How do I use email headers to identify the sender of a spam email?
This article shows you how to analyze email headers to identify the source for your emails.
Introduction
An email header is the section of an email message that contains essential metadata. The metadata tracks an email's complete path, such as the originating IP address, routing information, and the precise time of transmission. When you report spam emails to AWS that originate from the AWS IP address space, be sure to share the email header information. If the email contains links to abusive content that’s hosted on AWS IP address space, select the appropriate abuse type to specify this information in your report, as shown in the following screenshot:
Identify and review email headers
To determine if an email originated from Amazon Elastic Compute Cloud (Amazon EC2) or Amazon Simple Email Service (Amazon SES), you must view and extract the full email header. For more information, see How do I view full email headers on popular email clients so that I can troubleshoot issues?
After you extract the email header, review the following key fields to determine the origin of the suspected spam email.
Received
The Received field in the email header provides a chronological record of the servers and IP addresses that the email message passed through before the email reached the recipient's mailbox.
Example:
Received: from ip-198-51-100-1 (ec2-192-0-2-0.eu-west-2.compute.amazonaws.com. [192.0.2.0])
by mx.example.com with ESMTPS id abcdef1234567qrs.789.2021.04.30.20.39.46
for <alice@example.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128);
Fri, 30 Apr 2021 20:39:46 -0700 (PDT)
In the preceding example, you can use the IP address 192.0.2.0 to trace the email's path. Each Received field contains information such as server names, IP addresses, timestamps, and SMTP protocol details. Note that you can fully trust only the topmost Received header, because your own mail server added it. The reliability of each following header depends on whether you trust the server that created it. If you see a header from an untrusted server, treat that header and all headers after it as potentially unreliable.
You can resolve the IP address to its reverse DNS (rDNS) name with the following command:
dig -x IP_ADDRESS
The rDNS name has the ec2 label and indicates that the IP address 192.0.2.0 is associated with a resource on an AWS customer's Amazon virtual private cloud (Amazon VPC). If the message originated from Amazon SES, then the rDNS name of the IP address returns amazonses.com in the corresponding Pointer (PTR) Record query.
From
The From field indicates the email address of the person who is responsible for the content of the message. This field identifies the sender of the message and is the primary identifier that you see in your inbox.
Example:
From: John Stiles <john_stiles@sender-domain.com>
To: Jie Liu <jie_liu@recipient-domain.com>
In the preceding example, John Stiles sent the email. However, the From field might be spoofed if your domain's incoming mail server didn't enforce the sending domain's Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy. For more information, see Amazon SES: Email authentication and getting value out of your DMARC policy.
Authentication-Results
The Authentication-Results field in an email header shows the results of authentication checks, such as the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC. This field typically includes codes, such as pass or fail, for each authentication method. These codes help email providers and recipients assess the email's legitimacy and potential risks. This information can help you to filter out spam or phishing emails.
Example:
Authentication-Results: mx1.recipient-domain.com;
dkim=pass (signature was verified)
header.d=sender-domain.com;
spf=pass (sender IP is 192.0.2.1)
smtp.mailfrom=john.doe@sender-domain.com;
dmarc=pass (p=REJECT; aspf=r; adkim=s; spf=pass; dkim=pass)
header.from=sender-domain.com;
In the preceding example, the receiving mail server mx1.recipient-domain.com reports the results of the email authentication checks in the Authentication-Results field. The contents of this field confirm that the email passed the DKIM and SPF checks and, as a result, also passed DMARC verification. Therefore, this field confirms that the email is authentic and not spoofed. As with the Received field, rely on this field only when your own mail server added it, because a sender can insert a field with the same name.
Return-Path
The Return-Path field in an email header specifies the email address where the recipient's email server sends the bounce messages or error notifications when it can't deliver an email to the recipient's inbox. These servers generate automated messages, called bounce messages or Non-Delivery Reports. These messages inform the sender that their email wasn't delivered and provide details about why the delivery failed.
Example:
Return-Path: <bounce-9876a54b32c1d0e8f@example.com>
Received: from ec2-192-0-2-0.compute-1.amazonaws.com (ec2-192-0-2-0.compute-1.amazonaws.com [192.0.2.0])
by mx.recipient-domain.com with ESMTP id abcdef1234567xyz
for receiver@recipient-domain.com;
Mon, 18 Jun 2021 10:30:15 -0700 (PDT)
From: "Customer Service" <service@example.com>
Subject: Your Account Update
In the preceding example, the Return-Path field bounce-9876a54b32c1d0e8f@example.com specifies the unique identifier along with the sender’s domain. If the email can’t be delivered, then the bounce messages are sent to this address.
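The following Python script is added here as an illustration and is not part of the original article. It pulls the Received, From, Return-Path and Authentication-Results fields out of a raw header block and applies the checks described in the preceding sections: it classifies the rDNS name recorded in the topmost Received line as EC2 or SES and reads the SPF, DKIM and DMARC results. The headers it parses are a constructed sample assembled from this article's examples, and the rDNS name is taken from the Received line as written by the receiving server rather than queried with dig.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, assembled from the header examples in this article.
RAW_HEADERS = """\
Return-Path: <bounce-9876a54b32c1d0e8f@example.com>
Received: from ip-198-51-100-1 (ec2-192-0-2-0.eu-west-2.compute.amazonaws.com. [192.0.2.0])
 by mx1.recipient-domain.com with ESMTPS id abcdef1234567qrs.789.2021.04.30.20.39.46
 for <jie_liu@recipient-domain.com>;
 Fri, 30 Apr 2021 20:39:46 -0700 (PDT)
Authentication-Results: mx1.recipient-domain.com;
 dkim=pass (signature was verified) header.d=sender-domain.com;
 spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=john.doe@sender-domain.com;
 dmarc=pass (p=REJECT; aspf=r; adkim=s; spf=pass; dkim=pass) header.from=sender-domain.com;
From: John Stiles <john_stiles@sender-domain.com>
"""

# "from <helo-name> (<rdns-name> [<ip>])" as the receiving server writes it.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?:(?P<rdns>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]\)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def classify_source(rdns):
    """Map an rDNS (PTR) name to the AWS origin this article describes, or None."""
    name = rdns.rstrip(".").lower()
    if name.endswith(".amazonaws.com") and name.split(".")[0].startswith("ec2-"):
        return "EC2"
    if name == "amazonses.com" or name.endswith(".amazonses.com"):
        return "SES"
    return None

def parse_auth_results(value):
    """Return {method: result}; parenthesised comments are dropped first so the
    nested 'spf=pass; dkim=pass' inside the dmarc comment cannot override."""
    return dict(AUTH_RE.findall(re.sub(r"\([^)]*\)", "", value)))

def analyze(raw):
    msg = message_from_string(raw)
    hops = []
    # get_all() keeps header order: hops[0] is the topmost Received line, the
    # one your own server added and the only one you can trust outright.
    for rec in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rec)
        if m:
            rdns = m.group("rdns") or ""
            hops.append({"ip": m.group("ip"), "rdns": rdns, "aws_service": classify_source(rdns)})
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    return {"hops": hops, "auth": auth, "dmarc_pass": auth.get("dmarc") == "pass",
            "from": parseaddr(msg.get("From", ""))[1],
            "return_path": parseaddr(msg.get("Return-Path", ""))[1]}
```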
Use the email header information to report spam to AWS
You can use the email header information to report spam emails to AWS that originate from the AWS IP address space. To do so, follow these steps:
- Get the full email header for the suspected spam message. For more information, see How do I view full email headers on popular email clients so that I can troubleshoot issues?
- Identify if the email header IP address corresponds to an AWS IP address. For more information, see AWS IP address ranges. Use the steps in the previous section of this article to verify that the information in the headers clearly indicates that the message originated from AWS. If you identify that the message originated from AWS, report the abuse to AWS through the Report abusive activity from AWS resources web form. For Category, select Email. If you determine that AWS didn't send the message, but the message includes content that's hosted on AWS resources, then select Web Content/Non-Copyright IP for Category. For abuse that's related to Amazon SES, send an email to email-abuse@amazon.com. For more information on how to report other content-related abusive activities, see How do I report abuse of AWS resources?
- Include all the email headers in your spam report. To report email spam to AWS, submit a report through the Report abusive activity from AWS resources web form. Add any additional context about why you believe that the reported email is spam. For more information, see Abuse reporting FAQs.
Conclusion
When you select the most suitable category on the web form to report spam emails to AWS and include the full header information, AWS can process your spam reports more effectively.