Step 3: Reveal the Sender's Email Address

The purpose of this document is to show how to mouse over the purported sender in an email header to reveal the email address that may have been used to send you the email. We say "may" because that email address might have been forged.

The art of detecting phishes is discovering inconsistencies in the body and header lines of an email. If the moused-over purported sender differs from other email addresses in the header, it’s a red flag that the email is a phish.

Most of the header lines in an email are readily forged. On macOS, the full header lines are revealed in the View/Message/All Headers dropdown menu. On Windows, see View internet message headers in Outlook.

Helpful information on email headers may be found in the following four sources:

  1. Email Headers Can Tell You About the Origin of Spam
  2. How to Test a Suspicious Link Without Clicking It
  3. What all the stuff in email headers means—and how to sniff out spoofing
  4. MxToolbox’s Email Header Analyzer
    Here you can paste an email’s full headers for analysis.
    To see the full headers on macOS, open the email, then select Mail/View/Message/All Headers.

Cement what you learn from these documents by selecting a spam or phish from your laptop Inbox and following along with this narrative. Do the same with a legitimate email.

The three snippets below from our sample email’s top header lines illustrate how the sender’s address may be moused over. Again, this address may be forged.

The purported sender is Server Administrator.
[Image: Server Administrator]

Mouse over the purported sender in your sample and linger for several seconds. On a Mac, the purported sender’s name will turn blue and a downward-facing arrow will appear at the right end of the name. Click the downward-facing arrow to expose the email address the sender wants you to see.
[Image: Server Administrator Moused Over]

That sender in our example is info@artsfarmwine.com, as revealed by a click on the downward-facing arrow on the purported sender. The inconsistency between the purported sender Server Administrator and info@artsfarmwine.com is a red flag.
[Image: Sender]

The sender is purportedly artsfarmwine.com and not olympus.net, a blatant inconsistency. This email is a phish.
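The same comparison can be scripted against a message's full headers. The following is an added example, not part of the original walkthrough: the From line and the expected domain olympus.net come from the sample above, while the other header values and the function name sender_red_flags are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the From line is the one revealed in the walkthrough;
# Return-Path, Reply-To, To and Subject are invented for illustration.
SAMPLE = (
    "Return-Path: <bounce@mailer.example>\n"
    "From: Server Administrator <info@artsfarmwine.com>\n"
    "Reply-To: helpdesk@webmail-login.example\n"
    "To: reader@example.net\n"
    "Subject: Mailbox quota exceeded\n"
    "\n"
)

def domain(addr):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].strip().lower() if "@" in addr else ""

def sender_red_flags(raw_headers, expected_domain):
    """Return (display_name, from_address, flags) for one message."""
    msg = message_from_string(raw_headers)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain(from_addr)
    flags = []
    if from_dom != expected_domain.lower():
        flags.append(f"From domain {from_dom or '(none)'} is not {expected_domain}")
    # A display name that is itself an address at another domain hides the
    # real address from anyone who does not mouse over it.
    if "@" in name and domain(name) != from_dom:
        flags.append(f"display name {name!r} does not match {from_addr}")
    # Other sender-related headers should agree with From. Bulk mailers often
    # use a different Return-Path, so treat that one as a prompt to look closer.
    for header in ("Reply-To", "Return-Path", "Sender"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr and domain(addr) != from_dom:
                flags.append(f"{header} {addr} differs from From domain {from_dom}")
    return name, from_addr, flags

if __name__ == "__main__":
    name, addr, flags = sender_red_flags(SAMPLE, "olympus.net")
    print(f"Purported sender: {name}\nAddress: {addr}")
    for flag in flags:
        print("RED FLAG:", flag)
```

Every header checked here can be forged, so a clean result does not prove the email is legitimate.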

Do send an email to yourself, then mouse over your email address on the top line of the header to see the sender, you.
Now, do the same with a spam or phish.
