How to Look Up an IP Address From an Email
Every email you receive carries more information than you might expect. Beyond the sender's name and message body, email headers contain technical metadata — including, in many cases, IP addresses that reveal where a message originated. Understanding how to find and interpret this data is a useful skill for spotting spam, identifying phishing attempts, or simply satisfying technical curiosity.
What Is an Email IP Address?
When you send an email, it travels through a series of servers before reaching the recipient's inbox. Each server that handles the message stamps its IP address into the email's header — a block of technical data attached to every email that most clients hide by default.
The IP address you're looking for is typically the one logged by the first receiving server — the point where the email entered the mail system. This is often the closest available clue to the sender's actual location or mail server.
However, there's an important distinction: modern webmail services like Gmail and Outlook mask the sender's IP address with their own server IP. If someone emails you through Gmail, you'll see Google's server IP, not the sender's home or office IP.
How to View Email Headers
The method for accessing raw email headers varies depending on your email client:
| Email Client | How to View Headers |
|---|---|
| Gmail | Open email → three-dot menu → "Show original" |
| Outlook (web) | Open email → three-dot menu → "View" → "View message source" |
| Outlook (desktop) | Open email → File → Properties → "Internet headers" box |
| Apple Mail | Open email → View menu → "Message" → "All Headers" |
| Thunderbird | Open email → View menu → "Message Source" |
| Yahoo Mail | Open email → three-dot menu → "View Raw Message" |
Once you have the raw header text, you're looking at a block of dense technical data. It's not immediately readable — but the IP addresses are in there.
How to Find the IP Address in the Header
Email headers are read bottom to top in chronological order. The oldest entries (closest to the origin) are at the bottom.
Look for lines beginning with Received: from — these log each server hop the email made. The IP address typically appears in brackets directly after the server name, like this:
Received: from mail.example.com (mail.example.com [203.0.113.45])

The address in the brackets is the IP you want — specifically from the lowest Received: from line in the header, which represents the first server that touched the message.
You may also spot:
- X-Originating-IP — some services explicitly log the sender's IP in this field
- X-Forwarded-For — common in headers from forwarded or relayed messages
If parsing headers manually sounds tedious, header analysis tools can do it for you. Paste the raw header text into a tool like MXToolbox's Email Header Analyzer or Google Admin Toolbox's Messageheader tool, and they'll extract IP addresses and map the server route visually.
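To do the same extraction locally instead of pasting headers into a web tool, this added example (not part of the original article) uses Python's standard email module to read the Received: from lines bottom to top and pull out the bracketed addresses. The sample headers are constructed, and the names trace, bracketed_ips and INTERNAL are illustrative.

```python
import email
import ipaddress
import re

# Constructed sample headers; addresses are from documentation and private ranges.
SAMPLE = (
    "Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])\n"
    "\tby inbox.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000\n"
    "Received: from mail.example.com (mail.example.com [203.0.113.45])\n"
    "\tby mx.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000\n"
    "Received: from laptop (unknown [192.168.1.20])\n"
    "\tby mail.example.com with ESMTPSA; Tue, 02 Jan 2024 10:00:01 +0000\n"
    "X-Originating-IP: [203.0.113.99]\n"
    "Subject: constructed sample\n\nbody\n"
)

# Ranges that only identify a host inside someone's own network.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def bracketed_ips(text):
    """Return valid IP addresses found in [brackets], skipping malformed ones."""
    found = []
    for candidate in BRACKETED.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return found

def trace(raw_headers):
    msg = email.message_from_string(raw_headers)
    hops = []
    # Each server prepends its Received line, so reverse to get oldest first.
    for value in reversed(msg.get_all("Received", [])):
        # Only the "from" clause describes the connecting host; drop the "by" part.
        from_clause = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        hops.extend(bracketed_ips(from_clause))
    external = [ip for ip in hops if not any(ip in net for net in INTERNAL)]
    # X-Originating-IP may appear with or without brackets; normalise first.
    xoip = [ip for v in msg.get_all("X-Originating-IP", [])
            for ip in bracketed_ips("[%s]" % v.strip(" []"))]
    return {
        "hops_oldest_first": [str(ip) for ip in hops],
        "first_external": str(external[0]) if external else None,
        "x_originating_ip": [str(ip) for ip in xoip],
    }
```

Received lines written before the message reached a server you trust are supplied by the sending side and can be forged, so treat the lowest hop as a clue to corroborate rather than as proof of origin.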
What You Can Learn From the IP Address 🔍
Once you have an IP address, you can look it up using a WHOIS lookup or IP geolocation service. These tools can typically tell you:
- The country and region associated with the IP
- The ISP or organization that owns the IP block
- Whether it belongs to a known mail provider, VPN, or hosting service
- Whether it appears on any spam or blacklist databases
This information has real uses: identifying whether a "local" sender is actually overseas, flagging emails routed through suspicious infrastructure, or confirming that a business email truly originates from that business's servers.
What it won't give you is a street address or the identity of an individual. IP geolocation is approximate — often accurate to a city or region, rarely to a specific building.
Why You Often Can't Get the Sender's True IP
Several factors limit what's actually recoverable:
- Webmail users (Gmail, Outlook.com, Yahoo): The sending platform's server IP is logged, not the user's device IP
- VPN or proxy use: The IP belongs to the VPN exit node, not the sender's actual connection
- Corporate mail servers: The company's mail server IP appears, not the individual employee's machine
- Mobile apps on carrier networks: The IP may trace to a carrier's mail relay, not the device itself
This is intentional in many cases — major email providers started masking sender IPs as a privacy measure years ago. If you receive an email sent via Gmail, Google's infrastructure is what you'll trace.
The Variables That Determine What You'll Find
What you actually recover from this process depends heavily on:
- Which platform the sender used — older or self-hosted mail servers are more likely to expose originating IPs
- Whether the sender used a VPN — tracing stops at the VPN endpoint
- What email client you're using — some clients display partial headers only
- Whether the email was forwarded — forwarding adds additional server hops and can obscure original routing
Someone receiving a suspicious email from a small business's self-hosted mail server will find far more traceable information than someone trying to identify a Gmail or Outlook sender. The technical steps are the same — the usefulness of the result shifts dramatically depending on the infrastructure involved.
Your specific situation — the type of email you received, the platform it came from, and what you're trying to determine — shapes whether this process yields anything actionable. ✉️