How to Find the IP Address of an Email Sender

Identifying the origin of email messages

Internet emails are designed to carry the IP address of the computer from which the email was sent. This IP address is stored in an email header that is delivered to the recipient along with the message. Email headers are similar to envelopes for postal mail. Email headers contain the electronic equivalent of addressing and postmarks that reflect the routing of mail from source to destination.

cursor arrow clicking on email icon
Gregor Schuster/Photographer's Choice/Getty Images

Find IP Addresses in Email Headers

Modern email clients often hide the headers from view. However, headers are always delivered along with the message contents. Most email clients provide an option to enable the display of these headers if desired.

Internet email headers contain several lines of text. Some lines are labeled as Received followed by the IP addresses for the sending (from) email server and the receiving (by) email server, such as in the following fictitious example:

Received: from teela.mit.edu (65.54.185.39)
by mail1.aol.com with SMTP; 30 Jun 2003 02:27:02 -0000

These lines of text are automatically inserted by email servers that route the message. If only one Received line appears in the header, you can be confident this is the actual IP address of the sender.

Understanding Multiple Received Lines

In some situations, however, multiple Received lines appear in an email header. This happens when the message passes through multiple email servers. Some email spammers insert additional fake Received lines into the headers to confuse recipients.

To identify the correct IP address when multiple Received lines are involved requires a bit of detective work. If no faked information was inserted, the correct IP address is contained in the last Received line of the header. This is a simple rule to follow when looking at mail from friends and family.

If faked header information was inserted by a spammer, different rules are applied to identify a sender's IP address. The correct IP address isn't contained in the last Received line because information faked by a sender appears at the bottom of an email header. To find the correct address:

  • Start from the last Received line and trace the path taken by the message by traveling up through the header.
  • The by location listed in each Received line should match the from location listed in the following Received line.
  • Disregard any entries that contain domain names or IP addresses that don't match the rest of the header chain.
  • The last Received line containing valid information contains the sender's true address.

Many spammers send emails directly rather than through internet email servers. In these cases, all Received header lines except the first one are faked. The first Received header line contains the sender's true IP address in this scenario.

Internet Email Services and IP Addresses

Popular internet-based email services differ in the use of IP addresses in email headers. Use these tips to identify IP addresses in such emails.

  • Google Gmail omits the sender IP address information from all headers. Instead, only the IP address of the Gmail mail server is shown in the Received line.
  • Microsoft Outlook.com provides the IP address in the first Received header line.
  • Emails from Yahoo contain the sender's IP address in the last Received entry.