How to Find the IP Address of an Email: What the Headers Actually Tell You
Every email you receive carries more information than what's visible in your inbox. Hidden in the email headers is a trail of routing data — including IP addresses — that can tell you where a message originated and which servers it passed through. Whether you're investigating a suspicious message, troubleshooting delivery issues, or just curious about how email works, knowing how to read this data is a genuinely useful skill.
What Is an Email IP Address?
When someone sends you an email, the message travels through a series of servers before landing in your inbox. Each of those servers stamps the message with its own IP address as part of the delivery chain. These stamps are recorded in the email's full headers — a block of metadata that most email clients hide by default.
The IP addresses you find in email headers generally fall into two categories:
- Sender IP address — the IP of the device or mail server that originally sent the message
- Relay server IPs — addresses of intermediate mail servers the message passed through
It's worth noting upfront: finding the IP of a sender is not the same as finding their physical address. An IP address maps to a general geographic region and an internet service provider, not a street address. And increasingly, that IP may belong to a mail server — not the sender's personal device.
How to View Full Email Headers
The process varies by email client, but the goal is always the same: access the raw, unformatted version of the message that includes the routing metadata.
Gmail: Open the email → click the three-dot menu (⋮) in the upper right → select Show original. The full headers appear in a new window.
Outlook (web): Open the email → click the three-dot menu → View → View message source or Message details.
Apple Mail: Open the email → go to View in the menu bar → Message → All Headers.
Thunderbird: Open the email → View → Headers → All.
The result is a dense block of text. Most of it is technical routing data — and the IP addresses are buried inside it.
Reading the Headers: Where to Look
Once you have the full headers open, look for lines that begin with "Received:". These are added by each server that handled the message, and they stack in reverse chronological order — the most recent server is at the top, and the originating server is at the bottom.
A typical Received: line looks something like this:
Received: from mail.example.com (mail.example.com [192.168.1.100]) by mx.yourdomain.com with ESMTP The IP address in brackets — [192.168.1.100] in this example — is the address of the server that handed off the message at that step.
To find the originating IP, scroll to the bottom-most Received: line. That's where the message entered the email delivery network.
You may also see a "X-Originating-IP" header in some services. This is a non-standard but common header that some providers include specifically to log the IP of the original sending device.
Using an Email Header Analyzer 🔍
Reading raw headers manually is tedious. Several free tools parse them automatically and present the routing path in a readable format:
- MXToolbox Email Header Analyzer
- Google Admin Toolbox (Message Header Analyzer)
- Mail Header Analyzer by WhatIsMyIPAddress
You paste the full header text into the tool, and it maps out each hop, including the IP addresses, timestamps, and any SPF, DKIM, or DMARC authentication results. Those authentication checks are important — they tell you whether the email actually came from who it claims to be from.
What You Can Do With the IP Address
Once you have an IP address from the headers, you can run a WHOIS lookup or IP geolocation query using tools like:
whois.domaintools.comipinfo.ioip-api.com
This typically returns:
- The ISP or hosting provider that owns the IP
- A general geographic location (usually city or region level)
- Whether the IP belongs to a known spam network or VPN
| What You Can Find | What You Usually Cannot Find |
|---|---|
| ISP or mail host | Sender's home address |
| General city/region | Sender's identity |
| Whether IP is flagged as spam | Exact device used |
| Mail server provider | Real-time location |
Why the Results Vary Significantly
The usefulness of this technique depends heavily on how the email was sent:
Webmail services (Gmail, Outlook, Yahoo): These providers typically strip or replace the sender's real IP with their own server IP before delivery. You'll see Google's or Microsoft's infrastructure — not the sender's personal IP.
Direct email clients (desktop apps, configured SMTP): More likely to include the sender's actual IP in the headers, especially in older or self-hosted setups.
VPNs and privacy tools: If the sender used a VPN or anonymous mail service, the IP traces back to the VPN exit node — not their actual network.
Email marketing platforms: Headers will show the platform's sending infrastructure (Mailchimp, SendGrid, etc.), not individual user data.
The technical skill required to interpret these results also varies. Raw headers are easy to retrieve but can be confusing to parse without some familiarity with networking concepts. Header analyzer tools lower that barrier significantly — but even then, understanding what the results mean for your specific situation depends on context.
Whether the IP you find is the sender's personal connection, a shared mail server, or a VPN endpoint changes everything about what you can conclude from it — and that determination depends entirely on the specific email you're examining. 🧩