Delight Cybersecurity Workbook Series

Core authentication concepts

SPF — Sender Policy Framework
Checks whether the connecting server's IP is authorized by the envelope sender's domain (the Return-Path / MAIL FROM domain, not the visible From header) via a TXT record listing permitted IPs and includes. A record ending in "-all" hard-fails unlisted IPs; "~all" softfails them.
Results: pass / fail / softfail (neutral and none also occur)
DKIM — DomainKeys Identified Mail
A cryptographic signature over the body and selected headers, added by the sending system and verified with a public key published in DNS under the signature's selector and d= domain. A valid signature shows the signed parts were not altered after signing; forwarders or list software that rewrite the body will break it.
Results: pass / fail / none (message not signed)
DMARC — Domain-based Message Authentication, Reporting and Conformance
Builds on SPF and DKIM: passes only if at least one of them passes AND its domain aligns with the visible From domain. The From domain's DMARC record tells receiving servers what to do on failure: p=none / p=quarantine / p=reject.
Results: pass / fail, with the sender's policy shown as p=none, p=quarantine or p=reject
Return-Path (envelope sender)
Where bounce messages go, and the domain SPF is evaluated against. In legitimate email it is usually the From domain or a subdomain of it (relaxed DMARC alignment accepts the subdomain); bulk senders commonly use a dedicated bounce subdomain.
Received chain
Each mail server prepends its own Received header, so the topmost entry is the last hop and the bottom entry is the claimed origin. Read bottom-up, but trust only the entries added by your own servers: everything below the first hop recorded by your infrastructure was supplied by the sender and can be forged.
Message-ID
Unique ID assigned by the originating system. The domain after @ is usually the From domain or the sending mailer's domain (a large ESP's, for instance); an unrelated domain is a spoofing signal, though a weak one on its own.
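The SPF and DMARC mechanics described above, as an added example (not code from the workbook). DNS is replaced by DNS_TXT, a constructed in-memory map of TXT records for made-up domains, so it runs offline; a real resolver following RFC 7208 also handles a, mx, exists, redirect=, macros and the 10-lookup limit, which this simplified evaluator omits, and org_domain is a last-two-labels shortcut standing in for a Public Suffix List lookup.

```python
"""Offline SPF evaluation and DMARC alignment.

Added example, not the workbook's code. DNS_TXT is a constructed map of TXT
records for reserved example names, so everything runs offline. Omitted from
this simplified evaluator: a/mx/exists/redirect=, macros, the 10-lookup limit.
"""
import ipaddress

# Constructed records: a domain that delegates to a mailer via include:.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, dns=DNS_TXT, depth=0):
    """SPF result for `ip` using `domain` as the envelope (MAIL FROM) sender:
    'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record)."""
    record = dns.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            # `in` is False across address families, so ip4: never matches an IPv6 sender
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the referenced record itself yields pass
            if check_spf(arg, ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # no term matched and no 'all'


def org_domain(domain):
    """Organizational domain approximated as the last two labels. Assumption:
    real implementations consult the Public Suffix List (e.g. example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   policy="reject", aspf="r", adkim="r"):
    """DMARC passes if SPF passed AND its MAIL FROM domain aligns, or DKIM
    passed AND its d= domain aligns. Returns (result, disposition)."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy]


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.7"), ("example.com", "2001:db8::1"),
                    ("example.com", "192.0.2.1"), ("strict.example", "192.0.2.1")]:
        print(f"SPF {dom:<16} {ip:<14} -> {check_spf(dom, ip)}")
    # ESP pattern: bounces on a subdomain and no DKIM; relaxed alignment passes, strict does not
    print(dmarc_evaluate("example.com", "pass", "bounce.example.com", "none", ""))
    print(dmarc_evaluate("example.com", "pass", "bounce.example.com", "none", "", aspf="s"))
```

The last two calls show why the Return-Path rule above matters: the same SPF pass on bounce.example.com is a DMARC pass under relaxed alignment but a fail under strict alignment, and with p=reject that single setting decides whether the message is delivered.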

5-step analysis workflow

1. Check all sender fields for mismatches
Compare the display name, From address, Reply-To and Return-Path. Any mismatch between them is a primary red flag; a Reply-To on a different domain from the From address is the classic BEC setup.
2. Read the Authentication-Results header
Find the SPF / DKIM / DMARC results added by your own receiving server (the header names the server that wrote it; copies added upstream can be forged by the sender, so ignore those). All three passing is a strong trust signal.
3. Trace the originating IP via Received headers
Read the chain bottom-up to the first external IP, keeping in mind that only hops recorded by your own servers are trustworthy: the entries below the first hop your infrastructure received were supplied by the sender and can be forged, so the address that connected to your server is the one you can verify. Look it up on MXToolbox or AbuseIPDB.
4. Inspect links and attachments safely
Defang URLs (http to hxxp, each "." to "[.]") before writing them anywhere. Submit URLs to URLScan.io or VirusTotal and attachments to a sandbox. Never click a link or open an attachment directly.
5. Write your verdict and recommendations
Verdict (phishing / suspicious / legitimate), indicators found, confidence level, and recommended actions.
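The five steps above as one script, added here as an example; it is not the workbook's own code, and the workbook's raw example emails are not reproduced. RAW_EMAIL is a constructed message built with reserved .test and .example names, parsed with only the Python standard library. TRUSTED_SUFFIX (the hostname suffix of your own mail servers, which decides which Received hops are believed) is an assumption you would set for your environment, and the org_domain shortcut (last two labels) stands in for a Public Suffix List lookup.

```python
"""Header triage: the workbook's five steps run over one raw message.

Added example, not the workbook's own code. RAW_EMAIL is a constructed message
using reserved .test/.example names (not either workbook example). TRUSTED_SUFFIX
is an assumption: the hostname suffix of your own mail servers.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_SUFFIX = "corp.example"
URGENCY = ("immediate action", "24 hours", "suspended", "verify your account")
RAW_EMAIL = b"""\
Return-Path: <bounce-7781@relay-mta.test>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby mail.corp.example with ESMTPS id q7si; Mon, 4 Mar 2024 09:12:44 +0000
Received: from relay-mta.test (relay-mta.test [198.51.100.77])
\tby mx.corp.example with ESMTP id 4M1; Mon, 4 Mar 2024 09:12:43 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby relay-mta.test with ESMTPA; Mon, 4 Mar 2024 09:12:40 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=relay-mta.test;
\tdkim=none; dmarc=fail (p=reject) header.from=examplebank-secure.test
Message-ID: <20240304091240.9A1F@relay-mta.test>
From: "Example Bank Security" <alerts@examplebank-secure.test>
Reply-To: verify-team@freemail.test
Subject: URGENT: account suspended in 24 hours
Content-Type: text/html; charset=us-ascii

<p>Immediate action required: your account will be suspended in 24 hours.</p>
<p><a href="http://examplebank-secure.test/verify?token=x1">https://examplebank.example/login</a></p>
"""

def domain_of(header_value):
    """Lower-cased domain from an address header ('' when the header is absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Last two labels: a rough stand-in for the organizational domain."""
    return ".".join(domain.split(".")[-2:])

def auth_results(msg):
    """Step 2: spf/dkim/dmarc verdicts and the DMARC policy from Authentication-Results."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text)}
    pol = re.search(r"\(p=(\w+)\)", text)
    results["policy"] = pol.group(1).lower() if pol else ""
    return results

def origin_ip(msg, trusted_suffix=TRUSTED_SUFFIX):
    """Step 3: the address that connected to our own server. Headers are newest-first;
    hops below the first untrusted relay were written by the sender and may be forged."""
    for hop in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\[([^\]]+)\].*?\bby\s+(\S+)", str(hop), re.S)
        if m and m.group(3).endswith(trusted_suffix) and not m.group(1).endswith(trusted_suffix):
            return m.group(2)
    return None

def defang(url):
    """Step 4 convention: http -> hxxp and '.' -> '[.]' so the URL cannot be clicked."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")

def body_text(msg):
    body = msg.get_body(("html", "plain"))
    return body.get_content() if body else ""

def links(msg):
    """Step 4: (defanged href, visible text, True when the text shows a different host)."""
    host = lambda u: re.sub(r"^https?://", "", u, flags=re.I).split("/")[0].lower()
    found = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body_text(msg), re.I | re.S):
        text = re.sub(r"<[^>]+>", "", text).strip()
        found.append((defang(href), text, "." in text and host(text) != host(href)))
    return found

def urgency_hits(msg):
    """Content check: pressure phrases in the subject or body."""
    text = (str(msg["Subject"] or "") + " " + body_text(msg)).lower()
    return [p for p in URGENCY if p in text]

def triage(raw=RAW_EMAIL, trusted_suffix=TRUSTED_SUFFIX):
    """Steps 1 to 5: collect indicators and return verdict, flags and origin IP."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    frm, reply_to, rpath = (domain_of(msg[h]) for h in ("From", "Reply-To", "Return-Path"))
    msgid = str(msg["Message-ID"] or "").strip("<> ").rpartition("@")[2].lower()
    flags = []
    if reply_to and reply_to != frm:
        flags.append(f"Reply-To domain {reply_to} differs from From domain {frm}")
    if rpath and org_domain(rpath) != org_domain(frm):
        flags.append(f"Return-Path domain {rpath} not aligned with From domain {frm}")
    if msgid and org_domain(msgid) != org_domain(frm):
        flags.append(f"Message-ID domain {msgid} differs from From domain (weak signal)")
    auth = auth_results(msg)
    flags += [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    flags += [f"link text {text!r} but href {href}" for href, text, bad in links(msg) if bad]
    flags += [f"urgency phrase {p!r}" for p in urgency_hits(msg)]
    verdict = "phishing" if len(flags) >= 4 else "suspicious" if flags else "legitimate"
    return {"verdict": verdict, "flags": flags, "dmarc_policy": auth["policy"], "origin_ip": origin_ip(msg, trusted_suffix)}
```

Calling triage() on the constructed message returns a "phishing" verdict with origin IP 198.51.100.77: the third Received line, which claims a private 10.0.0.5 origin, was written by the untrusted relay and is deliberately not believed. The verdict thresholds are a simple count of flags and exist only to show the shape of step 5; in practice the analyst weighs the indicators.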

Annotated phishing header

Key indicators highlighted: red = definite red flag · amber = suspicious, verify

Field reference

From display name
Anyone can set this — always check the actual address in < >
From address
Check for typosquats: compare character-by-character (0/O, 1/l/I, rn/m)
Reply-To
If different from From, all replies go there — classic BEC technique
Return-Path
Envelope sender for bounces, and the domain SPF is checked against — should align with the From domain (same domain or a subdomain of it)
Authentication-Results
Added by YOUR server — shows SPF/DKIM/DMARC outcomes. Use the copy that names your own server; copies added upstream can be forged
Received (bottom)
First hop = claimed origin server — read the chain bottom-up, but trust only hops recorded by your own servers
Message-ID
Domain after @ is normally the From domain or the sending mailer's domain; an unrelated domain is a weak spoofing signal

Phishing indicators

Authentication failures

SPF fail or softfail
Sending server's IP is not in the Return-Path domain's SPF record. Softfail (~all) is the domain owner saying "probably not ours"; hard fail (-all) is definitive. Both are suspicious, but a legitimate message forwarded through another server also fails SPF, so check the Received chain for forwarding before weighting it.
DKIM fail or absent (none)
Email not signed, or the signature no longer verifies. A fail can mean forgery or tampering, but mailing lists and forwarders that rewrite the body are a common benign cause; "none" only means the sender did not sign, which many small senders still do not.
DMARC fail
Neither SPF nor DKIM both passed and aligned with the From domain. Most severe when the policy is p=reject: the email should have been blocked, so if it still reached the mailbox, find out which delivery path let it bypass enforcement.

Header anomalies

From ≠ Reply-To (reply-to hijack)
Display name shows a trusted brand but replies redirect to an attacker-controlled address. Classic BEC technique.
Lookalike / typosquat domain
paypa1.com, arnazon.com, micros0ft.com — check every character, especially 0/O, 1/l/I, rn/m.
Message-ID domain mismatch
ID generated by a host other than the claimed From domain. Weak on its own, since large senders often stamp their ESP's domain (see the GitHub example below); treat it as corroboration, not proof.
Unexpected origin country in Received headers
IP geolocates to a country inconsistent with the claimed org — a "Microsoft" email from a .ru host is suspicious. Also weak alone, because global senders use infrastructure everywhere; it carries weight when combined with authentication failures.

Content indicators

Urgency and fear language
"Your account will be suspended in 24 hours", "Immediate action required" — designed to bypass rational thinking.
Mismatched link text vs actual URL
Text says "paypal.com" but href points elsewhere. Always hover (or inspect raw HTML) before clicking.
URL shorteners / multi-hop redirectors
bit.ly, tinyurl, or custom redirect chains that obscure the final destination. Expand before analysis.
Double extension trick (e.g. invoice.pdf.exe)
Windows hides known extensions by default — file appears as "invoice.pdf" but is a .exe executable.
Macro-enabled Office attachments (.docm, .xlsm)
Classic malware delivery. Legitimate senders rarely need macros. Always sandbox-analyze before opening.
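The lookalike-domain check from the header anomalies list and the double-extension and macro checks from the content indicators above, as one added example (not the workbook's code). BRANDS is a constructed allow-list using the brands the workbook names; a real deployment would use the organisation's own list, and the last-two-labels shortcut for the registered domain ignores the Public Suffix List. Both the brand and the candidate are mapped through the same homoglyph "skeleton" before comparison, which is how paypa1, arnazon and micros0ft collapse onto their targets.

```python
"""Lookalike-domain and attachment-name checks.

Added example, not from the workbook. BRANDS is a constructed list of trusted
domains; the registered-domain shortcut (last two labels) ignores the Public
Suffix List, which a production check would consult.
"""
import unicodedata

BRANDS = ("paypal.com", "amazon.com", "microsoft.com", "github.com")
# Confusable substitutions the workbook calls out (0/O, 1/l/I, rn/m) plus a few more.
# Applied to brand AND candidate, so i and l collapse to the same skeleton letter.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l"))
DANGEROUS_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "msi"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def skeleton(label):
    """Confusable skeleton of a label: lower-case, strip diacritics, fold homoglyphs."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    for a, b in CONFUSABLES:
        label = label.replace(a, b)
    return label


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, brands=BRANDS):
    """Return (brand, reason) if `domain` imitates a brand, else None.
    A brand domain itself and its genuine subdomains are not lookalikes."""
    domain = domain.lower().rstrip(".")
    if any(domain == b or domain.endswith("." + b) for b in brands):
        return None
    org_label = domain.split(".")[-2] if "." in domain else domain
    for brand in brands:
        brand_label = brand.split(".")[0]
        if "." + brand + "." in "." + domain:             # paypal.com.evil.test
            return brand, "brand used as subdomain"
        if skeleton(org_label) == skeleton(brand_label):  # paypa1, arnazon, micros0ft
            return brand, "homoglyph"
        if edit_distance(org_label, brand_label) == 1:    # gihub, microsft
            return brand, "typo"
        if skeleton(brand_label) in skeleton(org_label):  # paypa1-secure, secure-paypal
            return brand, "brand embedded in label"
    return None


def attachment_risk(filename):
    """Classify an attachment name: double extension, executable, macro-enabled, or none."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "none"
    ext = parts[-1]
    if ext in DANGEROUS_EXT and len(parts) >= 3 and parts[-2] in DOC_EXT:
        return "double-extension executable"   # invoice.pdf.exe, shown by Windows as invoice.pdf
    if ext in DANGEROUS_EXT:
        return "executable"
    if ext in MACRO_EXT:
        return "macro-enabled office"
    return "none"
```

The subdomain check runs first so that paypal.com.evil.test is reported as brand abuse rather than as an unrelated domain, and the exact-match exclusion at the top keeps genuine subdomains such as sgbounce.github.com from being flagged.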

Legitimate trust signals

SPF pass + DKIM pass + DMARC pass
All three auth checks passing significantly increases confidence. Stronger when DMARC policy is p=reject.
Consistent sending infrastructure
Received chain shows known ESPs (Mailchimp, SendGrid, Amazon SES) that appear in the Return-Path domain's SPF record, or whose DKIM signature aligns with the From domain.
Message-ID matches From domain
ID generated by the same server claiming to send — consistent infrastructure is a positive signal.
Calm, transactional tone — no urgency
Legitimate orgs rarely threaten immediate account closure. Calm, informational language is a positive indicator.

Example 1: PayPal account suspended

phishing — high confidence

Raw email headers + body

Findings

1. Typosquat domain: paypa1-secure[.]net
Digit "1" replaces letter "l" in "paypal". Attacker-registered domain, not affiliated with PayPal Inc.
2. SPF fail + DKIM none + DMARC fail (p=REJECT)
No authentication check passed: the sending server (185.220.101.45) is not in the SPF record, the message carries no DKIM signature, so DMARC fails. Under the p=reject policy it should have been rejected at the gateway; its arrival in the inbox is itself worth investigating.
3. Reply-To hijack to ProtonMail
Replies go to collect2023@protonmail.com — an attacker-controlled anonymous inbox, not PayPal.
4. Origin IP: 185.220.101.45 — bulletproof hosting
IP associated with a bulletproof VPS provider used for malicious campaigns. Verify on AbuseIPDB.
5. Social engineering: urgency + fear
"24 HOURS", "permanently closed" — high-pressure language to prevent critical thinking.
6. Credential harvesting link
URL points to attacker's typosquat domain. The /verify?token= pattern is a classic credential phishing page.
Verdict
Phishing — 6 indicators confirmed, high confidence
Actions: (1) Block paypa1-secure[.]net at email gateway + DNS. (2) Submit URL to VirusTotal / URLScan.io. (3) Alert recipient, check gateway logs for clicks. (4) Report abuse to ProtonMail and hosting provider.

Example 2: GitHub OAuth alert

legitimate — high confidence

Raw email headers + body

Findings

1. SPF pass — legitimate GitHub sending infrastructure
Sending IP (48.30.248.97) is an Akamai CDN address authorized in github.com's SPF record.
2. DKIM pass — valid cryptographic signature
Signed with github.com key (selector 20210112 is a known GitHub DKIM key). Content integrity confirmed.
3. DMARC pass (p=REJECT) — all aligned
GitHub uses strict p=REJECT. A forged email would have been rejected before delivery. Very strong trust signal.
4. Return-Path uses subdomain — normal ESP bounce pattern
sgbounce.github.com is GitHub's SendGrid bounce handling subdomain — standard practice for large senders.
5. Message-ID from Amazon SES — consistent with GitHub's mailer
GitHub sends via Amazon SES. Message-ID ending @amazonses.com aligns with their known infrastructure.
6. No urgency, link to github.com, no credential harvesting
Calm tone. Link points directly to github.com/settings — real domain, no redirects or typosquats.
Verdict
Legitimate — 6 trust signals confirmed, high confidence
All auth checks pass. Infrastructure matches GitHub's known sending setup. Follow-up: confirm the user did authorize a VSCode integration around this time.

Essential analysis tools

Header analysis

MXToolbox
mxtoolbox.com — paste raw headers for SPF/DKIM/DMARC analysis, IP reputation lookup, visual header tracing.
Google Admin Toolbox
toolbox.googleapps.com/apps/messageheader — clean header parser showing delivery path and timing.
mailheader.org
Alternative header parser, good for cross-checking results.

URL and link analysis

URLScan.io
urlscan.io — safely loads and screenshots a URL in an isolated browser. Shows redirects and verdicts.
VirusTotal
virustotal.com — scans URLs and files against 70+ antivirus engines. Shows historical results.
CheckPhish
checkphish.ai — AI-powered phishing URL detection with visual similarity scoring against known brands.

IP and domain reputation

AbuseIPDB
abuseipdb.com — community-reported IP abuse database. Shows report count and abuse type.
Shodan
shodan.io — shows what services are running on a given IP and its history on the internet.
WHOIS lookup
whois.domaintools.com — check domain registration date (new = suspicious), registrar, contact info.

File and attachment analysis

Any.run
any.run — interactive sandbox. Upload a file and watch it execute in a safe Windows VM.
Hybrid Analysis
hybrid-analysis.com — free automated sandbox by CrowdStrike. Detailed behavioral reports.
VirusTotal (files)
Upload files or submit hashes. Cross-checks against 70+ AV engines.

Practice and learning

PhishTool
phishtool.com — free tier for email triage and header analysis. Good for structured practice.
Google Phishing Quiz
jigsaw.google.com/phishing-quiz — 8-question visual quiz for spotting phishing emails.
OpenPhish
openphish.com — real phishing URLs for analysis practice (use safely in a sandbox only).
Defanging convention
Always defang malicious URLs before writing them in reports or messages to prevent accidental clicks:
Before: http://evil.com/phish
After:  hxxp://evil[.]com/phish
Replace http with hxxp and wrap each dot in brackets [.]
