
Analyzing Email Headers For Phishing Investigation
Investigate suspected phishing by parsing raw headers, tracing SMTP hops, and checking SPF, DKIM, and DMARC alignment.
Install
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skills --skill analyzing-email-headers-for-phishing-investigation
What is this skill?
- Workflow for extracting raw headers from EML/MSG, Gmail, and Outlook
- SPF, DKIM, and DMARC validation with DNS lookups (dig/nslookup)
- SMTP path tracing and relay identification for spoofing cases
- Python-oriented automated parsing aligned with MHA-style header review
- Threat-intel hooks for IP and domain reputation during phishing IR
Adoption & trust: 1 install on skills.sh; 14.9k GitHub stars; 2/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Journey fit
Phishing triage and header forensics belong on the Ship shelf under security—where solo builders and small teams harden delivery and respond before or right after a user reports a malicious message. Security subphase covers sender forgery checks, authentication alignment, and incident-style email analysis—not general marketing or growth email.
Common Questions / FAQ
Is Analyzing Email Headers For Phishing Investigation safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Analyzing Email Headers For Phishing Investigation
# Analyzing Email Headers for Phishing Investigation

## When to Use

- When investigating a suspected phishing email to determine its true origin
- For verifying sender authenticity and detecting email spoofing
- During incident response when a user has clicked a phishing link
- When tracing the delivery path and relay servers of a suspicious email
- For validating SPF, DKIM, and DMARC alignment to identify forgery

## Prerequisites

- Raw email headers from the suspicious message (EML or MSG format)
- Understanding of SMTP protocol and email header fields
- Access to DNS lookup tools (dig, nslookup) for SPF/DKIM/DMARC verification
- Email header analysis tools (MHA, emailheaders.net concepts)
- Python with email parsing libraries for automated analysis
- Access to threat intelligence platforms for IP/domain reputation

## Workflow

### Step 1: Extract Raw Email Headers

```bash
# Export from Outlook: Open email > File > Properties > Internet Headers
# Export from Gmail: Open email > Three dots > Show original
# Export from Thunderbird: View > Message Source

# If working with an EML file from a forensic image
cp /mnt/evidence/Users/suspect/AppData/Local/Microsoft/Outlook/phishing_email.eml \
   /cases/case-2024-001/email/

# If working with a PST file, extract the transport headers of each message
pip install pypff
python3 << 'PYEOF'
import re
import pypff

pst = pypff.file()
pst.open("/cases/case-2024-001/email/outlook.pst")
root = pst.get_root_folder()
OUT_DIR = "/cases/case-2024-001/email"

def extract_messages(folder, path=""):
    for i in range(folder.get_number_of_sub_messages()):
        msg = folder.get_sub_message(i)
        headers = msg.get_transport_headers()   # None for items that never traversed SMTP
        subject = msg.get_subject() or "no_subject"
        if headers:
            # Prefix with the folder path so messages in different folders do not
            # overwrite each other, and strip characters unsafe in a filename
            safe_subject = re.sub(r"[^A-Za-z0-9._-]", "_", subject[:30])
            filename = f"{OUT_DIR}/msg{path}_{i}_{safe_subject}.txt"
            with open(filename, "w") as f:
                f.write(headers)
    for i in range(folder.get_number_of_sub_folders()):
        extract_messages(folder.get_sub_folder(i), f"{path}_{i}")

extract_messages(root)
PYEOF
```

### Step 2: Parse the Email Header Chain

```bash
# Parse headers using the Python email library
python3 << 'PYEOF'
import email
from email import policy

# Open in binary mode so undeclared 8-bit bytes in headers do not raise a decode error
with open('/cases/case-2024-001/email/phishing_email.eml', 'rb') as f:
    msg = email.message_from_binary_file(f, policy=policy.default)

print("=== KEY HEADER FIELDS ===")
print(f"From: {msg['From']}")
print(f"To: {msg['To']}")
print(f"Subject: {msg['Subject']}")
print(f"Date: {msg['Date']}")
print(f"Message-ID: {msg['Message-ID']}")
print(f"Reply-To: {msg['Reply-To']}")
print(f"Return-Path: {msg['Return-Path']}")
print(f"X-Mailer: {msg['X-Mailer']}")
print(f"X-Originating-IP: {msg['X-Originating-IP']}")

print("\n=== RECEIVED HEADERS (bottom-up = chronological) ===")
received_headers = msg.get_all('Received')
if received_headers:
    # The last Received header was added first, so reverse to read hops in order
    for i, header in enumerate(reversed(received_headers)):
        print(f"\nHop {i+1}: {header.strip()}")

print("\n=== AUTHENTICATION RESULTS ===")
auth_results = msg.get_all('Authentication-Results')
if auth_results:
    for result in auth_results:
        print(result)
print(f"\nARC-Authentication-Results: {msg.get('ARC-Authentication-Results', 'Not present')}")
print(f"Received-SPF: {msg.get('Received-SPF', 'Not present')}")
print(f"DKIM-Signature: {msg.get('DKIM-Signature', 'Not present')}")
PYEOF
```

### Step 3: Validate SPF, DKIM, and DMARC Records

```bash
# Extract the envelope sender domain
SENDER_DOMAIN="example-corp.com"

# Check SPF record
dig T
```
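As an added, self-contained example (not part of the SKILL.md above and not the project's own code), the following script combines Steps 2 and 3 offline: it parses a constructed EML embedded in the script, traces each Received hop to the relay IP the receiving server logged (oldest first), and checks whether the Return-Path (SPF) domain and the DKIM `d=` domain align with the From: domain, which is the comparison DMARC makes. The message, hostnames and IPs are constructed; `org_domain` is an assumption that approximates relaxed alignment with the last two labels rather than a public suffix list; and the `Authentication-Results` values are taken as reported by the receiving MTA, so the live SPF/DKIM/DMARC record lookups of Step 3 are still needed to confirm them.

```python
"""Trace SMTP hops and check DMARC-style alignment from an EML's headers.
Added example: the message below is constructed, not a real capture."""
import email
import re
from email import policy
from email.utils import parseaddr
from pprint import pprint

# Constructed sample: the From: domain (example-corp.com) differs from both the
# Return-Path domain and the DKIM d= domain, the shape a spoofed message often has.
SAMPLE_EML = b"""Return-Path: <bounce@mail-sender.example>
Received: from mx.internal.example (mx.internal.example [203.0.113.10])
\tby inbox.example (Postfix) with ESMTPS id 4F9A
\tfor <victim@example.org>; Tue, 5 Mar 2024 10:15:02 +0000
Received: from relay.mail-sender.example (relay.mail-sender.example [198.51.100.25])
\tby mx.internal.example with ESMTP; Tue, 5 Mar 2024 10:15:00 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.mail-sender.example with SMTP; Tue, 5 Mar 2024 10:14:58 +0000
Authentication-Results: inbox.example; spf=pass smtp.mailfrom=mail-sender.example;
\tdkim=pass header.d=mail-sender.example; dmarc=fail header.from=example-corp.com
DKIM-Signature: v=1; a=rsa-sha256; d=mail-sender.example; s=sel1; h=from:to:subject;
\tbh=constructed=; b=constructed=
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: attacker@mail-sender.example
To: victim@example.org
Subject: Password reset required
Message-ID: <123@mail-sender.example>
Date: Tue, 5 Mar 2024 10:14:57 +0000

Please reset your password at the link below.
"""

HOP_RE = re.compile(r"from\s+(?P<claimed>\S+).*?\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_hops(msg):
    """Return Received hops oldest-first, each with the IP the receiving MTA logged."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):  # bottom header = first hop
        text = " ".join(str(raw).split())  # collapse folded whitespace
        m = HOP_RE.search(text)
        if not m:
            continue  # e.g. internal "by ..." hops without a "from" clause
        ip = IP_RE.search(text[: m.start("by")])  # IP recorded by the receiving server
        date = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({"claimed": m.group("claimed"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "date": date})
    return hops


def domain_of(header_value):
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    # Assumption: relaxed alignment approximated by the last two labels; a real
    # implementation consults the public suffix list.
    return ".".join(domain.split(".")[-2:])


def check_alignment(msg):
    """Compare the From: domain with the SPF and DKIM authenticated domains (DMARC logic)."""
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    dkim_match = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_dom = dkim_match.group(1).lower() if dkim_match else ""
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results") or [])
    reported = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    spf_aligned = bool(rp_dom) and org_domain(rp_dom) == org_domain(from_dom)
    dkim_aligned = bool(dkim_dom) and org_domain(dkim_dom) == org_domain(from_dom)
    # DMARC passes only if an identifier both authenticated and aligns with From:
    dmarc_pass = (reported.get("spf") == "pass" and spf_aligned) or \
                 (reported.get("dkim") == "pass" and dkim_aligned)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "dkim_domain": dkim_dom,
        "reported": reported,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": dmarc_pass,
        "reply_to_mismatch": domain_of(msg["Reply-To"]) not in ("", from_dom),
    }


def analyze(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {"hops": trace_hops(msg), "alignment": check_alignment(msg)}


if __name__ == "__main__":
    pprint(analyze(SAMPLE_EML))
```

On the sample, SPF and DKIM both pass for mail-sender.example, yet neither aligns with the From: domain, so the script reports DMARC as failing, the same verdict the constructed `Authentication-Results` header carries, and it flags the Reply-To domain as different from From:. The first hop's IP (192.0.2.77) is the one to run through the threat-intel lookups the skill lists, since every later hop is a relay that merely forwarded the message.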