Identify legit emails vs Spoofed emails in the Header

Iron Contributor

Hi everyone,


Is there any way to differentiate between legit and spoofed emails from looking into email header?


We saw an spoofed email saying via return--path in the To:... section. And it comes from


So what is the area of mismatch between legit and spoofed email that exchange or outlook consider one as an unverified email?


How does Outlook/Exchange process to choose and pick the legit emails?



3 Replies

@Ali Fadavinia 




This method I have witnessed when you do the spoofing INTERNALLY....

Copy email header and paste it in "Microsoft Message Header Analyzer" tool


If it is spoofed email you will find like this

> X-MS-Exchange-Organization-AuthAs: Anonymous


if it is a legitimate email you will find this way
> X-MS-Exchange-Organization-AuthAs: Internal


External spoofing : An SPF record is playing a key role here to block spoofing emails –
(SPF record: a list of IP addresses which are authorized to send emails from a domain.)

Most probably your mail gateway will block the spoofing emails based on define RULES.


Thank you,


Thanks MD, I will give it a try

@Ali Fadavinia 


Most welcome buddy.