Tracing an IP from an email header involves reading the Received: headers from bottom to top to find the originating sending IP, then running WHOIS to identify the network owner. ESP relaying obscures the actual sender's IP (you see only the ESP's IP). Apple Mail Privacy Protection breaks open-tracking IP capture. Useful for diagnosing abuse, less for tracking real people.
Tracing IPs From Email Headers: What You Can and Can't Do
Email header tracing is a useful diagnostic skill that gets misunderstood. People assume you can extract a sender's location and identity from email headers; you mostly can't. What you can extract is the routing path, the ESP or mail server used, and sometimes the originating IP — useful for abuse investigation, less useful for tracking individuals.
This guide covers what header tracing actually reveals, when it's useful, and where it hits hard limits.
What's in an email header
Every email carries Received: headers that document its path through mail servers. Read from bottom (origin) to top (final delivery):
```
Received: by mx.google.com with SMTPS id abc...
Received: from mail.example.com (mail.example.com. [203.0.113.42])
        by mx.google.com with ESMTPS id xyz...
Received: from internal.example.com (10.0.1.5)
        by mail.example.com with SMTP id qrs...
        for <[email protected]>; Wed, 15 May 2026 14:23:17 -0700
```
The bottom-most Received: header that was written by a server you trust is normally the one that recorded the originating mail server; in this example that is mail.example.com at 203.0.113.42. Keep in mind that a sender can plant fake Received: lines of their own below the first hop added by your server (or your provider's), so only the chain from the top down to that hop is trustworthy.
What header tracing tells you
| Information | Source | Reliability |
|---|---|---|
| Originating mail server hostname | Bottom Received: header | High |
| Originating mail server IP | Same | High |
| Network owner | WHOIS lookup on IP | High |
| Geographic location of mail server | IP geolocation database | Medium (city-level) |
| Path through relays | Received: header chain | High |
| Sender's authentication status | Authentication-Results header | High |
| Original DKIM-signing domain | DKIM-Signature header | High |
| Sender's actual personal IP | Often nowhere | Low |
| Sender's actual location | Often nowhere | Low |
| Sender's real identity | From / Reply-To headers | Low (can be spoofed) |
The mail server IP is what you can trace reliably. The actual human sender's personal device IP is usually invisible.
How ESP relaying obscures tracing
When mail is sent through an ESP (SendGrid, Mailgun, Postmark, Klaviyo, etc.), the Received: headers show the ESP's infrastructure, not the actual end-user sender:
```
Received: from sendgrid.net (o1.email.example.com [149.72.123.45])
```
The IP belongs to SendGrid. The customer who actually composed the message is identified only by:
- The From address
- The DKIM signing domain (often the customer's domain)
- The X-Mailer or X-Sender headers (sometimes)
- The Return-Path / envelope sender
The originating customer's IP is not in the headers. This is by design — ESPs centralize sending so individual users don't expose their infrastructure.
Practitioner note: People come to me asking to "trace who sent this email" when investigating internal abuse. If the mail came through an ESP, the headers won't reveal which employee at the ESP customer sent it. You need the ESP's logs, which typically require legal process or the customer's own admin access. Header tracing tells you which ESP and which customer domain — not which person inside that customer.
How to view full headers
| Email client | Method |
|---|---|
| Gmail (web) | Three-dot menu > Show original |
| Gmail (mobile) | Forward as attachment, view in another client |
| Outlook (desktop) | File > Properties > Internet headers |
| Outlook.com | Three-dot menu > View > View message source |
| Apple Mail | View > Message > All Headers (or Cmd+Opt+U) |
| Yahoo Mail | More > View raw message |
| ProtonMail | More > View headers / View source |
| Thunderbird | View > Headers > All |
Copy the full headers (including the Received: chain) to a text file. Many online "header analyzers" (Google Admin Toolbox, MXToolbox Header Analyzer) parse them into readable form.
Practical use cases
Diagnosing abuse from a sending IP
You receive phishing or spam claiming to be from your brand. Trace the actual sending IP:
- View full headers
- Find the bottom-most external Received: header
- Extract the IP
- Run WHOIS to identify the network
- Submit an abuse complaint to the network's contact
See reporting abusive IPs for the full workflow.
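The hop-walking described in the header section and in the abuse workflow above, as an added example (not code from the original page): it parses the Received: chain of a raw message with Python's standard library, skips internal (RFC 1918, loopback, link-local, CGNAT) source addresses, and returns the originating public IP. The naive bottom-up walk is the one the text describes; the optional `trusted_relays` argument switches to a top-down walk that only believes hops written by relays you control, which is what protects you from a forged Received: line planted by the sender. The two sample messages and the `fake.example.org` hop are constructed for the example; the 203.0.113.x and 198.51.100.x documentation addresses stand in for public ones, which is why the code keeps its own internal-range list instead of relying on `ipaddress.is_private` (that also flags documentation ranges).

```python
import email
import ipaddress
import re
from typing import Optional

# Constructed sample (not a real capture): internal hop -> company MX -> Gmail MX.
SAMPLE_MESSAGE = """\
Received: by mx.google.com with SMTPS id abc123
        for <victim@example.net>; Wed, 15 May 2026 14:23:19 -0700 (PDT)
Received: from mail.example.com (mail.example.com. [203.0.113.42])
        by mx.google.com with ESMTPS id xyz789
        for <victim@example.net>; Wed, 15 May 2026 14:23:18 -0700 (PDT)
Received: from internal.example.com (10.0.1.5)
        by mail.example.com with SMTP id qrs456
        for <victim@example.net>; Wed, 15 May 2026 14:23:17 -0700
From: Alice <alice@example.com>
To: victim@example.net
Subject: header tracing sample

body
"""

# Same message with a forged Received line the sender planted at the bottom,
# claiming a different public origin (constructed for the example).
FORGED_MESSAGE = SAMPLE_MESSAGE.replace(
    "From: Alice",
    "Received: from fake.example.org (fake.example.org [198.51.100.9])\n"
    "        by internal.example.com with SMTP id forged1\n"
    "From: Alice",
)

# Source addresses in these ranges are skipped; documentation ranges are
# deliberately NOT listed so the sample's 203.0.113.42 counts as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
IP_LITERAL = re.compile(r"[\[(]\s*(?:IPv6:)?([0-9A-Fa-f:.]+)\s*[\])]")
FROM_CLAUSE = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+(?P<by>[^\s;()]+)", re.I)
BY_CLAUSE = re.compile(r"\bby\s+([^\s;()]+)", re.I)


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_received(raw_message: str) -> list:
    """Return the Received hops in header order: index 0 is the final
    delivery (top of the header block), the last entry is the origin."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        src_ip, by_host = None, None
        m = FROM_CLAUSE.match(text)
        if m:
            by_host = m.group("by").lower()
            # first bracketed/parenthesised token that parses as an address
            for candidate in IP_LITERAL.findall(m.group("src")):
                try:
                    src_ip = ipaddress.ip_address(candidate)
                    break
                except ValueError:
                    continue
        else:  # "Received: by ..." with no from-clause (local submission)
            by = BY_CLAUSE.search(text)
            by_host = by.group(1).lower() if by else None
        hops.append({"by": by_host, "src_ip": src_ip, "raw": text})
    return hops


def originating_ip(raw_message: str, trusted_relays=()) -> Optional[str]:
    """Bottom-up walk (as in the text) when no trusted relays are given;
    otherwise a top-down walk that only believes hops written by relays
    you control, since every line below those can be forged by the sender."""
    hops = parse_received(raw_message)
    if not trusted_relays:
        for hop in reversed(hops):
            if hop["src_ip"] is not None and not is_internal(hop["src_ip"]):
                return str(hop["src_ip"])
        return None
    trusted = {h.lower() for h in trusted_relays}
    for hop in hops:
        if hop["by"] not in trusted:
            break  # left the trusted chain; stop believing what follows
        if hop["src_ip"] is not None and not is_internal(hop["src_ip"]):
            return str(hop["src_ip"])
    return None


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("forged", FORGED_MESSAGE)):
        print(name, "naive:", originating_ip(raw),
              "trusted:", originating_ip(raw, ("mx.google.com",)))
```

Run it and the forged message shows the difference: the naive walk happily reports the planted 198.51.100.9, while the trusted walk anchored on `mx.google.com` still returns 203.0.113.42. Feed the returned address to `whois` (ARIN, RIPE, APNIC, etc.) for the network owner and abuse contact; that lookup is left out of the block so it runs offline.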
Diagnosing your own sending issues
When troubleshooting why mail isn't being delivered, comparing the headers of a successful send against those of a failed bounce often reveals:
- Authentication results (SPF, DKIM, DMARC status)
- Which relay produced the failure
- Specific SMTP error codes
For SMTP-level troubleshooting see 421 try again later and 550 5.7.1 rejection.
Verifying authentication
The Authentication-Results header shows what the receiving server validated:
```
Authentication-Results: mx.google.com;
       dkim=pass [email protected];
       spf=pass (google.com: domain of [email protected] designates 203.0.113.42 as permitted sender);
       dmarc=pass (p=REJECT) header.from=example.com
```
A pass on all three means the receiving server authenticated the message. A fail on any of them points to a problem worth fixing.
Identifying spoofing in phishing
If the From says paypal.com but the Received chain shows the message originated from an Indonesian VPS with no PayPal authentication, it's spoofed. DMARC and DKIM verify whether the sender is legitimate; header tracing shows where it actually came from.
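The authentication and spoofing checks from the two sections above, as an added example (not code from the original page): it parses an RFC 8601 Authentication-Results header into per-method verdicts, then checks whether the domain that actually passed DKIM or SPF aligns with the From: domain, which is the difference between "SPF passed for the attacker's own envelope domain" and "this message is authenticated for the brand in the From: line". Both sample messages are constructed with reserved example domains; `aligned()` approximates DMARC relaxed alignment with a suffix match rather than the public suffix list, and that simplification is an assumption of the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real capture): everything passes and aligns.
LEGIT_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=sel2026;
       spf=pass (google.com: domain of bounce@example.com designates 203.0.113.42 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
From: Example Support <support@example.com>
To: victim@example.net
Subject: account notice

body
"""

# Constructed spoof: same From:, but relayed by an unrelated domain. SPF
# passes only for the attacker's envelope sender, DKIM is absent, and DMARC
# fails because nothing aligned with the From: domain.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=pass (google.com: domain of bulk@example.net designates 198.51.100.7 as permitted sender) smtp.mailfrom=bulk@example.net;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com
From: Example Support <support@example.com>
To: victim@example.net
Subject: account notice

body
"""


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results value into
    {"authserv_id": ..., "results": {method: {"result": ..., prop: value}}}."""
    text = " ".join(value.split())
    while True:  # strip (comments), innermost first, so nesting is handled
        stripped = re.sub(r"\([^()]*\)", " ", text)
        if stripped == text:
            break
        text = stripped
    parts = [p.strip() for p in text.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:
            continue  # e.g. the bare "none" used when no checks ran
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                prop, val = tok.split("=", 1)
                entry[prop.lower()] = val
        results[method.lower()] = entry
    return {"authserv_id": authserv_id, "results": results}


def aligned(domain: str, from_domain: str) -> bool:
    """Relaxed alignment approximated by a suffix match (assumption: real
    DMARC compares organizational domains via the public suffix list)."""
    return bool(domain) and (domain == from_domain
                             or domain.endswith("." + from_domain)
                             or from_domain.endswith("." + domain))


def check_message(raw_message: str) -> dict:
    """Combine the receiver's verdicts with From: alignment so a pass for
    the wrong domain (the classic spoof) is not mistaken for authentication."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    header = msg.get("Authentication-Results")
    results = parse_auth_results(header)["results"] if header else {}

    def verdict(method):
        return results.get(method, {}).get("result", "none")

    dkim = results.get("dkim", {})
    dkim_domain = (dkim.get("header.d") or dkim.get("header.i", "")).rpartition("@")[2].lower()
    spf_domain = results.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2].lower()
    findings = {
        "from_domain": from_domain,
        "spf": verdict("spf"),
        "dkim": verdict("dkim"),
        "dmarc": verdict("dmarc"),
        "dkim_aligned": verdict("dkim") == "pass" and aligned(dkim_domain, from_domain),
        "spf_aligned": verdict("spf") == "pass" and aligned(spf_domain, from_domain),
    }
    findings["authenticated"] = (
        verdict("dmarc") == "pass" or findings["dkim_aligned"] or findings["spf_aligned"]
    )
    return findings


if __name__ == "__main__":
    print("legit  :", check_message(LEGIT_MESSAGE))
    print("spoofed:", check_message(SPOOFED_MESSAGE))
```

Note that the spoofed message still shows `spf=pass`; only the alignment check exposes that the pass belongs to example.net, not to the example.com in From:. That is exactly the case the text describes: the receiving server's DMARC verdict already encodes this, and the code makes the reasoning behind it visible.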
What header tracing cannot do
Find the personal device IP of a desktop email user. It is almost never in the headers: webmail (Gmail on the web, for example) sends through Google's infrastructure, and desktop clients submit through their account provider's outbound server.
Reliably geolocate the actual person. Mobile mail clients send through carrier infrastructure; corporate users send through office mail servers; personal users send through ISP relays. The IP rarely maps to the person's location.
Identify a person from their IP. Even with the actual IP, mapping to a person requires legal process at the ISP. Open data only gives the network owner.
Defeat Apple Mail Privacy Protection. Since 2021, Apple Mail pre-loads images through Apple's proxy. Open-tracking pixels capture Apple's IP, not the recipient's. About 50% of email opens are now privacy-proxied.
Practitioner note: I get periodic requests to "trace who is opening these emails for location data." Even ignoring the legal and ethical issues, the technical answer is: you mostly can't, and the percentage you can is shrinking. Apple Mail Privacy Protection broke open-IP capture for Apple users. Corporate proxies and VPNs handle most others. The data is too unreliable to build anything meaningful on top of.
Tools that automate tracing
| Tool | What it does |
|---|---|
| MXToolbox Header Analyzer | Parses headers, shows hops, validates auth |
| Google Admin Toolbox Messageheader | Free header parser by Google |
| Mailheader.org | Header analysis |
| WHOIS (whois.arin.net, etc.) | IP owner lookup |
| ipinfo.io | IP geolocation (approximate) |
| MaxMind GeoIP | Higher-quality geolocation (paid) |
For most diagnostic work, MXToolbox Header Analyzer is the fastest start.
For broader header and SMTP context see SPF authentication failed and DKIM verification failed.
If you need help with header analysis for abuse investigation, phishing forensics, or sender authentication diagnosis, book a consultation. I do header analysis weekly for clients investigating impersonation and deliverability issues.
Sources
- RFC 5321 — SMTP (Received header)
- RFC 8601 — Authentication-Results Header
- Google Admin Toolbox: Messageheader
- MXToolbox: Email Header Analyzer
- Apple Mail Privacy Protection Documentation
- ARIN WHOIS
v1.0 · May 2026
Frequently Asked Questions
How do I trace the IP address of an email?
View full email headers, find the bottom-most Received: header (the originating server), extract the IP, run WHOIS to identify the network owner. Most senders use ESPs that relay through their infrastructure, so the traced IP belongs to the ESP, not the actual sender's machine.
Can you find someone's location from their email?
Not reliably. The IP in the Received headers typically belongs to the ESP or mail server, not the user's personal device. Even when you have the user's actual IP, geolocation databases give city-level accuracy at best, and VPNs/proxies obscure further.
What is an email tracer?
A tool or workflow that extracts IP addresses, mail server identifiers, and routing information from email headers to determine the sending source. Useful for abuse investigation, phishing analysis, and spam source identification. Less useful for tracking individual people due to relay obfuscation.
How do I read email headers to find the sender's IP?
In Gmail: View > Original or three-dot menu > Show original. In Outlook: File > Properties > Internet headers. Look at the Received: headers from bottom (origin) to top (delivery). The originating IP is in the first Received: line that came from outside trusted infrastructure.
Can ESPs trace IP addresses of recipients?
Partially. Open tracking pixels can capture recipient IP at open time, but Apple Mail Privacy Protection (since 2021) pre-loads images via Apple's proxy, breaking IP capture for Apple Mail users (~50% of opens). The remaining IP capture is unreliable for location due to VPNs and mobile carrier IP pools.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.