What We Check in Email Headers
Understanding email headers and the comprehensive analysis HeaderScope provides
What Are Email Headers?
Email headers are the hidden metadata embedded in every email message. While you see the From, To, and Subject lines in your email client, there's much more information hiding behind the scenes.
Headers contain a complete record of the email's journey from sender to recipient, including every mail server it passed through, authentication checks performed, timestamps, routing information, and security assessments.
Think of email headers like a FedEx tracking number - they show exactly where the package (email) came from, every stop it made along the way, and when it arrived at its destination.
Why Email Headers Matter for Security
Email addresses can be easily forged. Spammers and phishers routinely fake the "From" address to make emails appear legitimate. The headers contain the real story.
By analyzing headers, you can:
- Verify if an email claiming to be from your bank actually came from your bank
- Detect if authentication checks (SPF, DKIM, DMARC) passed or failed
- See if spam filters flagged the message as suspicious
- Trace the email's origin country and mail servers
- Identify delays or unusual routing that might indicate tampering
- Check if the sending server is on known spam blacklists
Email Authentication & Security Verification
SPF (Sender Policy Framework) Verification
What it checks: Verifies that the sending mail server is authorized by the domain owner to send emails for that domain.
Why it matters: Prevents spammers from forging your domain. If an email claims to be from "paypal.com" but comes from a server not authorized by PayPal, SPF will fail.
HeaderScope extracts SPF results from Authentication-Results headers and validates against the envelope sender (Return-Path).
DKIM (DomainKeys Identified Mail) Signature Validation
What it checks: Verifies a cryptographic signature that proves the email hasn't been tampered with and was authorized by the sending domain.
Why it matters: DKIM signatures ensure message integrity. If someone modifies the signed headers or body in transit, the DKIM signature will fail to verify, so a passing signature shows that the signed parts of the message are exactly as the signing domain sent them.
HeaderScope checks for DKIM-Signature headers and parses validation results from receiving servers.
DMARC (Domain-based Message Authentication, Reporting and Conformance) Policy Enforcement
What it checks: Verifies that SPF and DKIM checks align with the visible "From" address and checks what the domain owner wants done with failures.
Why it matters: DMARC ties everything together. It ensures the domain in the "From" address matches the domain that passed SPF or DKIM. Domain owners can specify policies: none (monitor only), quarantine (send to spam), or reject (block entirely).
HeaderScope extracts DMARC results and policy actions from Authentication-Results headers.
ARC (Authenticated Received Chain) Verification
What it checks: Whether an ARC chain preserved the original authentication results when the email was forwarded through a mailing list or forwarding service.
Why it matters: Email forwarding often breaks SPF. ARC allows receiving servers to trust the original authentication even after forwarding.
HeaderScope detects ARC-Authentication-Results chains and validates forwarding integrity.
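The alignment step described above, as an added example that is not HeaderScope's code or part of the original page: it parses an Authentication-Results header the way a receiving server writes it (RFC 8601 layout), then checks whether the passing SPF and DKIM identifiers align with the visible From domain, which is what DMARC decides on. The sample messages, server names and the simplified subdomain-based alignment rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real captures). The first is a clean message; the
# second spoofs the From domain, so SPF passes only for an unrelated domain.
CLEAN = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=example.com
Return-Path: <bounces@bounce.example.com>
From: Example Billing <billing@example.com>
"""
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk.unrelated.example;
 dkim=fail (body hash did not verify) header.d=example.com;
 dmarc=fail (p=REJECT) header.from=example.com
Return-Path: <x9@bulk.unrelated.example>
From: Example Billing <billing@example.com>
"""
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from|p)=([\w.@-]+)", re.I)

def parse_auth_results(value):
    """Return (authserv-id, {method: result}, {property: value}) from one
    Authentication-Results header (simplified regex parse of the RFC 8601 layout)."""
    authserv, _, rest = " ".join(value.split()).partition(";")   # unfold first
    results = {m[1].lower(): m[2].lower() for m in RESULT_RE.finditer(rest)}
    props = {m[1].lower(): m[2].lower() for m in PROP_RE.finditer(rest)}
    return authserv.strip(), results, props

def aligned(d1, d2):
    """Relaxed alignment: same domain, or one is a subdomain of the other
    (simplified; real DMARC compares organizational domains via the PSL)."""
    return bool(d1 and d2) and (d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1))

def analyze(raw):
    """Recompute the DMARC view: do passing SPF/DKIM identifiers align with From?"""
    msg = message_from_string(raw)
    _, results, props = parse_auth_results(msg.get("Authentication-Results", ""))
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    spf_ok = results.get("spf") == "pass" and aligned(rp_dom, from_dom)
    dkim_ok = results.get("dkim") == "pass" and aligned(props.get("header.d", ""), from_dom)
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "spf": results.get("spf", "none"), "dkim": results.get("dkim", "none"),
            "dmarc": results.get("dmarc", "none"), "policy": props.get("p", "none"),
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```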
Anti-Spam & Malware Assessment
Microsoft Exchange / Office 365 Headers
- X-Forefront-Antispam-Report: Comprehensive spam analysis including SCL (Spam Confidence Level), BCL (Bulk Confidence Level), PCL (Phishing Confidence Level). Higher scores = more likely spam/phishing.
- X-Microsoft-Antispam: Additional spam filtering verdicts and bulk mail classification.
- X-MS-Exchange-Organization-SCL: Spam Confidence Level score (0-9). Scores above 5 typically indicate spam.
- X-MS-Exchange-Organization-PCL: Phishing Confidence Level. Values above 4 indicate likely phishing attempts.
- X-MS-Exchange-Organization-AuthAs/AuthMechanism: How the sender authenticated with the Exchange server.
- X-MS-TNEF-Correlator: Indicates Outlook-specific TNEF (winmail.dat) formatting, an opaque container that can be exploited for attacks.
SpamAssassin Scoring
- X-Spam-Status: Overall spam verdict (Yes/No) and numerical score. Scores above 5 are typically spam.
- X-Spam-Score: Aggregate score from all spam tests. Negative scores indicate ham (legitimate email).
- X-Spam-Flag: Simple YES/NO flag for spam classification.
- X-Spam-Level: Visual representation of spam score using asterisks.
- X-Spam-Tests: List of specific tests triggered (BAYES_*, DKIM_*, HTML_MESSAGE, etc.).
Generic Spam Headers
- X-Spam-Checker-Version: Version of spam filtering software used.
- X-Virus-Scanned: Indicates antivirus scanning was performed.
- X-Spam-Report: Detailed breakdown of spam test results and scores.
Email Routing & Delivery Path Analysis
Received Headers (Complete Mail Server Chain)
What it shows: Every mail server the email passed through. Each server prepends its own Received header, so the list runs from newest (top, closest to you) to oldest (bottom, closest to the sender); read it bottom-up to follow the email in chronological order.
Why it matters: Reveals the email's true origin, routing path, and delivery delays. Suspicious emails often show unusual routing through multiple countries or delays indicating bulk sending.
- Server hostnames and IP addresses at each hop
- Protocol used (SMTP, ESMTP, HTTP)
- Encryption status (TLS version and cipher)
- Timestamps for calculating delivery delays
- Mail server software and versions
- Geographic location of sending servers (via IP geolocation)
Timing & Delay Analysis
What it checks: Time elapsed between each mail server hop.
Why it matters: Normal emails deliver within seconds to minutes. Long delays (hours or days) can indicate:
- Bulk sending through compromised servers
- Spam queues or rate limiting
- Server configuration problems
- Backscatter or delayed bounce messages
Message-ID Format Validation
What it checks: Uniqueness and proper formatting of the Message-ID header.
Why it matters: Legitimate mail servers generate properly formatted, unique Message-IDs. Spammers often use generic, poorly formatted, or duplicate Message-IDs.
Sender Verification & Address Analysis
From Address vs. Envelope Sender
What it checks: Compares the visible "From" address with the envelope sender (Return-Path).
Why it matters: For ordinary direct email these addresses should match, or at least share a domain. Mismatches often indicate spoofing, although mailing lists and forwarding services also rewrite the envelope sender. Phishers exploit the difference by showing a trustworthy "From" while using a Return-Path they control.
Reply-To Address Verification
What it checks: Presence and validity of Reply-To header.
Why it matters: Scammers often set Reply-To to an address they control, so that replies go somewhere other than the "From" address. Legitimate businesses rarely set Reply-To except for support or no-reply mailboxes.
Display Name Spoofing Detection
What it checks: Display name in "From" field vs. actual email address.
Why it matters: A common phishing technique is a header such as From: "PayPal Support" <scammer@evil.com>. Most email clients show only "PayPal Support", hiding the actual address.
Return-Path Analysis
What it checks: The envelope sender address used for bounce messages.
Why it matters: Return-Path reveals the actual sending account. Spammers often use throwaway or compromised accounts here while spoofing the "From".
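As an added example (not HeaderScope's code), the sender-field comparisons from this section in one function: it checks Return-Path and Reply-To against the From domain and looks for display-name spoofing, both an address written into the name and a brand word the real domain lacks. The sample headers, the brand list and the simplified parent/subdomain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real captures): one message that trips every sender
# check, and one ordinary message that should produce no findings.
SUSPECT = """\
From: "PayPal Support service@paypal.com" <alerts@mail-secure-login.example>
Reply-To: payments@other-mailbox.example
Return-Path: <bounce-8841@bulkmailer.example>
"""
LEGIT = """\
From: Example Billing <billing@example.com>
Return-Path: <bounces@mail.example.com>
"""
# Assumed brand list for the display-name check; a real tool would use its own data.
BRANDS = ("paypal", "microsoft", "apple", "amazon")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def same_org(d1, d2):
    """Exact or parent/subdomain match (simplified; real tools consult the PSL)."""
    return bool(d1 and d2) and (d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1))

def analyze_sender(raw):
    """Compare From against Return-Path and Reply-To, and inspect the display name."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = domain(from_addr)
    findings = []
    if rp_addr and not same_org(domain(rp_addr), from_dom):
        findings.append(f"Return-Path domain {domain(rp_addr)} differs from From domain {from_dom}")
    if reply_addr and not same_org(domain(reply_addr), from_dom):
        findings.append(f"Reply-To {reply_addr} sends replies away from {from_dom}")
    # Display-name spoofing: an address written inside the name whose domain differs
    # from the real one, or a brand word in the name that the real domain lacks.
    for embedded in ADDR_RE.findall(name):
        if not same_org(embedded.lower(), from_dom):
            findings.append(f"display name shows {embedded} but address is {from_addr}")
    for brand in BRANDS:
        if brand in name.lower() and brand not in from_dom:
            findings.append(f"display name claims {brand} but address domain is {from_dom}")
    return {"from": from_addr, "display_name": name, "findings": findings}
```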
Content Analysis & Encoding Verification
Content-Type Analysis
What it checks: MIME type (text/plain, text/html, multipart/*) and character encoding.
Why it matters: HTML emails can hide phishing links and malicious scripts. Unusual character encodings can be used to evade spam filters.
X-Mailer / User-Agent Identification
What it checks: Email client or service used to send the message.
Why it matters: Legitimate businesses use consistent mail clients. Generic or missing X-Mailer headers can indicate bulk sending tools or compromised accounts.
MIME-Version Validation
What it checks: Proper MIME version declaration.
Why it matters: Missing or incorrect MIME headers indicate poorly configured mail servers or bulk sending scripts.
Content-Transfer-Encoding
What it checks: How message content is encoded (7bit, 8bit, base64, quoted-printable).
Why it matters: Unusual encoding methods can be used to hide malicious content from spam filters.
Transport Security & Encryption
TLS/SSL Encryption Detection
What it checks: Whether email was transmitted over encrypted connections (STARTTLS, TLS, SSL).
Why it matters: Unencrypted email can be intercepted and read by anyone along the route. Legitimate businesses should use TLS for all hops.
TLS Version & Cipher Analysis
What it checks: TLS protocol version (1.0, 1.2, 1.3) and encryption cipher used.
Why it matters: Older TLS versions and weak ciphers have known vulnerabilities. Modern servers should use TLS 1.2+ with strong ciphers.
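As an added example (not HeaderScope's code), the hop parsing described under Received Headers, Timing & Delay Analysis and TLS Version & Cipher Analysis, in one script: it reads the Received chain oldest-first, computes the delay introduced at each hop, and flags plaintext transfers and TLS versions older than 1.2. The sample headers, the field regexes and the one-hour delay threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample (not a real capture): three hops, oldest at the bottom.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
 by mx.example.net with ESMTPS id k7s2 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 3 Jun 2024 10:00:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.9])
 by mail.example.org with ESMTPS id 9f1 (version=TLS1_0 cipher=AES128-SHA);
 Mon, 3 Jun 2024 09:59:58 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
 by relay.example.org with ESMTP id 4b0;
 Mon, 3 Jun 2024 07:12:00 +0000
"""
FIELDS = {"from": r"\bfrom\s+(\S+)", "by": r"\bby\s+(\S+)", "with": r"\bwith\s+(\S+)",
          "ip": r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", "tls_version": r"version=([\w.]+)",
          "cipher": r"cipher=([\w-]+)"}

def parse_received(value):
    """Split one Received header into hostnames, IP, protocol, TLS details and time."""
    head, _, date = " ".join(value.split()).rpartition(";")   # unfold; date follows last ';'
    hop = {k: (m[1] if (m := re.search(rx, head)) else None) for k, rx in FIELDS.items()}
    hop["time"] = parsedate_to_datetime(date.strip()) if date.strip() else None
    # ESMTPS/ESMTPSA means STARTTLS was negotiated; a version= clause names the TLS version.
    hop["encrypted"] = bool(hop["tls_version"]) or (hop["with"] or "").upper().startswith(("ESMTPS", "SMTPS"))
    return hop

def tls_minor(version):
    """'TLS1_2' -> 2, 'TLSv1.3' -> 3, 'TLSv1' -> 0; None if the string is not recognised."""
    m = re.search(r"1[._]?(\d)?", version)
    return (int(m[1]) if m[1] else 0) if m else None

def analyze(raw):
    """Return hops oldest-first with per-hop delay, plus findings on delay and transport."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []
    for i, hop in enumerate(hops):
        prev = hops[i - 1]["time"] if i else None
        hop["delay_s"] = (hop["time"] - prev).total_seconds() if prev and hop["time"] else None
        minor = tls_minor(hop["tls_version"]) if hop["tls_version"] else None
        if not hop["encrypted"]:
            findings.append(f"hop {i}: plaintext transfer into {hop['by']}")
        elif minor is not None and minor < 2:
            findings.append(f"hop {i}: legacy {hop['tls_version']} into {hop['by']}")
        if hop["delay_s"] is not None and hop["delay_s"] > 3600:
            findings.append(f"hop {i}: {hop['delay_s'] / 3600:.1f} h delay before {hop['by']}")
    return hops, findings
```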
Certificate Validation
What it checks: Whether receiving servers verified TLS certificates.
Why it matters: Proper certificate validation prevents man-in-the-middle attacks.
Additional Header Checks
Date Header Validation
Verifies Date header is present, properly formatted, and reasonable. Dates far in the future or past often indicate spam or system clock issues.
Subject Line Analysis
Checks for suspicious patterns like all caps, excessive punctuation (!!!), or spam trigger words.
Precedence & Priority Headers
Identifies bulk/list mail markers (Precedence: bulk) and priority flags. Spammers sometimes abuse high-priority flags.
List-Unsubscribe Presence
Legitimate bulk email includes List-Unsubscribe headers. Missing headers on commercial email may indicate non-compliance with CAN-SPAM.
Received-SPF & Authentication-Results
Legacy and modern authentication result headers showing SPF/DKIM/DMARC verdicts from each receiving server in the chain.
X-Originating-IP Detection
Reveals the original IP address of the sender (often added by webmail providers). Useful for tracing the true source.
Bounce & Auto-Reply Headers
Detects Auto-Submitted, X-Autorespond, and bounce message headers. Helps identify automated messages and potential backscatter spam.
Important Limitations
Headers show technical routing and authentication - NOT email content.
HeaderScope cannot detect:
- Malicious links or phishing URLs in the email body
- Fake login pages or credential harvesting attempts
- Malware in attachments (viruses, ransomware, trojans)
- Social engineering or business email compromise tactics
- QR code phishing (quishing)
- Image-based phishing or steganography
For comprehensive email threat detection including content analysis, use PhishCheck.