BrowsePopularContact UsAbout Us

How to Check the IP Address of an Email: A Complete Guide

Every email you receive carries hidden technical data — including the IP address of the server (or device) that originally sent it. Knowing how to find and read that information can help you identify spam sources, trace phishing attempts, verify sender locations, and understand how email routing works. Here's exactly how to do it.

What Is an Email IP Address?

When an email travels from sender to recipient, it passes through one or more mail servers. Each of those servers stamps the message with routing information called email headers. Buried inside those headers is the originating IP address — a numerical label (like 192.168.1.1 or an IPv6 equivalent) that identifies where the message began its journey.

This is different from the sender's display name or even their email address, both of which can be spoofed. The IP address in the email header is harder to fake because it's written by the receiving server, not the sender.

Two key terms to know:

  • Sender IP — The IP of the device or mail server that first submitted the message
  • Relay IP — IPs of intermediate servers the email passed through before reaching you

How to View Email Headers (By Platform)

The method for accessing raw email headers varies depending on your email client.

Gmail

  1. Open the email
  2. Click the three-dot menu (⋮) in the top-right corner of the message
  3. Select "Show original"
  4. A new tab opens with the full raw headers, including Received: lines and X-Originating-IP: if present

Outlook (Web)

  1. Open the email
  2. Click the three-dot menu"View" → "View message source"
  3. Alternatively, go to File → Properties in the desktop app — headers appear in the "Internet headers" box

Apple Mail

  1. Open the email
  2. Go to View → Message → All Headers (or press Shift+Cmd+H)
  3. The full header block appears above the message body

Yahoo Mail

  1. Open the email
  2. Click the three-dot menu"View Raw Message"

Thunderbird

  1. Open the email
  2. Go to View → Message Source (or Ctrl+U)

How to Read the Headers and Find the IP Address

Raw email headers look dense, but the key sections are straightforward once you know what to look for. 🔍

The Received: Lines

These are the most reliable source of IP data. Each mail server that handled the message adds a Received: line. They're listed in reverse chronological order — the bottom-most Received: line is usually closest to the original sender.

Example:

Received: from mail.example.com (mail.example.com [203.0.113.45]) by inbound.yourmail.com with SMTP

The IP in brackets — 203.0.113.45 — is the sending server's IP address.

X-Originating-IP

Some mail services include this header explicitly, making it easier to spot. It directly states the IP of the device that submitted the email to the mail server — often the sender's actual machine.

Authentication-Results and SPF / DKIM

These don't contain the originating IP directly but tell you whether the sending IP was authorized to send on behalf of the domain. A failed SPF check alongside an unfamiliar IP is a strong indicator of a spoofed or phishing email.

Using IP Lookup Tools to Interpret the Address

Finding an IP is only half the job. To make sense of it, run it through an IP lookup service. Common options include:

ToolWhat It Shows
whois (command line)Registered owner, ISP, country
MXToolbox Header AnalyzerFull header parse, IP reputation
IPinfo.ioGeolocation, ASN, hosting provider
Google Admin Toolbox (Messageheader)Visual header breakdown, delay analysis

Paste the raw headers (or just the IP) into one of these tools to see the country, ISP, and whether the IP appears on spam blacklists.

Important Limitations to Understand

Not every email will expose the sender's personal IP address. Several factors affect what you actually see:

  • Web-based senders (Gmail, Outlook, Yahoo) — These services typically replace the sender's real IP with their own server IP. A Gmail-sent message will show Google's mail server IP, not the sender's home address.
  • VPNs and proxies — A sender routing through a VPN will show the VPN server's IP, not their real location.
  • Corporate mail servers — Enterprise environments route through centralized servers, masking individual device IPs.
  • Mobile apps — Behavior varies; some expose the device IP, others route entirely through the provider's infrastructure.

This means the IP you find may point to a mail server in a data center rather than a specific person's location. That's still useful — it tells you the service used, the region, and whether the sending infrastructure is legitimate — but it's not the same as pinpointing an individual. 🗺️

When This Information Actually Matters

Tracing an email IP is most useful in specific situations:

  • Phishing analysis — Checking whether the sending IP matches the claimed domain's authorized mail servers
  • Spam investigation — Identifying if an IP is on known blacklists
  • IT and system administration — Diagnosing email delivery issues or verifying routing paths
  • Legal or security contexts — Providing raw technical evidence to an ISP or law enforcement (who can then subpoena the actual subscriber behind the IP)

The level of detail you can extract — and how actionable it is — depends heavily on how the email was sent, what email client you're using to inspect it, and what you're trying to accomplish with the information.

Understanding those variables determines how far the raw IP data actually takes you. ⚙️