How to Find an IP Address in an Email Header
Every email you receive carries more than just a message — it contains a hidden layer of technical data called the email header. Buried inside that header are routing information, timestamps, and often one or more IP addresses that reveal where the message originated or which servers it traveled through. Knowing how to read that data is a useful skill for verifying senders, investigating spam, or understanding how email works under the hood.
What Is an Email Header?
When an email is sent, every mail server that handles it stamps the message with a record of its involvement. This creates a chain of Received: lines inside the header — essentially a travel log for your email.
The header also contains fields like:
- From — the display name and sender address
- Reply-To — where replies go (can differ from the sender)
- Message-ID — a unique identifier for that specific message
- X-Originating-IP — sometimes explicitly listed by the sending server
The IP address of the original sender is typically found in the earliest (bottom-most) Received: line in the header chain, since headers are added in reverse chronological order — newest at the top, oldest at the bottom.
How to Access Full Email Headers
The method varies by email client and platform. Here's how it works across common ones:
| Platform | How to Access Headers |
|---|---|
| Gmail | Open the email → click the three-dot menu → Show original |
| Outlook (web) | Open the email → three-dot menu → View → View message source |
| Outlook (desktop) | Open the email → File → Properties → Internet headers box |
| Apple Mail | Open the email → View menu → Message → All Headers |
| Yahoo Mail | Open the email → three-dot menu → View Raw Message |
| Thunderbird | Open the email → View → Headers → All |
Once you have the raw header text, you're looking at a block of technical metadata — often dense and long. Don't let that put you off.
Reading the Header to Find the IP Address 🔍
Look for lines that start with Received: from. Each one represents a hop between mail servers. Here's a simplified example:
```
Received: from mail.example.com (mail.example.com [203.0.113.45]) by mx.recipient.com with ESMTP
Received: from [192.168.1.10] (unknown [203.0.113.45]) by mail.example.com with SMTP
```
The IP address in square brackets is what you're after. Scroll to the lowest Received: line in the header — that's the first server the email touched, which is closest to the original sender.
Keep in mind:
- If the email was sent from a webmail service (like Gmail or Outlook.com), the originating IP may belong to Google's or Microsoft's servers — not the individual sender's device.
- If sent from a desktop email client (like Thunderbird or Outlook configured with a personal domain), the IP is more likely to reflect the sender's actual network.
- Some providers deliberately strip the originating IP from headers to protect user privacy.
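The procedure above can be scripted. This is an added example, not part of the original article: it parses the Received: chain oldest hop first and returns the first bracketed IP that is not an internal address. The function names and the sample message (the article's two lines with constructed dates and From/Subject fields) are assumptions; hops below the first server you trust are sender-supplied text, so treat the result as a lead to verify.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample built from the article's two Received: lines (documentation-range IPs).
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.45])
    by mx.recipient.com with ESMTP; Tue, 02 Jan 2024 10:00:05 +0000
Received: from [192.168.1.10] (unknown [203.0.113.45])
    by mail.example.com with SMTP; Tue, 02 Jan 2024 10:00:01 +0000
From: Sender <sender@example.com>
Subject: constructed example

body
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Ranges that never identify a sender on the public internet (RFC 1918, loopback, link-local, ULA).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def received_hops(raw):
    """Return one dict per Received: line, oldest hop (bottom of the header) first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = str(value)
        ips = []
        for candidate in BRACKETED.findall(text):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # bracketed text that is not an IP literal
        by = re.search(r"\bby\s+([^\s;]+)", text)
        hops.append({"by": by.group(1) if by else None, "ips": ips})
    return hops

def origin_candidate(hops):
    """First non-internal IP, scanning from the oldest hop upward; None if stripped."""
    for hop in hops:
        for ip in hop["ips"]:
            if not any(ip in net for net in INTERNAL):
                return ip
    return None

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE), 1):
        print(n, hop["by"], [str(ip) for ip in hop["ips"]])
    print("origin candidate:", origin_candidate(received_hops(SAMPLE)))
```

A result of None means no hop recorded a usable address, which is what you see when the provider strips the originating IP.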
What Can You Do With the IP Address?
Once you've identified an IP address, you can look it up using tools like ARIN WHOIS, MXToolbox, or IPinfo.io to find:
- The Internet Service Provider (ISP) that owns the address
- The general geographic region (city or country level — not a precise street address)
- Whether the IP belongs to a known hosting provider, VPN, or spam network
This is useful for:
- Confirming whether a "local" business email actually came from overseas
- Identifying phishing attempts routed through suspicious infrastructure
- Checking if an IP appears on any email blacklists
⚠️ Important to understand: an IP address gives you network-level information, not personal identification. A result showing "New York, Comcast" tells you about the ISP and general region — nothing more without legal processes.
Variables That Change What You'll Find
Not every email investigation produces the same results. Several factors affect what the headers reveal:
The sending platform matters a lot. Corporate email servers, shared hosting environments, and major webmail providers each handle header information differently. Google Workspace emails will show Google's IP infrastructure. A small business running their own mail server is more likely to expose a direct originating IP.
Privacy tools obscure the trail. Senders using VPNs, Tor, or privacy-focused email services (like ProtonMail or Tutanota) may have their real IP masked or entirely absent from the headers. ProtonMail, for instance, explicitly omits sender IPs by design.
Email forwarding adds noise. Emails passed through forwarding rules pick up additional Received: lines from intermediary servers, making the chain longer and the true origin harder to isolate.
Mobile vs. desktop clients can also differ — some mobile apps route through their own proxy infrastructure before delivery.
The Gap Between Finding an IP and Drawing a Conclusion
The technical steps here are consistent and learnable. But what the IP address actually means in your situation depends heavily on context — who sent the email, which platforms were involved, what privacy tools might be in play, and what you intend to do with the information.
Someone investigating a phishing attempt has different needs than someone trying to confirm a business contact's location or diagnose a mail server misconfiguration. The header data is the same; what matters is whether that data is meaningful for your specific case — and that's something only your own situation can answer.