Dr.Who

How to read the Authentication-Results header to tell if an email was spoofed

· authentication-results · dmarc · spf · dkim · spoofing

Your receiving mail server stamps an Authentication-Results header on every inbound message recording how SPF, DKIM, and DMARC evaluated. To tell if a message was spoofed, find the dmarc= result: dmarc=pass means the visible From: domain was authenticated and aligned, so the sender is who they claim to be. spf=pass and dkim=pass on their own are not enough — both can pass on domains unrelated to the one you see in your inbox.

Where to find the header

In Gmail, open the message, click the three-dot menu, and choose Show original. In Outlook, use View message source (or Properties in the desktop client). Both show the raw headers, where Authentication-Results lives near the top.

A real example, line by line

Here is a typical header from a Google receiving server:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mail.example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=mail.example.com;
       dkim=pass header.d=example.com header.s=s1 header.i=@example.com header.b=Hk3pQ2;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

Three independent results, each tied to a different domain:

  • spf=pass is tied to smtp.mailfrom — the envelope sender (the Return-Path), here mail.example.com. SPF checks whether the connecting IP is authorized by that envelope domain, not the address you see.
  • dkim=pass is tied to header.d (the signing domain, example.com) and header.s (the selector, s1). It proves the signed headers and body were signed with a key published under that domain.
  • dmarc=pass is tied to header.from — the visible From: domain, example.com. This is the address your recipient actually reads.

Why dmarc= is the only trustworthy signal

This is the part attackers exploit. SPF and DKIM each pass against their own domain, and those domains do not have to match the From: you see. A forged message can carry spf=pass for an attacker-controlled smtp.mailfrom, and dkim=pass for an attacker's signing domain, while the From: header still shows an address at the impersonated domain.

DMARC is the only check that ties a passing result back to the visible From: domain. dmarc=pass requires that SPF or DKIM passed and that the passing domain aligns with header.from. So read it this way: dmarc=pass with header.from matching the displayed sender means authentic. dmarc=fail (or no DMARC line) on a message claiming to be from a known brand is your spoofing flag.

The trust caveat that matters most

Only the Authentication-Results header added by your own receiving server is trustworthy. Any such header inside a forwarded, pasted, or attached message can be forged — the attacker simply typed it. Always read the topmost Authentication-Results line, the one stamped by your mail system (e.g. mx.google.com), and ignore lower ones from unknown servers.

For mail that was legitimately forwarded, SPF and DKIM often break in transit. Forwarders preserve the original verdict in ARC-Authentication-Results (Authenticated Received Chain, RFC 8617), which a trusted forwarder seals so your server can honor the original DMARC result.
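The rule from the two sections above, applied in code: trust only the header stamped by your own server, then require dmarc=pass whose header.from equals the visible From: domain. This is an added example written for this post, not code from the post itself; both sample headers are constructed (the first mirrors the Google header shown earlier with its addresses normalised to the domains named, the second is a made-up forgery), and the trusted authserv-id is assumed to be mx.google.com.

```python
import re

# Constructed sample 1: the post's Google-stamped header for an authentic message.
AR_AUTHENTIC = """mx.google.com;
       spf=pass (google.com: domain of mail.example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=mail.example.com;
       dkim=pass header.d=example.com header.s=s1 header.i=@example.com header.b=Hk3pQ2;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"""

# Constructed sample 2: SPF and DKIM pass for an unrelated domain, DMARC fails for the visible From:.
AR_SPOOFED = """mx.google.com;
       spf=pass smtp.mailfrom=attacker.example.net;
       dkim=pass header.d=attacker.example.net header.s=k1;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=example.com"""


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, {method: {result, properties}})."""
    authserv, _, rest = value.partition(";")
    results = {}
    for stanza in rest.split(";"):
        # Drop RFC 8601 comments such as "(p=REJECT sp=REJECT dis=NONE)" before tokenising.
        stanza = re.sub(r"\([^)]*\)", "", stanza).strip()
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv.strip().lower(), results


def is_authentic(value, from_domain, trusted_authserv):
    """True only when our own receiver stamped the header and DMARC passed for the visible From: domain."""
    authserv, res = parse_auth_results(value)
    if authserv != trusted_authserv.lower():
        return False  # stamped by some other server: the sender could have typed it
    dmarc = res.get("dmarc")
    if not dmarc or dmarc["result"] != "pass":
        return False  # dmarc=fail or no DMARC line is the spoofing flag
    # spf=pass / dkim=pass are deliberately ignored here: they vouch for their own domains only.
    return dmarc.get("header.from", "").lower() == from_domain.lower()
```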
