spoofed brand
What it does: Lets the impersonated company take down the fake page and warn other customers. Most have a phishing or abuse inbox.
How to reach: Their official security or abuse address

Where: Hosting provider and registrar
What it does: Can suspend the fraudulent domain and the page it serves once they receive a documented abuse complaint.
How to reach: The abuse contact from WHOIS

Where: Your mail provider
What it does: Improves filtering and can act on the sending account if it sits on their platform. Use the “report phishing” control.
How to reach: In-client report button

Where: Your bank or card issuer
What it does: Essential if you entered credentials or sent money. They can watch for or reverse fraudulent activity.
How to reach: Fraud department, in writing

One caution that matters right now: attackers have built fake versions of government reporting sites, including lookalikes of the IC3 portal, to harvest the very information victims try to submit. Always type the official address yourself rather than clicking a link, and never enter your details on a reporting page you reached from an email. File quickly, attach the saved headers and screenshots, and keep every confirmation number, because a single well-documented report can be the piece that connects one campaign to many victims.

Trace It Step by Step

The whole sequence, in the order an investigator would run it.

Step 1: Preserve, Don’t Click

Do not click links, open attachments, or reply. Open and save the full raw headers and screenshot the message before anything disappears.

Step 2: Read the Received Chain

Work bottom to top through the Received: lines, skip private IPs, and note the first public IP and the originating server.

Step 3: Check Authentication

Read the SPF, DKIM, and DMARC results. Fails or misaligned domains mean the sender was almost certainly spoofed.

Step 4: Look Up the Domains

Run WHOIS on the sending and link domains, note the creation date and registrar, and inspect links for lookalike tricks.

After those four steps you will have a documented packet: the saved headers, the originating infrastructure, the authentication verdicts, the domain records, and the payload details. File your reports with that packet attached, then, if there is real harm, money, or a need to know who is actually behind it, hand the same identifiers to investigators who can lawfully carry the human trail the rest of the way.

Who Comes to Us With a Phishing Email

We turn the identifiers a header leaves behind into a real, located person.

Phishing targets: find who is behind the message.

Attorneys: locate an identified sender or facilitator.

Businesses: investigate a spoofed brand or vendor.

Fraud victims: trace a payment that already left.

Investigators: add public-records depth to a case.

Families: help a relative who was targeted.

Send us whatever you have, even if it feels thin: the saved headers, a sender or link domain, a phone number left for a callback, a payment account, or a username. We work strictly for lawful, permissible purposes; we never hack, breach, or unmask through anything but legitimate public-records research; and we tell you honestly what the records can and cannot show. We do not promise to identify everyone or to recover money, because no one truthfully can. For a legitimate matter, an initial locate typically comes back within 24 hours.

Our Commitment

We do not sell false hope or promise to unmask every anonymous sender. We do the lawful research most tool sites skip: turning the headers, domains, and identifiers behind a phishing email into a named, located person, so your reports and any civil action carry weight. Honest, permissible-purpose skip tracing since 2004.

People Locator Skip Tracing Investigation Team — investigators conducting skip tracing and public-records research since 2004, working lawful, investigative-grade sources for legitimate purposes only. Last reviewed 2026. This page is general information, not legal or technical advice.

Frequently Asked Questions

Can I really find out who sent a phishing email?

You can reliably trace the infrastructure: the originating server, whether the sender was spoofed, and the domains and payment details involved. Reaching an actual person is harder, because providers strip the sender’s IP and attackers hide behind data centers, VPNs, and privacy services. The path to a name runs through lawful public-records research on the identifiers the email leaves behind, not through the header alone.

How do I see the full headers of an email?

In Gmail, open the message, click the three-dot menu, and choose “Show original.” In desktop Outlook, open the message and go to File, then Properties, then Internet headers; in Outlook on the web, use View message source. In Apple Mail, use View, then Message, then Raw Source. Copy the whole block to a text file and save it before doing anything else.

Where is the real sender’s IP address in the headers?

Look at the Received: lines and read them from the bottom up. The bottom-most line is usually the originating server, and you want the first publicly routable IP in the chain, ignoring private ranges like 10.x, 172.16 to 172.31, and 192.168. Keep in mind that major webmail providers replace the sender’s true IP with their own server IPs, so the address you find is often the provider, not the person.

How can I tell if a phishing email was spoofed?

Check the Authentication-Results header for SPF, DKIM, and DMARC. A genuine message from a real brand passes and aligns all three. A spoofed one typically shows an SPF or DMARC fail, or a DKIM signature from a throwaway domain that does not match the brand in the From: line. Those mismatches mean the visible sender was forged and the named brand is a victim too.

What does a WHOIS lookup tell me about the sender?

WHOIS is the public registration record for a domain. Even when the registrant is hidden by privacy, it shows the registrar, the name servers, an abuse contact, and the creation date. The creation date is the most useful clue: a domain registered days before it impersonates an established company is a strong sign of phishing, and the abuse contact is exactly who should receive a takedown complaint.

Where should I report a phishing email?

Report it to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov, and notify the brand that was impersonated through its official abuse or security address. Also use your mail provider’s report-phishing button and file an abuse complaint with the hosting provider and registrar from WHOIS. Type official addresses yourself rather than clicking links, since fake reporting sites exist.

I clicked the link or entered my password. What now?

Treat it as urgent. Change the password on the affected account and anywhere you reused it, turn on two-factor authentication, and contact your bank or card issuer if you entered financial details. Write down exactly what you clicked or sent and when, then file your reports. That timeline and the saved evidence are also what an investigation team needs if money was lost and you want to pursue who received it.

What does People Locator Skip Tracing do on a case like this?

We work the human trail, not the mail server. Using lawful public-records research and skip tracing, we take the identifiers a phishing email leaves behind, a domain, a phone number, a payment account, a username, and work to surface a real name, current address, and associations. We never hack or breach anything, we do not take custody of funds, and we are honest about what the records can and cannot show.

Traced the Headers? Now Find the Person.

We turn the domains, numbers, and identifiers behind a phishing email into a lawfully researched name and location, so your reports and any civil case carry weight, typically with an initial locate within 24 hours. Contact us to get started.
