Someone received mail allegedly from us, how do we analyse it?
Headers of the suspicious message reveal which server actually sent it, whether SPF/DKIM failed, and what the Return-Path domain is.
Try this first
- 1Request the full headers (View source / Show original)
- 2Paste into a header analyser (mha.azurewebsites.net or mxtoolbox)
- 3Look at Authentication-Results and Received-from
- 4Compare Return-Path and From domain to confirm spoofing
When to bring us in
For ongoing phishing in your name, report to the attacker's hosting provider and APWG.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.