What IP address sent me that email message?


Every email server has an IP address. It's sort of like the phone number for a server, and it's often a stable identifier. Each IP address traces back to a company that owns a particular "network" or "block" of IP addresses. The IP address usually also has a hostname (reverse DNS) that may identify the email platform, or may point to the brand that is emailing you. Often "big" email senders will have dedicated IP addresses (IP addresses meant only for their use), while "small" email senders may share an IP address or group (pool) of IP addresses with other small email senders.

(Geek break: When you see email people, especially deliverability people, talking about IP addresses, we're referring to IPv4 IP addresses, not IPv6. Sending email over IPv6 has yet to be universally adopted for email sending and while it does exist, it's outside the scope of what I'm discussing today.)

That sending IP address is stored in hidden email headers, primarily the "Received" email headers. There are multiple ways to access it:
  1. The first easy way: In Gmail, when you select "Show Original" to view the full headers and email source, Gmail shows you a series of bits of information about the email message, right at the top:
    See where it says SPF: PASS with IP address XXX. There's your sending IP address.
  2. The second easy way: The "Received-SPF" or "Authentication Results" header. For example, in Microsoft Outlook.com, select "Message Source" (or select "View Raw Message" in Yahoo Mail) and look for "Received-SPF: Pass (domain of XXX designates YYY as permitted sender)." In that instance, YYY is your sending IP address.
  3. The third easy way: Look for the "X-Originating-IP" header. This is viewable in Yahoo Mail when selecting "View Raw Message" and shown by some other ISPs as well. The value it gives you there, in between [brackets], is the sending IP address.
  4. The harder way: View full source for an email message, look for the "Received" headers and review them. You start from the bottom and work your way up. You're looking for the lowest (usually the first or second bottommost) Received header that names the ISP's mail server in its "by" clause: "Received: from (server name) (IP address) by (something).outlook.com" if it's Microsoft Hotmail/Outlook.com, or "Received: from (server name) (IP address) by (something).yahoo.com" or "(something).google.com" if it's Yahoo Mail or Gmail.
    In this case, the sending IP address is 206.125.175.2. This is the lowest received header that mentions the receiving ISP (Outlook.com), so it's showing what server connected to the ISP to deliver this email message, and there's the IP address.
Huge caveat: If you're doing this for corporate email, and if your company uses certain types of spam filtering, like, for example, Proofpoint, the first three IP address identification methods might not work. My work, for example, uses Proofpoint, with servers in the domain name pphosted.com. In that case, to find the sending IP address, I can't trust the SPF results headers, and there's no Originating-IP header to reference. So, I need to look for that lowest (or second lowest) Received header that says that server XXX at IP address YYY handed the mail off to Proofpoint's servers at pphosted.com.

This is important -- if you get this bit wrong, you'll end up reporting spam to the wrong place. So look "beyond" what server handed the mail off to the ISP and look for what server handed it off to your spam filter's server. (I know, I know. This is a very brief explanation for a complex issue, and I apologize for that. But we've got to start somewhere.)

If you're not sure whether your company uses a spam filtering service in this way, you might want to ask your IT people for guidance. And know that this is almost never the case for non-corporate mail. If you're looking to report spam for mail you received in your personal Gmail, Outlook.com or Yahoo Mail account, you won't run into this issue.
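Here is the bottom-up Received-header walk from method 4, plus the Received-SPF and X-Originating-IP shortcuts from methods 2 and 3, written out as a small Python script. This is an added example, not code from the original post; the two sample messages, their hostnames (example-isp.test, example-esp.test, corp-example.test, mx0a-0001.pphosted.com) and their addresses (192.0.2.0/24 is reserved for documentation, 10.0.0.5 is private) are constructed for the example. The corporate sample reproduces the Proofpoint caveat: the SPF header and the hand-off into the company's own server both point at the filter's IP, and only the hop into pphosted.com yields the real sending IP.

```python
import re
from email import message_from_string

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample messages (not from the original post). Headers are in
# top-down order, newest hop first, exactly as they appear in message source.
PERSONAL_MAIL = """\
Received: from relay1.example-isp.test (2001:db8::1)
 by inbox7.example-isp.test with HTTPS; Mon, 1 Jan 2024 12:00:05 +0000
Received-SPF: Pass (domain of example-brand.test designates 192.0.2.10
 as permitted sender)
X-Originating-IP: [192.0.2.10]
Received: from mail.example-esp.test (mail.example-esp.test [192.0.2.10])
 by mx.example-isp.test with ESMTPS id abc123; Mon, 1 Jan 2024 12:00:03 +0000
Received: from app01.example-brand.test (app01.internal [10.0.0.5])
 by mail.example-esp.test with ESMTP id xyz789; Mon, 1 Jan 2024 12:00:01 +0000
From: newsletter@example-brand.test
Subject: constructed test message

body
"""

# Same message, but delivered to a company that filters through Proofpoint
# (pphosted.com) before the mail reaches its own server.
CORPORATE_MAIL = """\
Received: from mx0a-0001.pphosted.com (mx0a-0001.pphosted.com [192.0.2.200])
 by mail.corp-example.test with ESMTPS; Mon, 1 Jan 2024 12:00:05 +0000
Received-SPF: None (mail.corp-example.test: example-brand.test does not
 designate permitted sender hosts) client-ip=192.0.2.200;
Received: from mail.example-esp.test (mail.example-esp.test [192.0.2.10])
 by mx0a-0001.pphosted.com with ESMTPS id def456; Mon, 1 Jan 2024 12:00:03 +0000
Received: from app01.example-brand.test (app01.internal [10.0.0.5])
 by mail.example-esp.test with ESMTP id xyz789; Mon, 1 Jan 2024 12:00:01 +0000
From: newsletter@example-brand.test
Subject: constructed test message

body
"""


def _norm(value):
    # Collapse folded (multi-line) header values onto one line.
    return re.sub(r"\s+", " ", value).strip()


def received_hops(raw_message):
    """Return the Received headers oldest first, i.e. bottom of the source first."""
    msg = message_from_string(raw_message)
    return [_norm(v) for v in reversed(msg.get_all("Received", []))]


def sending_ip_from_received(raw_message, receiver_domains):
    """Method 4: walk the hops from the bottom up and return the bracketed IPv4
    in the 'from' clause of the first hop whose 'by' host belongs to one of
    receiver_domains (your ISP, or your spam filter's domain if you have one)."""
    domains = tuple(d.lower() for d in receiver_domains)
    for hop in received_hops(raw_message):
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+([^\s;]+)", hop)
        if not m:
            continue
        from_clause, by_host = m.group(1), m.group(2).lower()
        if not any(by_host == d or by_host.endswith("." + d) for d in domains):
            continue  # an earlier hop on the sender's side; keep walking up
        ip = re.search(r"\[(" + IPV4 + r")\]", from_clause)
        if ip:
            return ip.group(1)
    return None


def sending_ip_from_spf(raw_message):
    """Method 2: the IP the receiver evaluated SPF against. Behind a filtering
    gateway this is the gateway's IP, not the original sender's."""
    value = message_from_string(raw_message).get("Received-SPF")
    if not value:
        return None
    m = re.search(r"designates\s+(" + IPV4 + r")\s+as permitted sender"
                  r"|client-ip=(" + IPV4 + ")", _norm(value))
    return (m.group(1) or m.group(2)) if m else None


def sending_ip_from_originating(raw_message):
    """Method 3: X-Originating-IP, usually written in [brackets]."""
    value = message_from_string(raw_message).get("X-Originating-IP")
    if not value:
        return None
    m = re.search(IPV4, value)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("personal, SPF header:            ", sending_ip_from_spf(PERSONAL_MAIL))
    print("personal, X-Originating-IP:      ", sending_ip_from_originating(PERSONAL_MAIL))
    print("personal, Received walk:         ", sending_ip_from_received(PERSONAL_MAIL, ["example-isp.test"]))
    print("corporate, SPF header (filter IP):", sending_ip_from_spf(CORPORATE_MAIL))
    print("corporate, hop into own server:  ", sending_ip_from_received(CORPORATE_MAIL, ["corp-example.test"]))
    print("corporate, hop into Proofpoint:  ", sending_ip_from_received(CORPORATE_MAIL, ["pphosted.com"]))
```

The receiver domain list is the one thing you have to supply: for personal mail it is your ISP's domain, for filtered corporate mail it is the filter's domain (pphosted.com in the post's example). Matching on the "by" host rather than on position is what keeps the walk from stopping one hop too early, which is exactly the mistake the caveat warns about.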

Now that you know the sending IP address, here's what you can do with that information.
  • You could plug in the IP address on my DNS tools website and click on the "Did you receive spam from XXX?" abuse.net link. If the abuse.net website suggests an address to send to, that's where you'd email a spam report to. (Don't report spam to pphosted.com; that's the Proofpoint spam filter, not a spam source. If the IP address you're checking has a hostname that ends in pphosted.com, you're probably not looking at the right IP address.)
  • You could look up the IP address ownership info using the right Regional Internet Registry. This ownership info likely contains a company name and likely even contains a spam (abuse) reporting address. There are five RIRs (APNIC for Asia-Pacific, ARIN for North America, RIPE NCC for Europe, LACNIC for Latin America/Caribbean, and AFRINIC for Africa). My DNS tool can usually figure out which RIR is the right one and will give you a link to "query" the IP address in the appropriate registry. Click through, look at the contact info, see if there's an "abuse" contact, and then you can email your spam report to that address. 
  • You could go look up the Sender Score of the IP address and if that score is low, you're probably not the only person receiving spam from that IP address.
  • If you run a spam filter or blocking list, you could add this IP address to that list, if you want to reject future mail from this server, on the theory that where one spam came, more are likely to follow.
And that's where I'll wrap it up today. This might seem a bit incomplete, but I'm working through different sub-topics here with a goal of leading to a single, linked guide to all of these different steps involved with tracing email messages and sending spam complaints. Stay tuned for more and thanks for reading!
Comments

  1. Just shared this article with my org. Will be so helpful for the support team. LOVE YOUR BLOG!
