Hands-on Lab · Beginner · ~45 min · Includes challenge

Lab PH.1 — Email Header Dissection

Analyze raw email headers using MXToolbox Header Analyzer — trace Received chains, evaluate SPF/DKIM/DMARC results, identify originating IPs, and detect spoofing indicators across two email samples.

Tools needed: MXToolbox Header Analyzer, Browser

What You'll Learn

  • Parse the full Received header chain to reconstruct the delivery path of an email message
  • Identify originating IP addresses, mail servers, and relay timestamps from raw email headers
  • Evaluate SPF, DKIM, and DMARC authentication results to determine sender legitimacy
  • Use MXToolbox Header Analyzer to automate header parsing and flag anomalies
  • Detect header spoofing indicators including mismatched Return-Path and From addresses

Lab Overview

Detail            Value
Lab Type          Browser-Only
Tools Required    MXToolbox Header Analyzer, Browser
Estimated Time    40–50 minutes
Difficulty        Beginner
Pre-Requisites    Lesson PH.1 — Anatomy of a Phishing Email
Deliverable       Completed header analysis worksheet with annotated findings for 2 email samples

Why Email Headers Matter. The visible parts of an email — sender name, subject line, body — are trivially easy to fake. Email headers are the forensic trail that reveals the truth: where the message actually came from, which servers relayed it, and whether authentication checks passed or failed. Every phishing investigation starts here.


The Scenario

Your SOC team has received two suspicious email reports from employees. The first came from the finance department — an employee received an "urgent invoice" from what appeared to be a known vendor. The second was flagged by the IT help desk — a password reset notification that didn't match any legitimate service.

Your task is to analyze the raw headers of both emails, trace their delivery paths, evaluate their authentication results, and determine whether each message is legitimate or malicious.


Part 1: Understanding Email Header Structure

Before diving into the tools, you need to understand what you're looking at. Email headers are read bottom-to-top — the oldest Received header (closest to the sender) is at the bottom, and the most recent (your mail server) is at the top.

Key Header Fields

Header Field             Purpose                                            Spoofable?
From:                    Display name and address shown to recipient        Yes — trivially
Return-Path:             Envelope sender (where bounces go)                 Partially — set by sending server
Received:                Each server that handled the message adds one      No — added by receiving servers
Message-ID:              Unique identifier assigned by originating server   Depends on server
Authentication-Results:  SPF, DKIM, DMARC verdict from receiving server     No — added by your server
X-Originating-IP:        IP of the client that submitted the message        Sometimes present

Reading Received Headers. Each Received: line follows the pattern: from [sending-server] by [receiving-server] with [protocol]; [timestamp]. Start at the bottom and work upward to trace the complete delivery path. Any unexpected servers in the chain are red flags.


Part 2: Sample Email 1 — The Suspicious Invoice

Copy the entire header block below and paste it into MXToolbox Header Analyzer:

Return-Path: <billing-noreply@acm3-invoicing.com>
Received: from mx-gateway-01.company.com (mx-gateway-01.company.com [10.0.1.50])
    by mail-store-02.company.com (Postfix) with ESMTP id A3F4E2C001
    for <jsmith@company.com>; Wed, 18 Feb 2026 09:14:32 -0500 (EST)
Received: from mail-out-07.acm3-invoicing.com (unknown [91.215.42.118])
    by mx-gateway-01.company.com (Postfix) with ESMTP id 7BD1E1A003
    for <jsmith@company.com>; Wed, 18 Feb 2026 09:14:30 -0500 (EST)
Received: from localhost (unknown [192.168.1.105])
    by mail-out-07.acm3-invoicing.com (Postfix) with ESMTP id 4CF891B002;
    Wed, 18 Feb 2026 15:14:28 +0100 (CET)
Authentication-Results: mx-gateway-01.company.com;
    spf=fail (sender IP is 91.215.42.118) smtp.mailfrom=acm3-invoicing.com;
    dkim=none;
    dmarc=fail action=none header.from=acme-corp.com
From: "ACME Corp Billing" <billing@acme-corp.com>
To: jsmith@company.com
Subject: Invoice #INV-2026-4471 — Payment Due Immediately
Date: Wed, 18 Feb 2026 15:14:28 +0100
Message-ID: <5a8f3c2d-91e7-4b3a-a8d1-3f7e2c1b9a04@acm3-invoicing.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_7823_1098234571.1708265668"
X-Mailer: PHPMailer 6.5.0

Analysis Tasks for Email 1

Work through each question and record your answers:

  1. Trace the Received chain (bottom-to-top):

    • What is the originating IP? (Hint: look at the bottom Received header's connecting IP)
    • How many mail servers handled this message?
    • What is the time delay between the first and last hop?
  2. Check the From vs Return-Path:

    • The From: header says billing@acme-corp.com
    • The Return-Path: says billing-noreply@acm3-invoicing.com
    • Are these the same domain? What does a mismatch indicate?
  3. Evaluate Authentication:

    • SPF result: __________ (pass/fail/none)
    • DKIM result: __________ (pass/fail/none)
    • DMARC result: __________ (pass/fail/none)
    • What does this combination tell you about the sender's legitimacy?
  4. Check the X-Mailer:

    • What software sent this email?
    • Is PHPMailer commonly used by legitimate enterprise billing systems?

[Figure: Header Analysis Workflow]

Key Red Flags in Email 1. The From domain (acme-corp.com) doesn't match the Return-Path domain (acm3-invoicing.com) — this is domain spoofing. SPF failed because 91.215.42.118 is not authorized to send for acm3-invoicing.com. No DKIM signature means the message cannot be cryptographically verified. With SPF failing and no DKIM signature, DMARC has no aligned, passing identifier to rely on and fails as well. The X-Mailer is PHPMailer, a scripting library commonly used in phishing campaigns.


Part 3: Sample Email 2 — The Password Reset

Now paste this second header block into MXToolbox:

Return-Path: <noreply@accounts.google.com>
Received: from mx-gateway-01.company.com (mx-gateway-01.company.com [10.0.1.50])
    by mail-store-02.company.com (Postfix) with ESMTP id B2E4F3D002
    for <jsmith@company.com>; Wed, 18 Feb 2026 11:42:15 -0500 (EST)
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
    by mx-gateway-01.company.com (Postfix) with ESMTPS id 8AC2E2B001
    for <jsmith@company.com>; Wed, 18 Feb 2026 11:42:14 -0500 (EST)
Authentication-Results: mx-gateway-01.company.com;
    spf=pass (google.com: domain of noreply@accounts.google.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=accounts.google.com;
    dkim=pass header.d=accounts.google.com header.s=20230601 header.b=kX7vPqL2;
    dmarc=pass (p=REJECT sp=REJECT) header.from=accounts.google.com
From: "Google Accounts" <noreply@accounts.google.com>
To: jsmith@company.com
Subject: Security alert for your linked Google Account
Date: Wed, 18 Feb 2026 16:42:13 +0000
Message-ID: <CABx+XJqK2vN8r3w5L1mA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601

Analysis Tasks for Email 2

  1. Trace the Received chain:

    • Originating IP: __________
    • Does the IP belong to Google? (Check via MXToolbox IP lookup or WHOIS)
    • How many hops from sender to recipient?
  2. From vs Return-Path:

    • Do the domains match?
    • Is the Return-Path consistent with the claimed sender?
  3. Evaluate Authentication:

    • SPF: __________
    • DKIM: __________
    • DMARC: __________
    • What is the DMARC policy? What would happen to a failing message?
  4. Compare with Email 1:

    • List 3 specific differences between the headers of Email 1 and Email 2
    • Which email would you escalate, and why?

Part 4: MXToolbox Deep-Dive Features

MXToolbox Header Analyzer provides several automated checks beyond basic parsing.

Hop Delay Analysis

The tool calculates the time delay between each Received header hop. Look for:

  • Normal: 0–2 seconds per hop
  • Suspicious: 10+ seconds per hop (may indicate queuing on a compromised relay)
  • Very suspicious: Minutes or hours (message was held for analysis evasion)
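As an added example (not part of the lab and not MXToolbox code), the following Python script applies the Email 1 task list from Part 2 and the hop-delay bands above to a constructed copy of the Email 1 headers: it reads the Received chain bottom-to-top, computes per-hop delays, extracts the SPF/DKIM/DMARC verdicts and compares the From and Return-Path domains. The delay bands are a simplification of the list above (2 s or less normal, under a minute suspicious, a minute or more very suspicious).

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from ipaddress import ip_address
# Constructed sample: the lab's Email 1 headers, trimmed to the fields inspected here.
RAW = """Return-Path: <billing-noreply@acm3-invoicing.com>
Received: from mx-gateway-01.company.com (mx-gateway-01.company.com [10.0.1.50])
    by mail-store-02.company.com (Postfix) with ESMTP id A3F4E2C001
    for <jsmith@company.com>; Wed, 18 Feb 2026 09:14:32 -0500 (EST)
Received: from mail-out-07.acm3-invoicing.com (unknown [91.215.42.118])
    by mx-gateway-01.company.com (Postfix) with ESMTP id 7BD1E1A003
    for <jsmith@company.com>; Wed, 18 Feb 2026 09:14:30 -0500 (EST)
Received: from localhost (unknown [192.168.1.105])
    by mail-out-07.acm3-invoicing.com (Postfix) with ESMTP id 4CF891B002;
    Wed, 18 Feb 2026 15:14:28 +0100 (CET)
Authentication-Results: mx-gateway-01.company.com;
    spf=fail (sender IP is 91.215.42.118) smtp.mailfrom=acm3-invoicing.com;
    dkim=none;
    dmarc=fail action=none header.from=acme-corp.com
From: "ACME Corp Billing" <billing@acme-corp.com>"""

def received_chain(msg):
    """Received hops oldest-first (bottom-to-top), the order the lab reads them."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from (\S+) \((\S+) \[([\d.]+)\]\) by (\S+)", value)
        hops.append({"from": m[1], "ptr": m[2], "ip": m[3], "by": m[4],
                     "time": parsedate_to_datetime(value.rpartition(";")[2])})
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops, banded with the Part 4 thresholds."""
    out = []
    for prev, cur in zip(hops, hops[1:]):
        secs = (cur["time"] - prev["time"]).total_seconds()
        band = "normal" if secs <= 2 else "suspicious" if secs < 60 else "very suspicious"
        out.append((cur["by"], secs, band))
    return out

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(raw):
    """Answer the Email 1 task-list questions from the raw header block."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    frm, rp = domain(msg["From"]), domain(msg["Return-Path"])
    return {"hops": len(hops), "bottom_ip": hops[0]["ip"],
            "first_public_ip": next(h["ip"] for h in hops if ip_address(h["ip"]).is_global),
            "total_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds(),
            "delays": hop_delays(hops), "from_domain": frm, "return_path_domain": rp,
            "domain_mismatch": frm != rp,
            "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg["Authentication-Results"]))}
```

Note that the bottom-most hop is a private address (192.168.1.105), so the script also reports the first public IP in the chain, which is the one worth running through the blacklist and reverse-DNS checks below.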

Blacklist Check

Click on any IP address in the MXToolbox results to run a blacklist check. For Email 1:

  • Is 91.215.42.118 on any blacklists?
  • How many blacklists flag it?

Reverse DNS

MXToolbox shows the reverse DNS (PTR record) for each IP. Compare:

  • Email 1: Does the PTR for 91.215.42.118 match the claimed hostname?
  • Email 2: Does the PTR for 209.85.220.41 resolve to a Google domain?

Part 5: Document Your Findings

Create a header analysis report for both emails using this template:

EMAIL HEADER ANALYSIS REPORT
═══════════════════════════════
Analyst: [Your Name]
Date: [Today's Date]

SAMPLE 1: Invoice Email
  From (Display):    ACME Corp Billing <billing@acme-corp.com>
  Return-Path:       billing-noreply@acm3-invoicing.com
  Originating IP:    [your finding]
  Server Chain:      [list each hop]
  SPF:               [result]
  DKIM:              [result]
  DMARC:             [result]
  Blacklist Status:  [result]
  Verdict:           [MALICIOUS / LEGITIMATE / SUSPICIOUS]
  Key Indicators:    [list 3+ red flags]

SAMPLE 2: Password Reset Email
  From (Display):    Google Accounts <noreply@accounts.google.com>
  Return-Path:       noreply@accounts.google.com
  Originating IP:    [your finding]
  Server Chain:      [list each hop]
  SPF:               [result]
  DKIM:              [result]
  DMARC:             [result]
  Blacklist Status:  [result]
  Verdict:           [MALICIOUS / LEGITIMATE / SUSPICIOUS]
  Key Indicators:    [list supporting evidence]

[Table: Header Comparison Summary]


Deliverable Checklist

Before completing the lab, ensure you have:

  • Email 1 Received Chain — All hops traced with IPs, hostnames, and timestamps
  • Email 1 Authentication Results — SPF, DKIM, DMARC verdicts documented with explanations
  • Email 2 Received Chain — All hops traced and compared against Email 1
  • Email 2 Authentication Results — All three checks documented
  • Comparison Table — At least 3 specific header differences between the two emails
  • Completed Analysis Report — Both emails with verdicts and supporting evidence

Key Takeaways

  • Email headers are read bottom-to-top — the oldest Received header reveals the true origin
  • A mismatch between the From header and Return-Path is one of the strongest phishing indicators
  • SPF, DKIM, and DMARC work together — all three failing is a near-certain indicator of spoofing
  • MXToolbox automates header parsing but you must understand the fields to interpret the results
  • Legitimate senders like Google have consistent PTR records, DKIM signatures, and strict DMARC policies (p=REJECT)

What's Next

In Lab PH.2 — Email Authentication Check, you'll go deeper into SPF, DKIM, and DMARC by querying DNS records directly. Instead of reading authentication results from headers, you'll verify the records themselves — understanding exactly what each policy says and how attackers exploit gaps.

Lab Challenge: Email Header Dissection

10 questions · 70% to pass

  1. In the sample invoice email (Email 1), what is the originating IP address found in the bottom-most Received header?
  2. What does the mismatch between From: (billing@acme-corp.com) and Return-Path: (billing-noreply@acm3-invoicing.com) indicate?
  3. Email 1 shows SPF=fail, DKIM=none, DMARC=fail. What does this triple failure mean for the email's legitimacy?
  4. In Email 2 (the Google password reset), what DMARC policy is applied and what does 'p=REJECT' mean?
  5. Email headers are read in which direction, and why?
  6. The X-Mailer header in Email 1 shows 'PHPMailer 6.5.0'. Why is this significant in a phishing investigation?
  7. When using MXToolbox Header Analyzer, what does a hop delay of 45 seconds between two Received headers suggest?
  8. How can you verify whether the IP 209.85.220.41 from Email 2 actually belongs to Google?
  9. Which header field is the MOST reliable for determining the true sender of an email, and why?
  10. Based on your analysis of both email samples, which combination of findings would you include in an escalation report to justify flagging Email 1 as malicious?