How to Spot Fake Emails: Beyond Metadata and Display Names

When judging an email’s authenticity, it’s tempting to look at what’s visible – the sender’s name, the display name, or even the company name. However, these details don’t prove much on their own. Instead, focus on metadata, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) values.

Check that the visible sender’s address matches the domain in the Return-Path, and verify that SPF passes for the connecting IP against the actual brand’s domain. Note, however, that a malicious actor can still register a legitimate-sounding domain of their own and pass these checks.

Look at the “Received” chain, which shows where the email actually came from. An attacker may forge the Received lines in the message they send, but your inbound mail server adds its own Received entry recording the host that actually connected to it. If the two disagree, be suspicious.

Consider the routing trail: a recognizable mail service, authentication results that match the sending server, and no random hosting provider in the chain. Fake emails typically leave a trail in which your provider received the message from an unrelated VPS or an odd domain.

Be wary of anomalies in the Message-ID and related headers: outdated or unusual X-Mailer values, an exposed X-Originating-IP pointing to a residential range, or identical Message-ID formats across unrelated phishing emails. While sophisticated attackers may clean up these details, mass phishing operations often prioritize volume over polish.

Ultimately, the key is to look beyond presentation and focus on the transport path, which leaves residual markers that reveal whether a message is legitimate.
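As an added example (not code from the article or its source), the following Python script applies the checks above to a raw message using only the standard library: it compares the From domain with the Return-Path domain, reads the SPF/DKIM/DMARC results that the receiving server recorded in Authentication-Results, and inspects the outermost Received hop, the one your own mail server wrote. The message, hostnames and addresses are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real message): From claims brand.example, but Return-Path,
# SPF and the hop recorded by our own MX all point at an unrelated hosting provider.
RAW = b"""Received: from vps5.example-hosting.net ([203.0.113.5])
 by mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.brand.example (mail.brand.example [198.51.100.9])
 by vps5.example-hosting.net; Mon, 1 Jan 2024 09:59:00 +0000
Authentication-Results: mx.recipient.example; spf=pass
 smtp.mailfrom=bulk.example-hosting.net; dkim=none; dmarc=fail
 header.from=brand.example
Return-Path: <bounce@bulk.example-hosting.net>
From: "Brand Support" <support@brand.example>
Subject: Action required

Please sign in to keep your account.
"""

def domain_of(header_value):
    """Lower-cased domain of the first address in a header (None if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() or None

def aligned(a, b):
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def analyze(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    hops = msg.get_all("Received") or []
    # hops[0] was prepended by our own inbound MX; inner hops can be forged by the sender.
    m = re.search(r"\bfrom\s+([\w.-]+)", hops[0]) if hops else None
    last_hop = m.group(1).lower() if m else None
    findings = []
    if not aligned(from_dom, rp_dom):
        findings.append(f"From domain {from_dom} does not align with Return-Path {rp_dom}")
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC result is {auth.get('dmarc', 'missing')} for {from_dom}")
    if last_hop and not aligned(last_hop, from_dom):
        findings.append(f"our MX received the message from {last_hop}, not a {from_dom} host")
    return {"from_domain": from_dom, "return_path_domain": rp_dom, "auth": auth,
            "last_hop": last_hop, "findings": findings}

for warning in analyze(RAW)["findings"]:
    print("WARNING:", warning)
```

Only the outermost Received entry and the Authentication-Results header written by your own server are trustworthy; everything below them arrived with the message and could have been forged.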

Source: https://www.makeuseof.com/these-3-email-headers-prove-a-message-is-fake-heres-how-to-check