Where do I find email headers?

In Gmail: open email → menu "⋮" → "Show original". In Outlook: File → Properties → Internet Headers. In Apple Mail: View → Message → All Headers.

What does SPF fail mean?

SPF fail means the sending server IP is not listed in the domain allowed IPs. This may signal spoofing or an incorrectly configured SPF record.

How is DKIM different from SPF?

SPF checks whether the sender IP is authorized for the domain. DKIM verifies a digital signature on the email content. DMARC combines both mechanisms and defines a handling policy.

How can I tell if an email is forged?

Signs: SPF fail or softfail, DKIM fail, DMARC fail with reject/quarantine policy, mismatch between From: domain and Received: headers, suspicious X-Originating-IP.

Each server in the delivery chain adds a timestamp to the Received: header. The difference between timestamps is the hop delay. Delay >10s is suspicious, >60s indicates a queue problem.